
Update hashicorp/google requirement from >= 5.9.0, < 6 to >= 5.9.0, < 7 in /examples/complete-example #16


dependabot[bot] commented on behalf of github Aug 29, 2024

Updates the requirements on hashicorp/google to permit the latest version.

Release notes

Sourced from hashicorp/google's releases.

v6.0.1

BREAKING CHANGES:

  • sql: removed settings.ip_configuration.require_ssl from google_sql_database_instance in favor of settings.ip_configuration.ssl_mode. This field was intended to be removed in 6.0.0. (#19263)
Changelog

Sourced from hashicorp/google's changelog.

6.0.1 (Unreleased)

BREAKING CHANGES:

  • sql: removed settings.ip_configuration.require_ssl from google_sql_database_instance in favor of settings.ip_configuration.ssl_mode. This field was intended to be removed in 6.0.0. (#19263)

6.0.0 (August 26, 2024)

Terraform Google Provider 6.0.0 Upgrade Guide

BREAKING CHANGES:

  • provider: changed provider labels to add the goog-terraform-provisioned: true label by default. (#19190)
  • activedirectory: added deletion_protection field to google_active_directory_domain resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#18906)
  • alloydb: removed network in google_alloy_db_cluster. Use network_config.network instead. (#19181)
  • bigquery: added client-side validation to prevent table view creation if schema contains required fields for google_bigquery_table resource (#18767)
  • bigquery: removed allow_resource_tags_on_deletion from google_bigquery_table. Resource tags are now always allowed on table deletion. (#19077)
  • bigqueryreservation: removed multi_region_auxiliary from google_bigquery_reservation (#18922)
  • billing: revised the format of id for google_billing_project_info (#18823)
  • cloudrunv2: added deletion_protection field to google_cloudrunv2_service. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#19019)
  • cloudrunv2: changed liveness_probe to no longer infer a default value from api on google_cloud_run_v2_service. Removing this field and applying the change will now remove liveness probe from the Cloud Run service. (#18764)
  • cloudrunv2: retyped containers.env to SET from ARRAY for google_cloud_run_v2_service and google_cloud_run_v2_job. (#18855)
  • composer: ip_allocation_policy = [] in google_composer_environment is no longer valid configuration. Removing the field from configuration should not produce a diff. (#19207)
  • compute: added new required field enabled in google_compute_backend_service and google_compute_region_backend_service (#18772)
  • compute: changed certificate_id in google_compute_managed_ssl_certificate to correctly be output only. (#19069)
  • compute: revised and in some cases removed default values of connection_draining_timeout_sec, balancing_mode and outlier_detection in google_compute_region_backend_service and google_compute_backend_service. (#18720)
  • compute: revised the format of id for compute_network_endpoints (#18844)
  • compute: guest_accelerator = [] is no longer valid configuration in google_compute_instance. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#19207)
  • compute: google_compute_instance_from_template and google_compute_instance_from_machine_image network_interface.alias_ip_range, network_interface.access_config, attached_disk, guest_accelerator, service_account, scratch_disk can no longer be set to an empty block []. Removing the fields from configuration should not produce a diff. (#19207)
  • compute: secondary_ip_ranges = [] in google_compute_subnetwork is no longer valid configuration. To set an explicitly empty list, use send_secondary_ip_range_if_empty and completely remove secondary_ip_range from config. (#19207)
  • container: made advanced_datapath_observability_config.enable_relay required in google_container_cluster (#19060)
  • container: removed deprecated field advanced_datapath_observability_config.relay_mode from google_container_cluster resource. Users are expected to use enable_relay field instead. (#19060)
  • container: three label-related fields are now in google_container_cluster resource. resource_labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of the labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#19062)
  • container: made three fields resource_labels, terraform_labels, and effective_labels be present in google_container_cluster datasources. All three fields will have all of the labels present on the resource in GCP including the labels configured through Terraform, the system, and other clients, equivalent to effective_labels on the resource. (#19062)
  • container: guest_accelerator = [] is no longer valid configuration in google_container_cluster and google_container_node_pool. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#19207)
  • container: guest_accelerator.gpu_driver_installation_config = [] and guest_accelerator.gpu_sharing_config = [] are no longer valid configuration in google_container_cluster and google_container_node_pool. Removing the fields from configuration should not produce a diff. (#19207)
  • datastore: removed google_datastore_index in favor of google_firestore_index (#19160)
  • edgenetwork: three label-related fields are now in google_edgenetwork_network and google_edgenetwork_subnet resources. labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of the labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#19062)
  • identityplatform: removed resource google_identity_platform_project_default_config in favor of google_identity_platform_project_config (#18992)
  • pubsub: allowed schema_settings in google_pubsub_topic to be removed (#18631)
  • integrations: removed create_sample_workflows and provision_gmek from google_integrations_client (#19148)
  • redis: added a deletion_protection_enabled field to the google_redis_cluster resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection_enabled = false before destroying the resource. (#19173)
  • resourcemanager: added deletion_protection field to google_folder to make deleting them require an explicit intent. Folder resources now cannot be destroyed unless deletion_protection = false is set for the resource. (#19021)
  • resourcemanager: made deletion_policy in google_project 'PREVENT' by default. This makes deleting them require an explicit intent. google_project resources cannot be destroyed unless deletion_policy is set to 'ABANDON' or 'DELETE' for the resource. (#19114)
  • sql: removed settings.ip_configuration.require_ssl in google_sql_database_instance. Please use settings.ip_configuration.ssl_mode instead. (#18843)
  • storage: removed no_age field from lifecycle_rule.condition in the google_storage_bucket resource (#19048)
  • vpcaccess: removed default values for min_throughput and min_instances fields on google_vpc_access_connector and made them default to values returned from the API when not provided by users (#18697)
  • vpcaccess: added a conflicting fields restriction between min_throughput and min_instances fields on google_vpc_access_connector (#18697)
  • vpcaccess: added a conflicting fields restriction between max_throughput and max_instances fields on google_vpc_access_connector (#18697)
  • workstation: defaulted host.gce_instance.disable_ssh to true for google_workstations_workstation_config (#19101)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [hashicorp/google](https://github.com/hashicorp/terraform-provider-google) to permit the latest version.
- [Release notes](https://github.com/hashicorp/terraform-provider-google/releases)
- [Changelog](https://github.com/hashicorp/terraform-provider-google/blob/v6.0.1/CHANGELOG.md)
- [Commits](hashicorp/terraform-provider-google@v5.9.0...v6.0.1)

---
updated-dependencies:
- dependency-name: hashicorp/google
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
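The constraint this PR changes, shown next to two of the 6.0 breaking changes from the release notes above that a GKE or Cloud SQL module user meets on upgrade. This is an added example, not the configuration under /examples/complete-example in this repository; resource names, regions and the accelerator type are placeholders, and the attribute names are those of the hashicorp/google provider as documented for 6.x.

```hcl
# Added example, not code from clouddrove/terraform-gcp-gke.
terraform {
  required_version = ">= 1.3"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 5.9.0, < 7"   # this PR: was ">= 5.9.0, < 6"
    }
  }
}

# 6.0.1 (#19263): settings.ip_configuration.require_ssl was removed from
# google_sql_database_instance; ssl_mode replaces it.
resource "google_sql_database_instance" "example" {
  name             = "example-instance"   # placeholder
  database_version = "POSTGRES_15"
  region           = "us-central1"        # placeholder

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      # Before 6.0 this block carried:  require_ssl = true
      # TRUSTED_CLIENT_CERTIFICATE_REQUIRED keeps that behaviour (TLS plus a
      # client certificate); ENCRYPTED_ONLY enforces TLS without client certs;
      # ALLOW_UNENCRYPTED_AND_ENCRYPTED is the permissive default.
      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
    }
  }

  deletion_protection = true
}

# 6.0.0 (#19207): guest_accelerator = [] is no longer valid configuration on
# google_container_node_pool. An explicitly empty accelerator list is now
# expressed as a block with count = 0 (type is still a required attribute).
resource "google_container_node_pool" "example" {
  name       = "example-pool"      # placeholder
  cluster    = "example-cluster"   # placeholder
  location   = "us-central1"       # placeholder
  node_count = 1

  node_config {
    machine_type = "e2-medium"

    # Before 6.0:  guest_accelerator = []
    guest_accelerator {
      type  = "nvidia-tesla-t4"   # placeholder accelerator type
      count = 0
    }
  }
}
```

After widening the constraint, `terraform init -upgrade` is what actually moves the lock file to a 6.x provider; a `terraform plan` on the existing state then surfaces the rest of the breaking changes (removed fields, new defaults such as deletion_policy = "PREVENT" on google_project) before anything is applied.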
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Aug 29, 2024
dependabot[bot] (Author) commented on behalf of github Aug 29, 2024

Dependabot tried to add @approvers as a reviewer to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/clouddrove/terraform-gcp-gke/pulls/16/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the clouddrove/terraform-gcp-gke repository. // See: https://docs.github.com/rest/pulls/review-requests#request-reviewers-for-a-pull-request

@anmolnagpal

Terraform Security Scan Failed

Result #1 HIGH Cluster pod security policy is not enforced. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5  resource "google_container_cluster" "primary" {
    6    provider = google-beta
    7
    8    name            = var.name
    9    description     = var.description
   10    project         = var.project_id
   11    resource_labels = var.cluster_resource_labels
   12
   13    location            = local.location
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enforce-pod-security-policy
      Impact Pods could be operating with more permissions than required to be effective
  Resolution Use security policies for pods to restrict permissions to those needed to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enforce-pod-security-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#pod_security_policy_config
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Cluster does not have master authorized networks enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5  resource "google_container_cluster" "primary" {
    6    provider = google-beta
    7
    8    name            = var.name
    9    description     = var.description
   10    project         = var.project_id
   11    resource_labels = var.cluster_resource_labels
   12
   13    location            = local.location
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-master-networks
      Impact Unrestricted network access to the master
  Resolution Enable master authorized networks

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-master-networks/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster has legacy metadata endpoints enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:578-728
────────────────────────────────────────────────────────────────────────────────
  501    resource "google_container_node_pool" "pools" {
  ...
  578      node_config {
  579        image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
  580        machine_type     = lookup(each.value, "machine_type", "e2-medium")
  581        min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
  582        dynamic "gcfs_config" {
  583          for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
  584          content {
  ...
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-metadata-endpoints-disabled
      Impact Legacy metadata endpoints don't require metadata headers
  Resolution Disable legacy metadata endpoints

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/metadata-endpoints-disabled/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Cluster does not have a network policy enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:23
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .
   23          enabled  = network_policy.value.enabled (false)
  ...
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-network-policy
      Impact Unrestricted inter-cluster communication
  Resolution Enable network policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-network-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Cluster does not have private nodes. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5  ┌ resource "google_container_cluster" "primary" {
    6  │   provider = google-beta
    7  │
    8  │   name            = var.name
    9  │   description     = var.description
   10  │   project         = var.project_id
   11  │   resource_labels = var.cluster_resource_labels
   12  │
   13  └   location            = local.location
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-private-cluster
      Impact Nodes may be exposed to the public internet
  Resolution Enable private cluster

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-private-cluster/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Cluster does not use GCE resource labels. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:11
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .
   11      resource_labels = var.cluster_resource_labels
  ...
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-cluster-labels
      Impact Asset management can be limited/more difficult
  Resolution Set cluster resource labels

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-cluster-labels/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             256.661µs
  parsing              34.418856ms
  adaptation           291.657µs
  checks               9.64279ms
  total                44.609964ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     188
  files read           11

  results
  ──────────────────────────────────────────
  passed               16
  ignored              0
  critical             0
  high                 3
  medium               2
  low                  1

  16 passed, 6 potential problem(s) detected.
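The six tfsec findings above each map to a specific block of google_container_cluster or google_container_node_pool. The following is an added example, not code from the clouddrove/terraform-gcp-gke module or from tfsec: a minimal cluster and node pool in which every finding's listed resolution is applied. All names, CIDRs and label values are placeholders chosen for illustration; the attribute names are those of the hashicorp/google-beta provider.

```hcl
# Added example, not the module's cluster.tf. Placeholders throughout.
resource "google_container_cluster" "hardened" {
  provider = google-beta

  name       = "example-cluster"   # placeholder
  location   = "us-central1"       # placeholder
  network    = "example-vpc"       # placeholder
  subnetwork = "example-subnet"    # placeholder

  remove_default_node_pool = true
  initial_node_count       = 1

  # Private nodes require a VPC-native cluster; an empty block lets GKE
  # pick the secondary ranges.
  ip_allocation_policy {}

  # google-gke-use-cluster-labels: labels on the cluster object itself.
  resource_labels = {
    environment = "example"        # placeholder
    owner       = "platform-team"  # placeholder
  }

  # google-gke-enable-network-policy: the add-on must be enabled AND
  # enforcement switched on; one without the other still fails the check.
  addons_config {
    network_policy_config {
      disabled = false
    }
  }
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  # google-gke-enable-master-networks: only the listed CIDRs may reach the
  # control-plane endpoint.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"   # placeholder corporate range
      display_name = "corp"
    }
  }

  # google-gke-enable-private-cluster: nodes get no public IP addresses.
  # enable_private_endpoint = true would also remove the public API endpoint.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"   # placeholder /28
  }

  # google-gke-enforce-pod-security-policy: the block tfsec looks for.
  # PodSecurityPolicy is google-beta only and was removed from Kubernetes
  # in 1.25, so on current GKE versions Pod Security Admission or a policy
  # controller is the practical control; the block is shown because the
  # check asks for it.
  pod_security_policy_config {
    enabled = true
  }
}

resource "google_container_node_pool" "hardened" {
  provider = google-beta

  name       = "example-pool"   # placeholder
  cluster    = google_container_cluster.hardened.id
  location   = google_container_cluster.hardened.location
  node_count = 1

  node_config {
    machine_type = "e2-medium"

    # google-gke-metadata-endpoints-disabled: the v0.1 and v1beta1 metadata
    # endpoints answer without the Metadata-Flavor header, so a pod that can
    # reach the node's metadata IP can read instance metadata from them.
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}
```

Re-running tfsec against a file with these blocks is the check that the findings are gone; `master_authorized_networks_config` with an empty cidr_blocks list still satisfies the tfsec rule but also locks everyone out of a public endpoint, so the CIDR list should be the real set of operator networks. Clusters on Dataplane V2 (`datapath_provider = "ADVANCED_DATAPATH"`) enforce NetworkPolicy without the Calico add-on, in which case the `network_policy` block is replaced by that attribute.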

@VishwajitNagulkar VishwajitNagulkar merged commit 59f1598 into master Aug 29, 2024
8 checks passed
@dependabot dependabot bot deleted the dependabot/terraform/examples/complete-example/hashicorp/google-gte-5.9.0-and-lt-7 branch August 29, 2024 10:36