v44.1.0

BREAKING CHANGES

• modules/project-factory: automation resource keys now have the /automation prefix added between project key and resource key, e.g. $iam_principals:service_accounts/foo/automation/rw [#3303]

What's Changed

• Add missing outputs to new project factory module, improve context README section by @ludoo in #3301
• New project factory improvements by @ludoo in #3303

Full Changelog: v44.0.0...v44.1.0

v44.0.0

This release represents a substantial breaking change, with several changes and deprecations. Please read the below section carefully, and test migrations before applying.

BREAKING CHANGES

This release introduces several breaking changes.

Blueprints

Blueprints have been deprecated. Going forward, some of the old blueprints will be refactored as either FAST project templates, or module-level recipes. Please open a feature request if there's a blueprint that you would need us to refactor.

Modules

• The context replacement interface has been refactored across major modules and will eventually be rolled out across all.
• The project factory module has been refactored so as to leverage the new context interface. The old project factory has been kept in this release as project-factory-legacy to support the corresponding FAST stage. It will be removed in the next release.

FAST

• The FAST bootstrap and resource manager stages have been deprecated, and replaced with a new organization setup stage. The old stages are still available in this release as *-legacy to support migration to the new context interface in modules. They will be removed in the next release.
• The FAST project factory stage has been refactored to leverage the new project factory module. The old version has been renamed and will be removed in the next release.

Please keep in mind that we are not supporting upgrades from legacy stages to new stages. They are possible, but require a substantial effort and custom steps that depend on each installation.

Project templates are still following the old project factory schemas, and will be updated to work with the new project factory for the next release.

What's Changed

• fix missing conditions in top-level-folders IAM by @wiktorn in #3282
• FAST bootstrap light, blueprints deprecation, modules context, new project factory by @ludoo in #3255
• Fix E2E tests after provider upgrade to 7.0+ by @wiktorn in #3296
• Fix Cloud Run validation for refactored fields by @wiktorn in #3295
• gke-hub local fix by @justkmark in #3297
• Rename FAST stages preparing for eventual deprecation by @ludoo in #3298
• Rename new botstrap stage to org-setup by @ludoo in #3299
• Final changes to new org setup stage by @ludoo in #3300

New Contributors

• @justkmark made their first contribution in #3297

Full Changelog: v43.0.0...v44.0.0

v43.0.0

What's Changed

• Upgrade provider to version 7.0.1 by @juliocc in #3291

Full Changelog: v42.1.0...v43.0.0

v42.1.0

The next major release will switch to provider version 7.x.x. Older provider versions will only be supported in v42.x.x releases.

Breaking Changes

• modules/cloud-run-v2: dropped support for service_account_create for eventarc_triggers as it was impossible to properly manage permissions for those SA [#3269]
• terraform-provider-google: Bump provider to 6.47.0, to allow use of gpu_zonal_redundancy_disabled in modules/cloud-run-v2 [#3274]
• modules/cloud-run-v2: create_job bool was changed to type enum, custom_audiences, eventarc_triggers, iap_config, ingress and invoker_iam_disabled were moved to service_config. prefix variable was removed. [#3270]

What's Changed

• Add Cloud Run Worker Pools by @wiktorn in #3270
• Add support for GPU functionality in Cloud Run by @wiktorn in #3274
• E2E: Align bucket location to the triggers by @wiktorn in #3269
• Add cross project support for backend bucket by @norbert-loderer in #3273
• Provide node_pool_auto_config only when node auto provisioning is enabled for GKE standard cluster by @kumadee in #3275
• Add Cloud Run recipes for updating image and IAM authentication to Cloud SQL by @wiktorn in #3276
• Provide Apache port to listen to, fixes E2E by @wiktorn in #3277
• Support different key names for service accounts in project factory IAM by @ludoo in #3279
• Instance flexibility policy added for regional MIGs by @apichick in #3281
• Added test for compute-vm module disks template example by @kovagoadam in #3289
• Fix boot disk source/params incompatibility in compute vm module by @ludoo in #3292
• Enable ADMIN_READ audit log for sts.googleapis.com in automation (iac) project by @ysolt in #3290
• fix Flexible MIG E2E test by @wiktorn in #3293

New Contributors

• @norbert-loderer made their first contribution in #3273
• @ysolt made their first contribution in #3290

Full Changelog: v42.0.0...v42.1.0

v42.0.0

Breaking Changes

• modules/net-vpc: vpc_create(bool) replaced with vpc_reuse(object). Any existing code referencing net-vpc with vpc_create=false will need to change to the vpc_reuse object. [#3205]
• modules/project: "project_attributes" parameter in var.project_reuse to "attributes" [#3205]
• fast/stages/0-bootstrap: two new custom roles for KMS keys have been added: re-run stage 0 so that they are available to the resman stage, where they are required. [#3147]

What's Changed

• Update default FAST org policies by @juliocc in #3207
• Standardise reuse variable from project module and implement for net-vpc by @lnesteroff in #3205
• Allowing multiple on-prem domains by @lnesteroff in #3219
• Support IAM tag factory context expansion in organization / project modules and FAST resman stage by @ludoo in #3226
• Add Data Product Reference Example to FAST Data Platform Stage by @jayBana in #3211
• Improve and fix DAG variable retrieve method in FAST Data Platform by @lcaggio in #3227
• Allow setting default/override for project factory buckets force_destroy attribute by @ludoo in #3233
• Fixes force_destroy for project factory buckets by @LucaPrete in #3237
• feat: Add Service Agent substitution for Buckets and iam_by_principal in project-factory by @V0idC0de in #3246
• fix: Multi-tenant parameters from upstream bootstrap by @williamsmt in #3265

Full Changelog: v41.1.0...v42.0.0

v41.1.0

What's Changed

• Fix service agent substitutions in project factory additive bindings by @V0idC0de in #3210
• Fix network tier in project module when reusing an existing project by @apichick in #3213
• Changed psc address to be optional by @apichick in #3214
• Add IP filtering support to modules/gcs by @juliocc in #3216
• Adding Regional Internet NEGs support by @Art1k in #3206
• Add tag_bindings to Artifact Registry and Secret Manager modules. by @juliocc in #3220
• Support regional instance templates in compute-vm module outputs by @javiroger in #3224
• Fixed gke-hub module to support regional deployment by @Art1k in #3218
• Add force destroy option to buckets in project factory module by @LucaPrete in #3238
• Net firewall policy module documentation improvements by @la-luce in #3232
• Add support for cloudsql regional replicas by @eeila in #3239
• Fix collision in CMEK service agent bindings by @juliocc in #3241
• Allow custom names and descriptions for load balancer components by @AyushGupta1-2-3 in #3223
• Add support for quotas to project-factory module by @kovagoadam in #3242
• Bump golang.org/x/oauth2 from 0.7.0 to 0.27.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker by @dependabot[bot] in #3243
• Bump brace-expansion from 1.1.11 to 1.1.12 in /blueprints/apigee/apigee-x-foundations/functions/instance-monitor by @dependabot[bot] in #3244
• Conditionally creates billing sink if the billing account is of type resource by @Ali-Aburub in #3130
• Bump form-data from 2.5.1 to 2.5.5 in /blueprints/apigee/apigee-x-foundations/functions/instance-monitor by @dependabot[bot] in #3248
• feat(gke-nodepool): add missing options in the kubelet_config by @NitriKx in #3250
• Added "client_version" and "client" to ignore_changes in cloud-run-v2… by @fenyvesi-levi in #3245
• Add support for cross project NEGs by @kovagoadam in #3215
• Support display_name for workstation configurations by @kunzese in #3251
• E2E fixes: load balancer and dataproc by @wiktorn in #3252
• Feat: Add branch protection object to the repositories variable by @Ali-Aburub in #3249
• Fixed schema pattern for iam_bindings_additive roles in project factory by @lnesteroff in #3258
• feat: add GCS bucket trigger support for Cloud Run services by @MuhammadElsaeed in #3257
• Fix E2E: Disable E2E for dataproc on GKE by @wiktorn in #3254
• Migrated VPN alerting rules from MQL to PromQL by @SamuPert in #3259
• Fixing merge artifact in fast/stages/2-networking-b-nva/README.md by @Sacha-Guyot-01 in #3262

New Contributors

• @Art1k made their first contribution in #3206
• @javiroger made their first contribution in #3224
• @la-luce made their first contribution in #3232
• @eeila made their first contribution in #3239
• @AyushGupta1-2-3 made their first contribution in #3223
• @kovagoadam made their first contribution in #3242
• @Ali-Aburub made their first contribution in #3130
• @fenyvesi-levi made their first contribution in #3245
• @MuhammadElsaeed made their first contribution in #3257
• @Sacha-Guyot-01 made their first contribution in #3262

Full Changelog: v41.0.0...v41.1.0

v41.0.0

Upgrade notes

• fast/stages/0-bootstrap: two new custom roles for KMS keys have been added: re-run stage 0 so that they are available to the resman stage, where they are required. [#3147]

What's Changed

• Fix IAM delegation for project factory on security KMS keys by @ludoo in #3147
• Allow configuring project key format in project factory by @ludoo in #3154
• Improve and document org policy tags use in FAST resman stage by @ludoo in #3162
• Add notebooks, appengine and appspot to dns policy routing in FAST networking stage by @wiktorn in #3160
• Allow custom roles in context, add support for shared VPC IAM to project and project factory by @ludoo in #3163
• Bypass accounts.google.com in FAST DNS policy rules by @ludoo in #3179
• Support new style service account principalsets in project factory by @ludoo in #3181
• Revert "Bypass accounts.google.com in FAST DNS policy rules" by @ludoo in #3183
• Bypass accounts.google.com in FAST DNS policy rules by @ludoo in #3185
• Added tag factory option for organization module by @lnesteroff in #3178
• Added option for tag factory in resman by @lnesteroff in #3190
• Add default route action to internal app lb path matcher by @sepehrjavid in #3195
• Support user-defined tfvar files in resman CI/CD definitions by @ludoo in #3198
• Rename workflows config variable introduced in #3198 by @ludoo in #3199

Full Changelog: v40.2.0...v41.0.0

v40.2.0

Upgrade notes

• modules/ai-applications: renamed agentspace module to ai-applications [#3184]
• modules/gke-nodepool: renamed variable network_config.additional_pod_network_config to network_config.additional_pod_network_configs [#3134]

What's Changed

• Support iam_sa_roles in project factory service accounts by @ludoo in #3110
• Add option to specify any port on https protocol by @Stepanenko-Alexey in #3105
• Add support for service agent expansion to project factory IAM by @ludoo in #3112
• Allow creating disks with no name in compute-vm by @ludoo in #3113
• Allow creation of regional templates in compute-vm module by @ludoo in #3114
• Add support for binary authorization policy to cloud function v2 module by @ludoo in #3116
• adds revision label by @msikora-rtb in #3117
• Remove default values for access_config.ip_config for gke cluster modules by @jaiakt in #3083
• Bump Terraform to 1.11 by @juliocc in #3120
• Expose private_endpoint_enforcement_enabled in gke modules by @juliocc in #3119
• Allow explicit definition of automation prefix in project factory by @ludoo in #3124
• Document x-referencing HCs in net-lb-int by @sruffilli in #3125
• Allow multiple types in JSON schema docs tool by @ludoo in #3126
• Interpolate egress_to resources in enforced perimeter config by @juliocc in #3127
• Added multi-region API Gateway recipe, that was removed by accident by @apichick in #3128
• Add explicit errors when VPC-SC perimeters reference undefined directional policies by @juliocc in #3133
• fix additional pod networks config creation in GKE node pool by @jacek-jablonski in #3134
• CloudSQL - Create password resource only when needed by @wiktorn in #3135
• Return instance ID not IP address by @kkrtbhouse in #3137
• Cloud Run with IAP recipe by @apichick in #3129
• Improve SWP transparent gateway example by @wiktorn in #3141
• Fixed mistake in net-vpn-ha module docs by @apichick in #3143
• Fix #3142 by @juliocc in #3144
• Added backend preference to global application load balancers by @apichick in #3139
• Add KMS keys interpolation to project factory by @ludoo in #3145
• Bump requests from 2.32.2 to 2.32.4 in /fast/project-templates/secops-anonymization-pipeline/source by @dependabot in #3146
• Added network tier to network interfaces in compute-vm module by @apichick in #3151
• Added default compute network tier to project module by @apichick in #3150
• Added recipe for Apigee X with SWP by @apichick in #3140
• Bring back master ipv4 cidr block by @jacklever-hub24 in #3153
• Fixed problem with backend preference, changed it to boolean. Backend… by @apichick in #3157
• Allow to directly specify service agents for CMEK in project module (Composer v2 support) by @jnahelou in #3156
• feat: ignores labels added by gh action in unmanaged cloud run service / job by @msikora-rtb in #3161
• Add support for DNS zones to Apigee module by @apichick in #3149
• Cloud run direct iap by @msikora-rtb in #3165
• feat: Update session affinity validation for ALB by @williamsmt in #3172
• Fixed option to set descriptions for environment tag values by @lnesteroff in #3174
• Add new Agentspace module by @LucaPrete in #3170
• Rename agentspace module to ai-applications by @LucaPrete in #3184
• Clean fast 2 security from vpcsc by @aumohr in #3187
• Fixed hard-coded resource management tags (!var.tag_names) by @lnesteroff in #3180
• Add support for IPv6 only subnets and IP collections by @cmm-cisco in #3177
• Addition of Cloud Deploy Module by @vineeteldochan in #3169
• [module/ai-applications] fix module for unexpected updates from APIs by @LucaPrete in #3189
• fix failing E2E test for net-vpc by @wiktorn in #3191
• Only consider active projects to default VPC SC perimeter by @juliocc in #3193
• Added option to set force_destroy on pf buckets by @lnesteroff in #3192
• Added node_pool_auto_config to GKE cluster by @apichick in #3196
• Create (or import) subnets with empty description by @lnesteroff in #3197
• Remove blueprint metadata validation by @juliocc in #3200
• Fix ai-applications provider_meta by @juliocc in #3202
• Update service-agents.yaml by @juliocc in #3201
• Add PEP 723 dependencies to tfdoc.py, versions.py and build_service_agents.py by @juliocc in #3203

New Contributors

• @Stepanenko-Alexey made their first contribution in #3105
• @jaiakt made their first contribution in #3083
• @jacek-jablonski made their first contribution in #3134
• @kkrtbhouse made their first contribution in #3137
• @aumohr made their first contribution in #3187
• @cmm-cisco made their first contribution in #3177
• @vineeteldochan made their first contribution in #3169

Full Changelog: v40.1.0...v40.2.0

v40.1.0

What's Changed

• Revert "Make automation project in project factory module optional" by @ludoo in #3106
• Add fast_version.txt to FAST stages by @juliocc in #3107
• Add version tracking files to FAST by @ludoo in #3108

Full Changelog: v40.0.0...v40.1.0

v40.0.0

Breaking Changes

• fast/stages/0-boostrap: the default set of organization policies now prevents the creation of bridge perimeters. [#3098]
• modules/vpc-sc: perimeter bridge are no longer supported. Please migrate to directional policies (ingress/egress rules) for more granular and secure perimeter configurations.
  modules/vpc-sc: service_perimeters_regular renamed to perimeters [#3062]

What's Changed

• Add ability to reuse existing projects in project factory by @LucaPrete in #3051
• New FAST data platform by @ludoo in #3066
• JSON schema documentation tool by @ludoo in #3070
• Added versions.tf to net-vpc-factory by @sruffilli in #3073
• [cloud-run-v2] Add ability to deploy OpenTelemetry Collector sidecar by @charles-salmon in #3071
• Fix no VPC composer scenario and roles by @lcaggio in #3075
• AlloyDB read poll support and various usability fixes by @viliampucik in #3061
• VPC SC module refactor by @juliocc in #3062
• Add ability to optionally update Cloud Run job containers outside Terraform by @LucaPrete in #3077
• Map secops group to security by default by @juliocc in #3080
• bug: mark policy_controller as optional by @FalconerTC in #3086
• Fix permadiff in FAST bootstrap IAM by @ludoo in #3089
• Relax WIF org policy in IaC project by @ludoo in #3090
• fix: remove file starting by 1 and 2 to avoid copying 1-resman-provid… by @Alhossril in #2944
• Add GitLab SaaS support in fast/extras/0-cicd-gitlab by @Alhossril in #3088
• Add support for additive perimeter resources to vpc-sc module by @ludoo in #3093
• feat(gke): add kubelet_readonly_port_enabled by @6uellerBpanda in #3092
• Enable context replacements for IAM principals in project factory module by @ludoo in #3094
• Enable multi-network GKE by @msikora-rtb in #3096
• Make automation project in project factory module optional by @LucaPrete in #3091
• Disable creation of bridge perimeters by @juliocc in #3098
• Fix net vpc firewall module schema by @ludoo in #3099
• Backup enablement for CloudSQL instance should be only based on user provided settings by @apichick in #3101
• Project Factory: fix reference to automation SAs in IAM block for service accounts by @LucaPrete in #3100
• feat: enables blue-green upgrades by @msikora-rtb in #3102
• Added auto-provisioning-locations to gke-cluster-standard module by @apichick in #3103
• Improves fast/data-platform-ng README for clarity by @jayBana in #3074

New Contributors

• @charles-salmon made their first contribution in #3071
• @FalconerTC made their first contribution in #3086
• @6uellerBpanda made their first contribution in #3092
• @msikora-rtb made their first contribution in #3096

Full Changelog: v39.1.0...v40.0.0