Releases: GoogleCloudPlatform/cloud-foundation-fabric

v49.2.0

08 Dec 08:08

What's Changed

  • fix http2 and ssl health-checks for load balancers by @wiktorn in #3551
  • Auto-grant editor role for cloudservices in project module, expand project ids context in project factory module by @ludoo in #3552
  • Re-enable billing budget association in project factory for projects and extend to folders by @ludoo in #3554
  • Added PSC connection id to outputs, which is required, for instance f… by @apichick in #3560
  • Update stage 0 README by @ludoo in #3565
  • Add support for CMEK in logging bucket, big query dataset and gke notifications by @vannicktrinquier in #3558
  • Add GEMINI.md file by @drebes in #3563
  • feat(net-lb-app): support Google-Managed IAP and add tests by @drebes in #3564
  • Updates to GKE modules to support Secret Sync by @woodham1 in #3562
  • Add Direct VPC Egress support to modules/cloud-function-v2 by @juliocc in #3567
  • Cursed knowledge for ignore_changes by @wiktorn in #3568
  • fix e2e tests - move c4* tests to c zone by @wiktorn in #3569
  • add labels support to dns module by @borijani in #3572

Full Changelog: v49.1.0...v49.2.0

v49.1.0

24 Nov 09:55

This is an interim release, to quickly publish small updates to service identities in the project module, and the new iam_principalsets context replacements for organizations, folders, projects.

What's Changed

  • Allow PSC and PSA connections on Cloud SQL by @vennemp in #3539
  • Add optional secondary read pool support to the alloydb module by @sshcherbakov in #3529
  • Fix aprover -> approver by @juliocc in #3540
  • Fix factory budget check with threshold_rules[*].percent by @kovagoadam in #3542
  • Add backup vault module by @yashwantmahawar in #3536
  • Fix org policy service to be enabled before organization policies applied by @vannicktrinquier in #3547
  • Update service-agents.yaml by @wiktorn in #3543
  • Context improvements: "all service accounts" principal in folder, org, project modules; custom roles in factory condition vars for FAST stage 0 by @ludoo in #3548
  • Add custom default routes and delete default route in FAST networking datasets by @ludoo in #3549

Full Changelog: v49.0.0...v49.1.0

v49.0.0

18 Nov 13:52

What's Changed

  • Prettify and standardize YAML controls from hardened datasets by @vannicktrinquier in #3525
  • Leverage project-level workload identity in FAST CI/CD by @ludoo in #3535
  • Drop the 2-secops stage and minimally refactor 3-secops-dev by @ludoo in #3537

Full Changelog: v48.1.0...v49.0.0

v48.1.0

18 Nov 13:48

What's Changed

  • Replace leftover schema links with actual files by @ludoo in #3522
  • Adds support for custom learned routes to net-vpn-ha by @sruffilli in #3523
  • Fix schema doc tool, fix schema errors, regenerate schema docs by @ludoo in #3524
  • Add support for Workforce Identity to organization module and org setup stage by @ludoo in #3530
  • Add support for Workload Identity to project module and project factory by @ludoo in #3531
  • Assign service usage roles on iac project to automation service accounts by @ludoo in #3532
  • Remove log buckets from security stage projects by @ludoo in #3534
  • Remove pattern from egress-policy schema identities to match with the one in ingress-policy schema by @kovagoadam in #3533
  • Do not cancel terraform tests on tofu failure by @wiktorn in #3538

Full Changelog: v48.0.0...v48.1.0

v48.0.0

11 Nov 09:17

Breaking changes

  • modules/project-factory: the logging_data_access project default and override have been removed; if you need project-wide configuration of data access logs, use a folder-level configuration or a project template. [#3516]

What's Changed

  • Allow defining org-level pam_entitlements in 0-org-setup by @juliocc in #3506
  • Sets a default for delete_default_routes_on_create in 2-networking by @sruffilli in #3511
  • Rename project and VPC resources in net stage datasets by @ludoo in #3513
  • Add support for KMS autokey by @ludoo in #3515
  • Allow configuring data access logs from org/folder/project schemas by @ludoo in #3516
  • Add hardened controls for GKE, Networking and monitoring alerts recommended in CIS Benchmarks for GCP by @vannicktrinquier in #3484
  • Add support for KMS key creation to project factory by @ludoo in #3518
  • Update yaml controls to match max line-length by @vannicktrinquier in #3520
  • Align modules autokey context to project factory / FAST by @ludoo in #3521

Full Changelog: v47.1.0...v48.0.0

v47.1.0

11 Nov 09:09

What's Changed

  • Password for initial_user for AlloyDB is now required by @wiktorn in #3503
  • Refactor FAST VPC-SC docs, ensure cooperative VPC-SC resource control works by @ludoo in #3504
  • Cursed knowledge - try & known after apply structures by @wiktorn in #3507
  • [FAST] fix host project ids in sample yaml files in project factory by @LucaPrete in #3508
  • compute-vm: hyperdisk and ARM support by @wiktorn in #3509
  • Added missing parameters in cloud build trigger by @apichick in #3519

Full Changelog: v47.0.0...v47.1.0

v47.0.0

05 Nov 08:29
5946433

Breaking Changes

  • fast/stages/2-networking-legacy-a-simple: The stage is being removed, and superseded by the 2-networking FAST stage, introduced in #3435
    fast/stages/2-networking-legacy-b-nva: The stage is being removed, and superseded by the 2-networking FAST stage, introduced in #3435
    fast/stages/2-networking-legacy-c-separate-envs: The stage is being removed, and superseded by the 2-networking FAST stage, introduced in #3435 [#3479]

What's Changed

  • Streamline stage variables and output files for vpc-sc and security stages by @ludoo in #3471
  • Removes legacy FAST networking stages by @sruffilli in #3479
  • Enable tflint on 2-security by @wiktorn in #3480
  • Align network stage defaults/outputs to other stages, add defaults schema by @ludoo in #3481
  • Allow referencing template-derived resources in project configuration files by @ludoo in #3490
  • Implement precondition check in project factory to ensure declared templates exist by @ludoo in #3493
  • Okta as Workload identity provider by @lhoet-google in #3494
  • Support essential contacts in FAST stages and project factory YAML definitions, add email context namespace by @ludoo in #3495
  • Pass email addresses context to organization module in stage 0 by @ludoo in #3496
  • Add resource set for org setup projects to vpc sc stage by @ludoo in #3497
  • Add support for project templates to projects variable in project factory module by @ludoo in #3498
  • Revert "Add support for project templates to projects variable in project factory module" by @ludoo in #3499

Full Changelog: v46.1.0...v47.0.0

v46.1.0

05 Nov 08:25
adec737

Breaking Changes

  • modules/cloud-function: Removed field vpc_connector.create, populate vpc_connector_create instead
    modules/cloud-function-v2: Removed field vpc_connector.create, populate vpc_connector_create instead
    modules/cloud-run-v2: Removed service_account and service_account_create. Use service_account_config instead [#3473]

What's Changed

Full Changelog: v46.0.0...v46.1.0

v46.0.0

26 Oct 16:55
aee881c

Breaking Changes

  • fast/stages/2-networking-a-simple: The stage is being deprecated, and superseded by the 2-networking FAST stage, introduced in #3435
    fast/stages/2-networking-b-nva: The stage is being deprecated, and superseded by the 2-networking FAST stage, introduced in #3435
    fast/stages/2-networking-c-separate-envs: The stage is being deprecated, and superseded by the 2-networking FAST stage, introduced in #3435
    modules/net-vpc-factory: The module has been deprecated, and superseded by the 2-networking FAST stage, introduced in #3435 [#3451]
  • modules/iam-service-account: The service_account_create variable has been renamed to service_account_reuse and its type has changed.
    modules/project-factory and fast/stages/0-org-setup: Data sources for service accounts are no longer needed. [#3450]
  • modules/project-factory: storage_location and bigquery_location have been replaced with locations.storage and locations.bigquery in defaults and overrides; the same applies to FAST org setup, security, project factory stages. [#3392]

What's Changed

  • Add support for output files to FAST project factory stage by @ludoo in #3373
  • Document log_buckets namespace by @juliocc in #3386
  • Support iam_by_principals_additive in 0-org-setup by @juliocc in #3387
  • Use location.bigquery for billing dataset by @juliocc in #3390
  • Rationalize location defaults across project factory module and FAST stages by @ludoo in #3392
  • Reorder org-setup to support new datasets by @juliocc in #3397
  • Allow automation resources with bucket or service accounts only in project factory by @ludoo in #3398
  • Align FAST project templates project definitions to new format by @ludoo in #3399
  • Support context and add configurations factory to workstation cluster module, add FAST project template by @ludoo in #3401
  • Ngfw custom roles by @LucaPrete in #3408
  • Fix NGFW add-on instructions by @ludoo in #3409
  • Fix context bug on net-dns by @sruffilli in #3426
  • Allow overriding individual factory paths from organization config in FAST org setup by @ludoo in #3430
  • Revert "Allow overriding individual factory paths from organization config in FAST org setup" by @ludoo in #3431
  • Add retention support for project-factory buckets by @kovagoadam in #3417
  • Adding hardened datasets for preventive and detective Compliance Controls by @vannicktrinquier in #3410
  • Align schemas by @ludoo in #3447
  • Allow skipping data source in service account module by @ludoo in #3450
  • Start the deprecation process of the old networking stages by @sruffilli in #3451
  • Allow null project id in service account module when reusing service account by @ludoo in #3452
  • Fix typos by @juliocc in #3453
  • Factory based FAST Networking stage by @sruffilli in #3435
  • 2-networking - NCC Dataset by @sruffilli in #3457
  • Fix issues with FAST CI/CD support by @ludoo in #3454
  • 2-networking - VPN Dataset by @sruffilli in #3458
  • Consistent subnetting across datasets + contexts by @sruffilli in #3460
  • Use context in ilb routes by @sruffilli in #3462
  • Make classic dataset link to hub-and-spokes-peerings by @wiktorn in #3464
  • Fix YAML linting on fast-dev by @ludoo in #3466
  • Add fourth folder level to project factory module by @ludoo in #3467
  • NVA Dataset for FAST networking stage by @sruffilli in #3463
  • Implement proper validation for tag value names in schema by @ludoo in #3470
  • Remove legacy security stage by @ludoo in #3474

Full Changelog: v45.1.0...v46.0.0

v45.1.0

26 Oct 15:32
3e1a87e

Breaking Changes

  • modules/cloud-run: cloud-run module was deprecated in favor of cloud-run-v2, which supports more functionalities [#3472]
  • modules/cloud-function-v1: service_account and service_account_create were moved to service_account_config. By default, the module now creates a service account and grants roles/logging.logWriter and roles/monitoring.metricWriter at the project level
    modules/cloud-function-v2: service_account and service_account_create were moved to service_account_config. By default, the module now creates a service account and grants roles/logging.logWriter and roles/monitoring.metricWriter at the project level [#3443]
  • terraform-provider-google: Bump provider to 7.6.0, to allow use of google_vertex_ai_reasoning_engine in modules/agent-engine [#3429]
  • modules/project-factory: the factories_config attribute has been removed from project defaults and overrides. [#3440]
  • modules/gke-hub: Unified cluster configuration. The module now uses a single clusters variable to configure both cluster registration and feature enablement. [#3332]
  • all modules: Minimum supported Terraform version bumped to 1.12.2 [#3332]
  • all modules: Minimum supported OpenTofu version bumped to 1.10.0 [#3332]
  • modules/project-factory: the format for automation service account names has changed. [#3345]

What's Changed

  • Rationalize prefix handling for project factory automation resources by @ludoo in #3345
  • Added Cloud Build v2 connection module by @apichick in #3346
  • Add resource_manager_tags to gke-standard-cluster, gke-autopilot-cluster and gke-nodepool by @rosmo in #3350
  • Fixing typos and adding missing roles for Terraform and CI/CD service… by @norbert-loderer in #3351
  • Expose project factory stage defaults via a YAML file by @ludoo in #3354
  • Fix linting / remove unnecessary screenshot by @wiktorn in #3362
  • Use pre-commit managed Python environment for pre-commit checks by @wiktorn in #3361
  • Fixed small typo in project-factory module with log-buckets by @kovagoadam in #3357
  • Add custom error response policy for route rules to external application load balancer module. by @patricklubach in #3353
  • Add missing billing viewer role for org-ro service account in org-set… by @norbert-loderer in #3364
  • Add support for billing export in 0-org-setup by @kovagoadam in #3347
  • Make project id optional in GCS module by @ludoo in #3369
  • Adding support for managed connection pooling in CloudSQL by @ramja-google in #3365
  • feat: add support for SCC Custom Security Health Analytics module in … by @vannicktrinquier in #3372
  • Fix admin_approval field access in VPC-SC module by @juliocc in #3374
  • Fix service account module datasource when universe is set by @ludoo in #3375
  • Allow project id with universe prefix in project module by @ludoo in #3376
  • Allow forcing jit service agents generation for universe in project and project factory modules by @ludoo in #3378
  • Allow FAST stage 0 provider template to work with universe by @ludoo in #3379
  • Lightly refactor service agents locals in project module by @ludoo in #3380
  • Fix typo in fast stage 0 provider template by @ludoo in #3381
  • Support universe in fast security stage by @ludoo in #3383
  • feat(bigquery-dataset): add optional schema support for views by @weather2602 in #3377
  • Add support for universe to fast project factory stage by @ludoo in #3384
  • Add support for context to bigquery module by @ludoo in #3388
  • fix: expose missing audiences variable for gitlab workflow file by @vvision in #3385
  • Remove unavailable service from VPC-SC stage services list by @ludoo in #3400
  • Fix incorrect cloudservices agent email for global universe in project module by @ludoo in #3402
  • Add tests for service agents iam_emails by @wiktorn in #3404
  • Update gke-hub module to use new Policy Controller API by @juliocc in #3332
  • Add support for contexts to compute-vm module by @ludoo in #3406
  • remove tf version from matrix, to keep workflow names stable across upgrades by @wiktorn in #3407
  • modules fixes for E2E tests by @wiktorn in #3403
  • Add support for context to DNS modules by @ludoo in #3412
  • Make SSM gitignores a list by @juliocc in #3413
  • Add support for context to net-cloudnat, net-firewall-policy modules by @ludoo in #3414
  • Add support for context to net-lb-int net-vpc-firewall and net-vpc module by @ludoo in #3419
  • Add support for context to net-vpn-ha module by @ludoo in #3420
  • Adds network_id to net-vpc outputs by @sruffilli in #3421
  • Support CIDR range sets in firewall modules context by @ludoo in #3424
  • bigquery-dataset: fix issues by @rosmo in #3425
  • gitignore update by @juliocc in #3428
  • bigquery-connection module by @lcaggio in #3423
  • Add missing project number variable to outputs in 0-org-setup stage by @norbert-loderer in #3427
  • Added audience to workflow local in 0-org-setup by @kovagoadam in #3418
  • Revert "Added audience to workflow local in 0-org-setup" by @ludoo in #3432
  • Add service agent outputs to folder and organization by @juliocc in #3436
  • compatibility fix: Github CICD templates Terraform version bump to 1.12.2 by @ysolt in #3439
  • Support resource-level factories config in project factory module and FAST stages by @ludoo in #3440
  • Apply alerts and log based metrics after log buckets creation by @vannicktrinquier in #3442
  • fix Terraform version linter by @wiktorn in #3444
  • Add PAM support by @juliocc in #3438
  • Add Agent Engine module. by @LucaPrete in #3429
  • Remove Netsec Authz Service Agent by @juliocc in #3445
  • Skip IAM grants for service agents that are not created on API activation by @juliocc in #3448
  • Cursed knowledge...