feat: relax tf version to allow terraform 0.13 (#67)

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.12.2
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

README.md

@@ -45,24 +45,24 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild).
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| activate\_apis | List of APIs to enable in the seed project. | list(string) | `<list>` | no |
-| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
-| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
-| folder\_id | The ID of a folder to host this project | string | `""` | no |
-| grant\_billing\_user | Grant roles/billing.user role to CFT service account | bool | `"true"` | no |
-| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
-| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
-| org\_admins\_org\_iam\_permissions | List of permissions granted to the group supplied in group_org_admins variable across the GCP organization. | list(string) | `<list>` | no |
-| org\_id | GCP Organization ID | string | n/a | yes |
-| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `<list>` | no |
-| parent\_folder | GCP parent folder ID in the form folders/{id} | string | `""` | no |
-| project\_labels | Labels to apply to the project. | map(string) | `<map>` | no |
-| project\_prefix | Name prefix to use for projects created. | string | `"cft"` | no |
-| sa\_enable\_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool | `"false"` | no |
-| sa\_org\_iam\_permissions | List of permissions granted to Terraform service account across the GCP organization. | list(string) | `<list>` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no |
-| storage\_bucket\_labels | Labels to apply to the storage bucket. | map(string) | `<map>` | no |
+|------|-------------|------|---------|:--------:|
+| activate\_apis | List of APIs to enable in the seed project. | `list(string)` | <pre>[<br>  "serviceusage.googleapis.com",<br>  "servicenetworking.googleapis.com",<br>  "compute.googleapis.com",<br>  "logging.googleapis.com",<br>  "bigquery.googleapis.com",<br>  "cloudresourcemanager.googleapis.com",<br>  "cloudbilling.googleapis.com",<br>  "iam.googleapis.com",<br>  "admin.googleapis.com",<br>  "appengine.googleapis.com",<br>  "storage-api.googleapis.com",<br>  "monitoring.googleapis.com"<br>]</pre> | no |
+| billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| folder\_id | The ID of a folder to host this project | `string` | `""` | no |
+| grant\_billing\_user | Grant roles/billing.user role to CFT service account | `bool` | `true` | no |
+| group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
+| group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| org\_admins\_org\_iam\_permissions | List of permissions granted to the group supplied in group\_org\_admins variable across the GCP organization. | `list(string)` | <pre>[<br>  "roles/billing.user",<br>  "roles/resourcemanager.organizationAdmin"<br>]</pre> | no |
+| org\_id | GCP Organization ID | `string` | n/a | yes |
+| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
+| parent\_folder | GCP parent folder ID in the form folders/{id} | `string` | `""` | no |
+| project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no |
+| project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |
+| sa\_enable\_impersonation | Allow org\_admins group to impersonate service account & enable APIs required. | `bool` | `false` | no |
+| sa\_org\_iam\_permissions | List of permissions granted to Terraform service account across the GCP organization. | `list(string)` | <pre>[<br>  "roles/billing.user",<br>  "roles/compute.networkAdmin",<br>  "roles/compute.xpnAdmin",<br>  "roles/iam.securityAdmin",<br>  "roles/iam.serviceAccountAdmin",<br>  "roles/logging.configWriter",<br>  "roles/orgpolicy.policyAdmin",<br>  "roles/resourcemanager.folderAdmin",<br>  "roles/resourcemanager.organizationViewer"<br>]</pre> | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
+| storage\_bucket\_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no |
 
 ## Outputs
 

build/int.cloudbuild.yaml

@@ -78,4 +78,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.11.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.2'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.11.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.2'

examples/cloudbuild_enabled/README.md

@@ -6,13 +6,13 @@ This example combines the Organization bootstrap module with the Cloud Build sub
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
-| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
-| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
-| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
-| org\_id | GCP Organization ID | string | n/a | yes |
-| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `<list>` | no |
+|------|-------------|------|---------|:--------:|
+| billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
+| group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| org\_id | GCP Organization ID | `string` | n/a | yes |
+| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
 
 ## Outputs
 

examples/cloudbuild_enabled/main.tf

@@ -16,11 +16,11 @@
 
 
 provider "google" {
-  version = "~> 3.38.0"
+  version = "~> 3.43.0"
 }
 
 provider "google-beta" {
-  version = "~> 3.31.0"
+  version = "~> 3.43.0"
 }
 
 provider "null" {

examples/simple-folder/README.md

@@ -6,14 +6,14 @@ This example demonstrates the simplest usage of the GCP organization bootstrap m
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
-| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
-| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
-| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
-| org\_id | GCP Organization ID | string | n/a | yes |
-| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `<list>` | no |
-| parent | GCP parent folder id of form folders/{id} | string | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
+| group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| org\_id | GCP Organization ID | `string` | n/a | yes |
+| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
+| parent | GCP parent folder id of form folders/{id} | `string` | n/a | yes |
 
 ## Outputs
 

examples/simple-folder/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.38.0"
+  version = "~> 3.43.0"
 }
 
 provider "google-beta" {
-  version = "~> 3.31.0"
+  version = "~> 3.43.0"
 }
 
 provider "null" {

examples/simple/README.md

@@ -6,13 +6,13 @@ This example demonstrates the simplest usage of the GCP organization bootstrap m
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
-| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
-| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
-| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
-| org\_id | GCP Organization ID | string | n/a | yes |
-| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `<list>` | no |
+|------|-------------|------|---------|:--------:|
+| billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
+| group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| org\_id | GCP Organization ID | `string` | n/a | yes |
+| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
 
 ## Outputs
 

examples/simple/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 3.38.0"
+  version = "~> 3.43.0"
 }
 
 provider "google-beta" {
-  version = "~> 3.31.0"
+  version = "~> 3.43.0"
 }
 
 provider "null" {

kitchen.yml

@@ -15,6 +15,7 @@
 ---
 driver:
   name: terraform
+  verify_version: false
 
 provisioner:
   name: terraform

main.tf

@@ -53,7 +53,7 @@ resource "google_folder_iam_member" "tmp_project_creator" {
 
 module "seed_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 8.0"
+  version                     = "~> 9.2"
   name                        = local.seed_project_id
   random_project_id           = true
   disable_services_on_destroy = false

modules/cloudbuild/README.md

@@ -50,28 +50,28 @@ Functional examples and sample Cloud Build definitions are included in the [exam
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| activate\_apis | List of APIs to enable in the Cloudbuild project. | list(string) | `<list>` | no |
-| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
-| cloud\_source\_repos | List of Cloud Source Repo's to create with CloudBuild triggers. | list(string) | `<list>` | no |
-| cloudbuild\_apply\_filename | Path and name of Cloud Build YAML definition used for terraform apply. | string | `"cloudbuild-tf-apply.yaml"` | no |
-| cloudbuild\_plan\_filename | Path and name of Cloud Build YAML definition used for terraform plan. | string | `"cloudbuild-tf-plan.yaml"` | no |
-| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
-| folder\_id | The ID of a folder to host this project | string | `""` | no |
-| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
-| org\_id | GCP Organization ID | string | n/a | yes |
-| project\_labels | Labels to apply to the project. | map(string) | `<map>` | no |
-| project\_prefix | Name prefix to use for projects created. | string | `"cft"` | no |
-| sa\_enable\_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool | `"false"` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no |
-| storage\_bucket\_labels | Labels to apply to the storage bucket. | map(string) | `<map>` | no |
-| terraform\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | list(string) | `<list>` | no |
-| terraform\_sa\_email | Email for terraform service account. | string | n/a | yes |
-| terraform\_sa\_name | Fully-qualified name of the terraform service account. | string | n/a | yes |
-| terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. | string | n/a | yes |
-| terraform\_validator\_release | Default terraform-validator release. | string | `"2020-03-05"` | no |
-| terraform\_version | Default terraform version. | string | `"0.12.24"` | no |
-| terraform\_version\_sha256sum | sha256sum for default terraform version. | string | `"602d2529aafdaa0f605c06adb7c72cfb585d8aa19b3f4d8d189b42589e27bf11"` | no |
+|------|-------------|------|---------|:--------:|
+| activate\_apis | List of APIs to enable in the Cloudbuild project. | `list(string)` | <pre>[<br>  "serviceusage.googleapis.com",<br>  "servicenetworking.googleapis.com",<br>  "compute.googleapis.com",<br>  "logging.googleapis.com",<br>  "bigquery.googleapis.com",<br>  "cloudresourcemanager.googleapis.com",<br>  "cloudbilling.googleapis.com",<br>  "iam.googleapis.com",<br>  "admin.googleapis.com",<br>  "appengine.googleapis.com",<br>  "storage-api.googleapis.com"<br>]</pre> | no |
+| billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| cloud\_source\_repos | List of Cloud Source Repo's to create with CloudBuild triggers. | `list(string)` | <pre>[<br>  "gcp-org",<br>  "gcp-networks",<br>  "gcp-projects"<br>]</pre> | no |
+| cloudbuild\_apply\_filename | Path and name of Cloud Build YAML definition used for terraform apply. | `string` | `"cloudbuild-tf-apply.yaml"` | no |
+| cloudbuild\_plan\_filename | Path and name of Cloud Build YAML definition used for terraform plan. | `string` | `"cloudbuild-tf-plan.yaml"` | no |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| folder\_id | The ID of a folder to host this project | `string` | `""` | no |
+| group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| org\_id | GCP Organization ID | `string` | n/a | yes |
+| project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no |
+| project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |
+| sa\_enable\_impersonation | Allow org\_admins group to impersonate service account & enable APIs required. | `bool` | `false` | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
+| storage\_bucket\_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no |
+| terraform\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "master"<br>]</pre> | no |
+| terraform\_sa\_email | Email for terraform service account. | `string` | n/a | yes |
+| terraform\_sa\_name | Fully-qualified name of the terraform service account. | `string` | n/a | yes |
+| terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. | `string` | n/a | yes |
+| terraform\_validator\_release | Default terraform-validator release. | `string` | `"2020-03-05"` | no |
+| terraform\_version | Default terraform version. | `string` | `"0.12.24"` | no |
+| terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"602d2529aafdaa0f605c06adb7c72cfb585d8aa19b3f4d8d189b42589e27bf11"` | no |
 
 ## Outputs
 

modules/cloudbuild/main.tf

@@ -37,7 +37,7 @@ data "google_organization" "org" {
 
 module "cloudbuild_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 8.0"
+  version                     = "~> 9.2"
   name                        = local.cloudbuild_project_id
   random_project_id           = true
   disable_services_on_destroy = false

modules/cloudbuild/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">=0.12.20, <0.14"
 
   required_providers {
     google      = "~> 3.5"

test/fixtures/cloudbuild_enabled/versions.tf

@@ -15,5 +15,5 @@
  */
 
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">=0.12.20, <0.14"
 }

test/integration/cloudbuild_enabled/controls/gcp.rb

@@ -33,17 +33,20 @@
 control "bootstrap" do
   title "Bootstrap module GCP resources"
 
-  describe google_project(project_id: attribute("seed_project_id")) do
+  describe google_project(project: attribute("seed_project_id")) do
     it { should exist }
   end
 
   describe google_storage_bucket(name: attribute("gcs_bucket_tfstate")) do
     it { should exist }
   end
 
-  describe google_service_account(name: attribute("terraform_sa_name")) do
+  describe google_service_account(project: attribute("seed_project_id"), name: attribute("terraform_sa_name").split('/').last) do
     it { should exist }
-    its('has_user_managed_keys?') {should cmp false }
+  end
+
+  describe google_service_account_keys(project: attribute("seed_project_id"), service_account: attribute("terraform_sa_name").split('/').last) do
+    its('key_types') { should_not include 'USER_MANAGED' }
   end
 
   default_apis.each do |api|
@@ -58,7 +61,7 @@
 control "cloudbuild" do
   title "Cloudbuild sub-module GCP Resources"
 
-  describe google_project(project_id: attribute("cloudbuild_project_id")) do
+  describe google_project(project: attribute("cloudbuild_project_id")) do
     it { should exist }
   end
 
@@ -95,14 +98,14 @@
       its('members') {should include 'serviceAccount:' + project_number.to_s + '@cloudbuild.gserviceaccount.com'}
     end
 
-    describe google_kms_crypto_key_iam_binding(crypto_key_url: attribute("kms_crypto_key")['self_link'],  role: "roles/cloudkms.cryptoKeyDecrypter") do
+    describe google_kms_crypto_key_iam_binding(project: attribute("cloudbuild_project_id"), location: "us-central1", key_ring_name: attribute("kms_crypto_key")[:key_ring].split('/').last, crypto_key_name: attribute("kms_crypto_key")[:name],  role: "roles/cloudkms.cryptoKeyDecrypter") do
       it { should exist }
       its('members') {should include 'serviceAccount:' + attribute("terraform_sa_email")}
       its('members') {should include 'serviceAccount:' + project_number.to_s + '@cloudbuild.gserviceaccount.com'}
     end
   end
 
-  describe google_kms_crypto_key_iam_binding(crypto_key_url: attribute("kms_crypto_key")['self_link'],  role: "roles/cloudkms.cryptoKeyEncrypter") do
+  describe google_kms_crypto_key_iam_binding(project: attribute("cloudbuild_project_id"), location: "us-central1", key_ring_name: attribute("kms_crypto_key")[:key_ring].split('/').last, crypto_key_name: attribute("kms_crypto_key")[:name],  role: "roles/cloudkms.cryptoKeyEncrypter") do
     it { should exist }
     its('members') {should include 'group:' + attribute("group_org_admins")}
   end