Terraform Google Provider 3.0.0 Upgrade Guide
The 3.0.0 release of the Google provider for Terraform is a major version and includes some changes that you will need to consider when upgrading. This guide is intended to help with that process and focuses only on the changes necessary to upgrade from the final 2.X series release to 3.0.0.
Most of the changes outlined in this guide have been previously marked as deprecated in the Terraform plan/apply output throughout previous provider releases, up to and including the final 2.X series release. These changes, such as deprecation notices, can always be found in the CHANGELOG of the affected providers (google, google-beta).
What is 3.0.0-beta.1?
With 3.0.0, we introduced a prerelease window for our major provider releases. 3.0.0-beta.1 contains all of the changes in 3.0.0, and allows you to test it prior to the full upgrade. Currently 3.0.0 is not expected to contain new features not available in 3.0.0-beta.1, only bugfixes for issues we're made aware of before 3.0.0's release. Using 3.0.0-beta.1 in production is not recommended.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.provider.GoogleProvider(this, "google", {});
I accidentally upgraded to 3.0.0, how do I downgrade to 2.X?
If you've inadvertently upgraded to 3.0.0, first see the Provider Version Configuration Guide to lock your provider version; if you've constrained the provider to a lower version such as shown in the previous version example in that guide, Terraform will pull in a 2.X series release on terraform init.
If you've only run terraform init or terraform plan, your state will not have been modified and downgrading your provider is sufficient.
If you've run terraform refresh or terraform apply, Terraform may have made state changes in the meantime.
- If you're using a local state, or a remote state backend that does not support versioning, terraform refresh with a downgraded provider is likely sufficient to revert your state. The Google provider generally refreshes most state information from the API, and the properties necessary to do so have been left unchanged.
- If you're using a remote state backend that supports versioning such as Google Cloud Storage, you can revert the Terraform state file to a previous version. If you do so and Terraform had created resources as part of a terraform apply in the meantime, you'll need to either delete them by hand or terraform import them so Terraform knows to manage them.
Upgrade Topics
- Provider Version Configuration
- Provider
- ID Format Changes
- Data Source: googleContainerEngineVersions
- Resource: googleAccessContextManagerAccessLevel
- Resource: googleAccessContextManagerServicePerimeter
- Resource: googleAppEngineApplication
- Resource: googleAppEngineDomainMapping
- Resource: googleAppEngineStandardAppVersion
- Resource: googleBigqueryTable
- Resource: googleBigtableAppProfile
- Resource: googleBinaryAuthorizationPolicy
- Resource: googleCloudbuildTrigger
- Resource: googleCloudfunctionsFunction
- Resource: googleCloudiotRegistry
- Resource: googleCloudschedulerJob
- Resource: googleCloudRunService
- Resource: googleComposerEnvironment
- Resource: googleComputeBackendBucket
- Resource: googleComputeBackendService
- Resource: googleComputeFirewall
- Resource: googleComputeForwardingRule
- Resource: googleComputeGlobalForwardingRule
- Resource: googleComputeHealthCheck
- Resource: googleComputeImage
- Resource: googleComputeInstance
- Resource: googleComputeInstanceGroupManager
- Resource: googleComputeInstanceTemplate
- Resource: googleComputeNetwork
- Resource: googleComputeNetworkPeering
- Resource: googleComputeNodeTemplate
- Resource: googleComputeRegionBackendService
- Resource: googleComputeRegionHealthCheck
- Resource: googleComputeRegionInstanceGroupManager
- Resource: googleComputeResourcePolicy
- Resource: googleComputeRoute
- Resource: googleComputeRouter
- Resource: googleComputeRouterPeer
- Resource: googleComputeSnapshot
- Resource: googleComputeSubnetwork
- Resource: googleContainerCluster
- Resource: googleContainerNodePool
- Resource: googleDataprocAutoscalingPolicy
- Resource: googleDataprocCluster
- Resource: googleDataprocJob
- Resource: googleDnsManagedZone
- Resource: googleDnsPolicy
- Resource: googleFolderOrganizationPolicy
- Resource: googleHealthcareHl7V2Store
- Resource: googleLoggingMetric
- Resource: googleMlengineModel
- Resource: googleMonitoringAlertPolicy
- Resource: googleMonitoringUptimeCheckConfig
- Resource: googleOrganizationPolicy
- Resource: googleProjectIamAuditConfig
- Resource: googleProjectOrganizationPolicy
- Resource: googleProjectService
- Resource: googleProjectServices
- Resource: googlePubsubSubscription
- Resource: googleSecurityScannerScanConfig
- Resource: googleServiceAccountKey
- Resource: googleSqlDatabaseInstance
- Resource: googleStorageBucket
- Resource: googleStorageTransferJob
- Resource: googleTpuNode
Provider Version Configuration
-> Before upgrading to version 3.0.0, it is recommended to upgrade to the most recent 2.X series release of the provider, make the changes noted in this guide, and ensure that your environment successfully runs terraform plan without unexpected changes or deprecation notices.
It is recommended to use version constraints when configuring Terraform providers. If you are following that recommendation, update the version constraints in your Terraform configuration and run terraform init to download the new version.
If you aren't using version constraints, you can use terraform init -upgrade in order to upgrade your provider to the latest released version.
For example, given this previous configuration:
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.provider.GoogleProvider(this, "google", {});
An updated configuration:
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.provider.GoogleProvider(this, "google", {});
Provider
Terraform 0.11 no longer supported
Support for Terraform 0.11 has been deprecated, and Terraform 0.12 or higher is required to terraform init the provider. See the blog post for more information. It is recommended that you upgrade to Terraform 0.12 before upgrading to version 3.0.0 of the provider.
userinfo.email added to default scopes
userinfo.email has been added to the default set of OAuth scopes in the provider. This provides the Terraform user specified by credentials' (generally a service account) email address to GCP APIs in addition to an obfuscated user id; particularly, it makes the email of the Terraform user available for some Kubernetes and IAP use cases.
If this was previously defined explicitly, the definition can now be removed.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.provider.GoogleProvider(this, "google", {
scopes: [
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
"https://www.googleapis.com/auth/devstorage.full_control",
"https://www.googleapis.com/auth/userinfo.email",
],
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.provider.GoogleProvider(this, "google", {});
ID Format Changes
ID formats on many resources have changed. ID formats have standardized on being similar to the selfLink of a resource. Users who depended on particular ID formats in previous versions may be impacted.
Data Source: googleContainerEngineVersions
region and zone are now removed
Use location instead.
Resource: googleAccessContextManagerAccessLevel
osType is now required on block googleAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints
In an attempt to avoid allowing empty blocks in config files, osType is now required on the basicConditionsDevicePolicyOsConstraints block.
Resource: googleAccessContextManagerServicePerimeter
At least one of resources, accessLevels, or restrictedServices is now required on googleAccesscontextmanagerServicePerimeterStatus
In an attempt to avoid allowing empty blocks in config files, at least one of resources, accessLevels, or restrictedServices is now required on the status block.
Resource: googleAppEngineApplication
splitHealthChecks is now required on block googleAppEngineApplicationFeatureSettings
In an attempt to avoid allowing empty blocks in config files, splitHealthChecks is now required on the featureSettings block.
Resource: googleAppEngineDomainMapping
sslManagementType is now required on googleAppEngineDomainMappingSslSettings
In an attempt to avoid allowing empty blocks in config files, sslManagementType is now required on the sslSettings block.
Resource: googleAppEngineStandardAppVersion
At least one of zip or files is now required on googleAppEngineStandardAppVersionDeployment
In an attempt to avoid allowing empty blocks in config files, at least one of zip or files is now required on the deployment block.
shell is now required on googleAppEngineStandardAppVersionEntrypoint
In an attempt to avoid allowing empty blocks in config files, shell is now required on the entrypoint block.
scriptPath is now required on googleAppEngineStandardAppVersionHandlersScript
In an attempt to avoid allowing empty blocks in config files, scriptPath is now required on the handlersScript block.
sourceUrl is now required on googleAppEngineStandardAppVersionDeploymentFiles and googleAppEngineStandardAppVersionDeploymentZip
In an attempt to avoid allowing empty blocks in config files, sourceUrl is now required on the deploymentFiles and deploymentZip blocks.
Resource: googleBigqueryTable
At least one of range or skipLeadingRows is now required on externalDataConfigurationGoogleSheetsOptions
In an attempt to avoid allowing empty blocks in config files, at least one of range or skipLeadingRows is now required on the externalDataConfigurationGoogleSheetsOptions block.
Resource: googleBigtableAppProfile
Exactly one of singleClusterRouting or multiClusterRoutingUseAny is now required on googleBigtableAppProfile
In an attempt to be more consistent with the API, exactly one of singleClusterRouting or multiClusterRoutingUseAny is now required on googleBigtableAppProfile.
clusterId is now required on googleBigtableAppProfileSingleClusterRouting
In an attempt to avoid allowing empty blocks in config files, clusterId is now required on the singleClusterRouting block.
Resource: googleBinaryAuthorizationPolicy
namePattern is now required on googleBinaryAuthorizationPolicyAdmissionWhitelistPatterns
In an attempt to avoid allowing empty blocks in config files, namePattern is now required on the admissionWhitelistPatterns block.
evaluationMode and enforcementMode are now required on googleBinaryAuthorizationPolicyClusterAdmissionRules
In an attempt to avoid allowing empty blocks in config files, evaluationMode and enforcementMode are now required on the clusterAdmissionRules block.
Resource: googleCloudbuildTrigger
Exactly one of filename or build is now required on googleCloudbuildTrigger
In an attempt to be more consistent with the API, exactly one of filename or build is now required on googleCloudbuildTrigger.
Exactly one of branchName, tagName or commitSha is now required on googleCloudbuildTriggerTriggerTemplate
In an attempt to avoid allowing empty blocks in config files, exactly one of branchName, tagName or commitSha is now required on the triggerTemplate block.
Exactly one of pullRequest or push is now required on googleCloudbuildTriggerGithub
In an attempt to avoid allowing empty blocks in config files, exactly one of pullRequest or push is now required on the github block.
Exactly one of branch or tagName is now required on googleCloudbuildTriggerGithubPush
In an attempt to avoid allowing empty blocks in config files, exactly one of branch or tagName is now required on the githubPush block.
steps is now required on googleCloudbuildTriggerBuild.
In an attempt to avoid allowing empty blocks in config files, steps is now required on the build block.
name is now required on googleCloudbuildTriggerBuildSteps
In an attempt to avoid allowing empty blocks in config files, name is now required on the buildSteps block.
name and path are now required on googleCloudbuildTriggerBuildStepsVolumes
In an attempt to avoid allowing empty blocks in config files, name and path are now required on the buildVolumes block.
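A pre-upgrade lint for three of the Cloud Build trigger "exactly one of" rules above (the resource itself, triggerTemplate and github), as an added example that is not code from the provider or the original guide. It assumes the configuration is available as a parsed synthesized Terraform JSON document (the kind of file cdktf synth writes) and that the page's camelCase names correspond to the snake_case attribute names used in the rule table; the sample document is constructed.

```typescript
// Added example: checks google_cloudbuild_trigger resources against the
// "exactly one of" rules that provider 3.0.0 starts enforcing.

type TfBlock = { [key: string]: unknown };

interface OneOfRule {
  path: string[]; // nested block path below the resource; [] is the resource itself
  exactlyOneOf: string[];
}

interface LintFinding {
  resource: string; // e.g. google_cloudbuild_trigger.release
  block: string; // "(resource)" or the dotted nested block path
  set: string[]; // which of the mutually exclusive attributes are present
}

// Rules from this guide, in Terraform's snake_case spelling (assumed mapping
// from the camelCase names shown on the page).
const CLOUDBUILD_TRIGGER_RULES: OneOfRule[] = [
  { path: [], exactlyOneOf: ["filename", "build"] },
  { path: ["trigger_template"], exactlyOneOf: ["branch_name", "tag_name", "commit_sha"] },
  { path: ["github"], exactlyOneOf: ["pull_request", "push"] },
];

function isBlock(v: unknown): v is TfBlock {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function asBlock(v: unknown): TfBlock {
  return isBlock(v) ? v : {};
}

// Terraform JSON allows a nested block to be one object or a list of objects,
// so every step of the path may fan out into several blocks.
function blocksAt(root: TfBlock, path: string[]): TfBlock[] {
  let current: TfBlock[] = [root];
  path.forEach(function (segment) {
    const next: TfBlock[] = [];
    current.forEach(function (b) {
      const child = b[segment];
      const items: unknown[] = Array.isArray(child) ? child : [child];
      items.forEach(function (item) {
        if (isBlock(item)) next.push(item);
      });
    });
    current = next;
  });
  return current;
}

// A block that is absent is not checked: the rules only apply once the block
// is declared, which is exactly the "empty block" case 3.0.0 rejects.
function lintCloudbuildTriggers(doc: TfBlock): LintFinding[] {
  const findings: LintFinding[] = [];
  const triggers = asBlock(asBlock(doc["resource"])["google_cloudbuild_trigger"]);
  Object.keys(triggers).forEach(function (name) {
    const body = asBlock(triggers[name]);
    CLOUDBUILD_TRIGGER_RULES.forEach(function (rule) {
      blocksAt(body, rule.path).forEach(function (block) {
        const set = rule.exactlyOneOf.filter(function (attr) {
          return block[attr] !== undefined && block[attr] !== null;
        });
        if (set.length !== 1) {
          findings.push({
            resource: "google_cloudbuild_trigger." + name,
            block: rule.path.length > 0 ? rule.path.join(".") : "(resource)",
            set: set,
          });
        }
      });
    });
  });
  return findings;
}

// Constructed sample input, not taken from a real project.
const SAMPLE_TRIGGERS: TfBlock = {
  resource: {
    google_cloudbuild_trigger: {
      ok: {
        filename: "cloudbuild.yaml",
        trigger_template: { branch_name: "main", repo_name: "app" },
      },
      both_sources: {
        filename: "cloudbuild.yaml",
        build: { step: [{ name: "gcr.io/cloud-builders/docker" }] },
        trigger_template: [{ tag_name: "v.*", branch_name: "main" }],
      },
      empty_github: {
        filename: "cloudbuild.yaml",
        github: { owner: "example", name: "app" },
      },
    },
  },
};

// Three findings: both_sources twice (resource level and trigger_template),
// empty_github once (github block with neither pull_request nor push).
const SAMPLE_TRIGGER_FINDINGS = lintCloudbuildTriggers(SAMPLE_TRIGGERS);
```

The same rule table shape takes the other "exactly one of" rules in this guide by adding a resource type next to each path.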
Resource: googleCloudfunctionsFunction
The runtime option nodejs6 has been deprecated
nodejs6 has been deprecated and is no longer the default value for runtime. runtime is now required.
Resource: googleCloudiotRegistry
Replace singular event notification config field with plural eventNotificationConfigs
Use the plural field eventNotificationConfigs instead of eventNotificationConfig, which has now been removed. Since the Cloud IoT API now accepts multiple event notification configs for a registry, the singular field no longer exists on the API resource and has been removed from Terraform to prevent conflicts.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.cloudiotRegistry.CloudiotRegistry(this, "myregistry", {
event_notification_config: [
{
pubsub_topic_name: "${google_pubsub_topic.event-topic.id}",
},
],
name: "%s",
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.cloudiotRegistry.CloudiotRegistry(this, "myregistry", {
event_notification_configs: [
{
pubsub_topic_name: "${google_pubsub_topic.event-topic.id}",
},
],
name: "%s",
});
publicKeyCertificate is now required on block googleCloudiotRegistryCredentials
In an attempt to avoid allowing empty blocks in config files, publicKeyCertificate is now required on the credentials block.
Resource: googleCloudRunService
Google Cloud Run Service is being released at v1 and there are breaking schema changes that have arisen from changing the underlying API. These breaking changes only affect the Beta version of the resource as it was not previously available in the GA provider.
To support partial rollouts of different revisions, the spec block is now nested under template and a second metadata block has been added alongside spec. Now users can make a change and, using a named revision, they can control the rollout of that revision with a higher granularity.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.cloudRunService.CloudRunService(this, "default", {
spec: [
{
container_concurrency: 10,
containers: [
{
args: ["arrg2", "pirate"],
image: "gcr.io/cloudrun/hello",
},
],
},
],
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.cloudRunService.CloudRunService(this, "default", {
template: [
{
metadata: [
{
annotations: [
{
"autoscaling.knative.dev/maxScale": "1000",
"run.googleapis.com/client-name": "terraform",
},
],
name: "revision-name",
},
],
spec: [
{
container_concurrency: 10,
containers: [
{
args: ["arrg2", "pirate"],
image: "gcr.io/cloudrun/hello",
},
],
},
],
},
],
});
Resource: googleCloudschedulerJob
Exactly one of pubsubTarget, httpTarget or appEngineHttpTarget is required on googleCloudschedulerJob
In an attempt to be more consistent with the API, exactly one of pubsubTarget, httpTarget or appEngineHttpTarget is now required on googleCloudschedulerJob.
serviceAccountEmail is now required on googleCloudschedulerJobHttpTargetOauthToken and googleCloudschedulerJobHttpTargetOidcToken.
In an attempt to avoid allowing empty blocks in config files, serviceAccountEmail is now required on the httpTargetOauthToken and httpTargetOidcToken blocks.
At least one of retryCount, maxRetryDuration, minBackoffDuration, maxBackoffDuration, or maxDoublings is now required on googleCloudSchedulerJobRetryConfig
In an attempt to avoid allowing empty blocks in config files, at least one of retryCount, maxRetryDuration, minBackoffDuration, maxBackoffDuration, or maxDoublings is now required on the retryConfig block.
At least one of service, version, or instance is now required on googleCloudSchedulerJobAppEngineHttpTargetAppEngineRouting
In an attempt to avoid allowing empty blocks in config files, at least one of service, version, or instance is now required on the appEngineHttpTargetAppEngineRouting block.
Resource: googleComposerEnvironment
At least one of airflowConfigOverrides, pypiPackages, envVariables, imageVersion, pythonVersion or schedulerCount is now required on googleComposerEnvironmentConfigSoftwareConfig
In an attempt to avoid allowing empty blocks in config files, at least one of airflowConfigOverrides, pypiPackages, envVariables, imageVersion, pythonVersion or schedulerCount is now required on the configSoftwareConfig block.
useIpAliases is now required on block googleComposerEnvironmentIpAllocationPolicy
Previously the default value of useIpAliases was true. In an attempt to avoid allowing empty blocks in config files, useIpAliases is now required on the ipAllocationPolicy block.
At least one of enablePrivateEndpoint or masterIpv4CidrBlock is now required on googleComposerEnvironmentConfigPrivateEnvironmentConfig
In an attempt to avoid allowing empty blocks in config files, at least one of enablePrivateEndpoint or masterIpv4CidrBlock is now required on the configPrivateEnvironmentConfig block.
At least one of nodeCount, nodeConfig, softwareConfig or privateEnvironmentConfig is now required on googleComposerEnvironmentConfig
In an attempt to avoid allowing empty blocks in config files, at least one of nodeCount, nodeConfig, softwareConfig or privateEnvironmentConfig is now required on the config block.
Resource: googleComputeBackendBucket
signedUrlCacheMaxAgeSec is now required on googleComputeBackendBucketAutoscalingPolicyCdnPolicy
Previously the default value of signedUrlCacheMaxAgeSec was 3600. In an attempt to avoid allowing empty blocks in config files, signedUrlCacheMaxAgeSec is now required on the autoscalingPolicyCdnPolicy block.
Resource: googleComputeBackendService
At least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on googleComputeBackendServiceCircuitBreakers
In an attempt to avoid allowing empty blocks in config files, at least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on the circuitBreakers block.
At least one of ttl, name, or path is now required on googleComputeBackendServiceConsistentHashHttpCookie
In an attempt to avoid allowing empty blocks in config files, at least one of ttl, name, or path is now required on the consistentHashHttpCookie block.
At least one of httpCookie, httpHeaderName, or minimumRingSize is now required on googleComputeBackendServiceConsistentHash
In an attempt to avoid allowing empty blocks in config files, at least one of httpCookie, httpHeaderName, or minimumRingSize is now required on the consistentHash block.
At least one of cacheKeyPolicy or signedUrlCacheMaxAgeSec is now required on googleComputeBackendServiceCdnPolicy
In an attempt to avoid allowing empty blocks in config files, at least one of cacheKeyPolicy or signedUrlCacheMaxAgeSec is now required on the cdnPolicy block.
At least one of includeHost, includeProtocol, includeQueryString, queryStringBlacklist, or queryStringWhitelist is now required on googleComputeBackendServiceCdnPolicyCacheKeyPolicy
In an attempt to avoid allowing empty blocks in config files, at least one of includeHost, includeProtocol, includeQueryString, queryStringBlacklist, or queryStringWhitelist is now required on the cdnPolicyCacheKeyPolicy block.
At least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on googleComputeBackendServiceOutlierDetection
In an attempt to avoid allowing empty blocks in config files, at least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on the outlierDetection block.
At least one of enable or sampleRate is now required on googleComputeBackendServiceLogConfig
In an attempt to avoid allowing empty blocks in config files, at least one of enable or sampleRate is now required on the logConfig block.
Resource: googleComputeFirewall
Exactly one of allow or deny is required on googleComputeFirewall
In an attempt to be more consistent with the API, exactly one of allowed or denied is now required on googleComputeFirewall.
Resource: googleComputeForwardingRule
ipVersion is now removed
ipVersion is not used for regional forwarding rules.
ipAddress is now strictly validated to enforce literal IP address format
Previously documentation suggested Terraform could use the same range of valid IP Address formats for ipAddress as accepted by the API (e.g. named addresses or URLs to GCP Address resources). However, the server returns only literal IP addresses and thus caused diffs on re-apply (i.e. a permadiff). We amended documentation to say Terraform only accepts literal IP addresses.
This is now strictly validated. While this shouldn't have a large breaking impact as users would have already run into permadiff issues on re-apply, there might be validation errors for existing configs. The solution is to replace other address formats with the IP address, either manually or by interpolating values from a googleComputeAddress resource.
Old Config (that would have permadiff)
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeAddressMyAddr = new google.computeAddress.ComputeAddress(
this,
"my-addr",
{
name: "my-addr",
}
);
new google.computeForwardingRule.ComputeForwardingRule(this, "frule", {
address: googleComputeAddressMyAddr.selfLink,
name: "my-forwarding-rule",
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeAddressMyAddr = new google.computeAddress.ComputeAddress(
this,
"my-addr",
{
name: "my-addr",
}
);
new google.computeForwardingRule.ComputeForwardingRule(this, "frule", {
address: googleComputeAddressMyAddr.address,
name: "my-forwarding-rule",
});
Resource: googleComputeGlobalForwardingRule
ipAddress is now validated to enforce literal IP address format
See googleComputeForwardingRule.
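A pre-upgrade check for the stricter ipAddress validation on both forwarding rule resources, as an added example that is not code from the provider or the original guide. It assumes the field appears as ip_address in a parsed synthesized Terraform JSON document and treats a ${...} reference ending in .self_link as the permadiff pattern from the old config; the sample document and every name in it are constructed.

```typescript
// Added example: finds forwarding rules whose ip_address is not a literal IP
// (named address, URL, or a reference to an address resource's self_link).

type TfBlock = { [key: string]: unknown };
type AddressKind = "ipv4" | "ipv6" | "reference" | "self_link_reference" | "not_literal";

interface IpFinding {
  resource: string;
  value: string;
  kind: AddressKind;
}

const FORWARDING_RULE_TYPES = [
  "google_compute_forwarding_rule",
  "google_compute_global_forwarding_rule",
];

function asBlock(v: unknown): TfBlock {
  return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as TfBlock) : {};
}

function isIpv4(s: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (m === null) return false;
  return m.slice(1).every(function (octet) {
    return Number(octet) <= 255;
  });
}

// Plain hex-group IPv6 with at most one "::" (IPv4-embedded forms not handled).
function isIpv6(s: string): boolean {
  const halves = s.split("::");
  if (halves.length > 2) return false;
  let groups: string[] = [];
  halves.forEach(function (h) {
    if (h !== "") groups = groups.concat(h.split(":"));
  });
  const groupsOk = groups.every(function (g) {
    return /^[0-9a-fA-F]{1,4}$/.test(g);
  });
  return groupsOk && (halves.length === 2 ? groups.length <= 7 : groups.length === 8);
}

function classify(value: string): AddressKind {
  // A whole-value interpolation cannot be resolved statically; only its
  // target attribute is inspected.
  const ref = /^\$\{([^}]+)\}$/.exec(value);
  if (ref !== null) {
    return /\.self_link$/.test(ref[1]) ? "self_link_reference" : "reference";
  }
  if (isIpv4(value)) return "ipv4";
  if (isIpv6(value)) return "ipv6";
  return "not_literal";
}

function lintForwardingRuleAddresses(doc: TfBlock): IpFinding[] {
  const findings: IpFinding[] = [];
  const resources = asBlock(doc["resource"]);
  FORWARDING_RULE_TYPES.forEach(function (type) {
    const byName = asBlock(resources[type]);
    Object.keys(byName).forEach(function (name) {
      const value = asBlock(byName[name])["ip_address"];
      if (typeof value !== "string") return; // unset: nothing to validate
      const kind = classify(value);
      if (kind === "self_link_reference" || kind === "not_literal") {
        findings.push({ resource: type + "." + name, value: value, kind: kind });
      }
    });
  });
  return findings;
}

// Constructed sample input, not taken from a real project.
const SAMPLE_RULES: TfBlock = {
  resource: {
    google_compute_forwarding_rule: {
      literal: { name: "a", ip_address: "203.0.113.10" },
      by_self_link: { name: "b", ip_address: "${google_compute_address.my-addr.self_link}" },
      by_address: { name: "c", ip_address: "${google_compute_address.my-addr.address}" },
      by_name: { name: "d", ip_address: "my-addr" },
      ephemeral: { name: "e" },
    },
    google_compute_global_forwarding_rule: {
      v6: { name: "f", ip_address: "2001:db8::1" },
      by_url: {
        name: "g",
        ip_address:
          "https://www.googleapis.com/compute/v1/projects/example-project/global/addresses/my-addr",
      },
    },
  },
};

// Flags by_self_link, by_name and by_url; the literal and .address cases pass.
const SAMPLE_IP_FINDINGS = lintForwardingRuleAddresses(SAMPLE_RULES);
```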
Resource: googleComputeHealthCheck
Exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is required on googleComputeHealthCheck
In an attempt to be more consistent with the API, exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is now required on googleComputeHealthCheck.
At least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeHealthCheckHttpHealthCheck, googleComputeHealthCheckHttpsHealthCheck and googleComputeHealthCheckHttp2HealthCheck
In an attempt to avoid allowing empty blocks in config files, at least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on the httpHealthCheck, httpsHealthCheck and http2HealthCheck blocks.
At least one of request, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeHealthCheckSslHealthCheck and googleComputeHealthCheckTcpHealthCheck
In an attempt to avoid allowing empty blocks in config files, at least one of request, response, port, portName, proxyHeader, or portSpecification is now required on the sslHealthCheck and tcpHealthCheck blocks.
Resource: googleComputeImage
type is now required on googleComputeImageGuestOsFeatures
In an attempt to avoid allowing empty blocks in config files, type is now required on the guestOsFeatures block.
Resource: googleComputeInstance
interface is now required on block googleComputeInstanceScratchDisk
Previously the default value of interface was SCSI. In an attempt to avoid allowing empty blocks in config files, interface is now required on the scratchDisk block.
At least one of autoDelete, deviceName, diskEncryptionKeyRaw, kmsKeySelfLink, initializeParams, mode or source is now required on googleComputeInstanceBootDisk
In an attempt to avoid allowing empty blocks in config files, at least one of autoDelete, deviceName, diskEncryptionKeyRaw, kmsKeySelfLink, initializeParams, mode or source is now required on the bootDisk block.
At least one of size, type, image, or labels is now required on googleComputeInstanceBootDiskInitializeParams
In an attempt to avoid allowing empty blocks in config files, at least one of size, type, image, or labels is now required on the initializeParams block.
At least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on googleComputeInstanceShieldedInstanceConfig
In an attempt to avoid allowing empty blocks in config files, at least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on the shieldedInstanceConfig block.
At least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on googleComputeInstanceScheduling
In an attempt to avoid allowing empty blocks in config files, at least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on the scheduling block.
Resource: googleComputeInstanceGroupManager
The following changes apply to both googleComputeInstanceGroupManager and googleComputeRegionInstanceGroupManager.
instanceTemplate has been replaced by versionInstanceTemplate
Instance group managers should be using version blocks to reference which instance template to use for provisioning. To upgrade, use a single version block with instanceTemplate in your config; by default all traffic will be directed to that version.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
this,
"my_igm",
{
base_instance_name: "igm",
instance_template: "${google_compute_instance_template.my_tmpl.self_link}",
name: "my-igm",
zone: "us-central1-c",
}
);
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
this,
"my_igm",
{
base_instance_name: "igm",
name: "my-igm",
version: [
{
instance_template:
"${google_compute_instance_template.my_tmpl.self_link}",
name: "prod",
},
],
zone: "us-central1-c",
}
);
updateStrategy has been replaced by updatePolicy
To allow much greater control over the updates happening to instance groups, updateStrategy has been replaced by updatePolicy. The functionality controlled by updateStrategy is now controlled by a combination of updatePolicyType and updatePolicyMinimalAction. updateStrategy = NONE can be achieved with type = OPPORTUNISTIC. The previous values of RESTART and REPLACE were both implicitly PROACTIVE types but can now be controlled explicitly.
For more details see the official guide.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
this,
"my_igm",
{
base_instance_name: "igm",
instance_template: "${google_compute_instance_template.my_tmpl.self_link}",
name: "my-igm",
update_strategy: "NONE",
zone: "us-central1-c",
}
);
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
this,
"my_igm",
{
base_instance_name: "igm",
name: "my-igm",
update_policy: [
{
minimal_action: "RESTART",
type: "OPPORTUNISTIC",
},
],
version: [
{
instance_template:
"${google_compute_instance_template.my_tmpl.self_link}",
name: "prod",
},
],
zone: "us-central1-c",
}
);
Resource: googleComputeInstanceTemplate
At least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on googleComputeInstanceTemplateShieldedInstanceConfig
In an attempt to avoid allowing empty blocks in config files, at least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on the shieldedInstanceConfig block.
At least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on googleComputeInstanceTemplateScheduling
In an attempt to avoid allowing empty blocks in config files, at least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on the scheduling block.
Disks with invalid scratch disk configurations are now rejected
The instance template API allows specifying invalid configurations in some cases, and an error is only returned when attempting to provision them. Terraform will now report that some configs that previously appeared valid at plan time are now invalid.
A disk with type "SCRATCH" must have diskType "local-ssd" and a size of 375GB. For example, the following is valid:
These configs would have been accepted by Terraform previously, but will now fail:
disk {
source_image = "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20210217"
auto_delete = true
type = "SCRATCH"
}
disk {
source_image = "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20210217"
auto_delete = true
disk_type = "local-ssd"
}
kmsKeySelfLink is now required on block googleComputeInstanceTemplateDiskEncryptionKey
In an attempt to avoid allowing empty blocks in config files, kmsKeySelfLink is now required on the diskEncryptionKey block.
Resource: googleComputeNetwork
ipv4Range is now removed
Legacy Networks are removed and you will no longer be able to create them using this field from Feb 1, 2020 onwards.
Resource: googleComputeNetworkPeering
autoCreateRoutes is now removed
autoCreateRoutes has been removed because it's redundant and not user-configurable.
Resource: googleComputeNodeTemplate
At least one of cpus or memory is now required on googleComputeNodeTemplateNodeTypeFlexibility
In an attempt to avoid allowing empty blocks in config files, at least one of cpus or memory is now required on the nodeTypeFlexibility block.
Resource: googleComputeRegionBackendService
At least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on googleComputeRegionBackendServiceCircuitBreakers
In an attempt to avoid allowing empty blocks in config files, at least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on the circuitBreakers block.
At least one of ttl, name, or path is now required on googleComputeRegionBackendServiceConsistentHashHttpCookie
In an attempt to avoid allowing empty blocks in config files, at least one of ttl, name, or path is now required on the consistentHashHttpCookie block.
At least one of httpCookie, httpHeaderName, or minimumRingSize is now required on googleComputeRegionBackendServiceConsistentHash
In an attempt to avoid allowing empty blocks in config files, at least one of httpCookie, httpHeaderName, or minimumRingSize is now required on the consistentHash block.
At least one of disableConnectionDrainOnFailover, dropTrafficIfUnhealthy, or failoverRatio is now required on googleComputeRegionBackendServiceFailoverPolicy
In an attempt to avoid allowing empty blocks in config files, at least one of disableConnectionDrainOnFailover, dropTrafficIfUnhealthy, or failoverRatio is now required on the failoverPolicy block.
At least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on googleComputeRegionBackendServiceOutlierDetection
In an attempt to avoid allowing empty blocks in config files, at least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on the outlierDetection block.
At least one of enable or sampleRate is now required on googleComputeRegionBackendServiceLogConfig
In an attempt to avoid allowing empty blocks in config files, at least one of enable or sampleRate is now required on the logConfig block.
Resource: googleComputeRegionHealthCheck
Exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is required on googleComputeHealthCheck
In an attempt to be more consistent with the API, exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is now required on the googleComputeRegionHealthCheck resource.
At least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeRegionHealthCheckHttpHealthCheck, googleComputeRegionHealthCheckHttpsHealthCheck and googleComputeRegionHealthCheckHttp2HealthCheck
In an attempt to avoid allowing empty blocks in config files, at least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on the httpHealthCheck, httpsHealthCheck and http2HealthCheck blocks.
At least one of request, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeRegionHealthCheckSslHealthCheck and googleComputeRegionHealthCheckTcpHealthCheck
In an attempt to avoid allowing empty blocks in config files, at least one of request, response, port, portName, proxyHeader, or portSpecification is now required on the sslHealthCheck and tcpHealthCheck blocks.
Resource: googleComputeResourcePolicy
Exactly one of hourlySchedule, dailySchedule or weeklySchedule is now required on googleComputeResourcePolicySnapshotSchedulePolicySchedule
In an attempt to avoid allowing empty blocks in config files, exactly one of hourlySchedule, dailySchedule or weeklySchedule is now required on the snapshotSchedulePolicySchedule block.
At least one of labels, storageLocations, or guestFlush is now required on googleComputeResourcePolicySnapshotSchedulePolicySnapshotProperties
In an attempt to avoid allowing empty blocks in config files, at least one of labels, storageLocations, or guestFlush is now required on the snapshotSchedulePolicySnapshotProperties block.
Resource: googleComputeRoute
Exactly one of nextHopGateway, nextHopInstance, nextHopIp, nextHopVpnTunnel or nextHopIlb is required on googleComputeRoute
In an attempt to be more consistent with the API, exactly one of nextHopGateway, nextHopInstance, nextHopIp, nextHopVpnTunnel or nextHopIlb is now required on the googleComputeRoute resource.
Resource: googleComputeRouter
range is now required on googleComputeRouterBgpAdvertisedIpRanges
In an attempt to avoid allowing empty blocks in config files, range is now required on the bgpAdvertisedIpRanges block.
Resource: googleComputeRouterPeer
range is now required on block googleComputeRouterPeerAdvertisedIpRanges
In an attempt to avoid allowing empty blocks in config files, range is now required on the advertisedIpRanges block.
Resource: googleComputeSnapshot
rawKey is now required on block googleComputeSnapshotSourceDiskEncryptionKey
In an attempt to avoid allowing empty blocks in config files, rawKey is now required on the sourceDiskEncryptionKey block.
Resource: googleComputeSubnetwork
enableFlowLogs is now removed
enableFlowLogs has been removed and should be replaced by the logConfig block with configurations for flow logging. Enablement of flow logs is now controlled by whether logConfig is defined or not instead of by the enableFlowLogs variable. Users with enableFlowLogs = false only need to remove the field.
At least one of aggregationInterval, flowSampling, or metadata is now required on googleComputeSubnetworkLogConfig
In an attempt to avoid allowing empty blocks in config files, at least one of aggregationInterval, flowSampling, or metadata is now required on the logConfig block.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet-with-logging", {
enable_flow_logs: true,
ip_cidr_range: "10.2.0.0/16",
name: "log-test-subnetwork",
network: "${google_compute_network.custom-test.self_link}",
region: "us-central1",
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet-with-logging", {
ip_cidr_range: "10.2.0.0/16",
log_config: [
{
aggregation_interval: "INTERVAL_10_MIN",
flow_sampling: 0.5,
metadata: "INCLUDE_ALL_METADATA",
},
],
name: "log-test-subnetwork",
network: "${google_compute_network.custom-test.self_link}",
region: "us-central1",
});
Resource: googleContainerCluster
ipAllocationPolicy will catch out-of-band changes, useIpAliases removed
Note: This change and "Automatic subnetwork creation for VPC-native clusters removed" are related; see the other entry for more details.
In 2.X, ipAllocationPolicy wouldn't cause a diff if it was undefined in config but was set on the cluster itself. Additionally, it could be defined with useIpAliases set to false. However, this made it difficult to reason about whether a cluster was routes-based or VPC-native.
With 3.0.0, Terraform will detect drift on the block. The configuration has also been simplified. Terraform creates a VPC-native cluster when ipAllocationPolicy is defined (useIpAliases is implicitly set to true and is no longer configurable). When the block is undefined, Terraform creates a routes-based cluster.
Other than removing the useIpAliases field, most users of VPC-native clusters won't be affected. terraform plan will show a diff if a config doesn't contain ipAllocationPolicy but the underlying cluster does. Routes-based cluster users may need to remove ipAllocationPolicy if useIpAliases had been set to false.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.containerCluster.ContainerCluster(this, "primary", {
initial_node_count: 1,
ip_allocation_policy: [
{
use_ip_aliases: false,
},
],
location: "us-central1",
name: "my-cluster",
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.containerCluster.ContainerCluster(this, "primary", {
initial_node_count: 1,
location: "us-central1",
name: "my-cluster",
});
Automatic subnetwork creation for VPC-native clusters removed
Automatic creation of subnetworks in GKE has been removed. Now, users of VPC-native clusters will always need to provide a googleComputeSubnetwork resource to use ipAllocationPolicy. Routes-based clusters are unaffected.
Representing resources managed by another source in Terraform is painful, and leads to confusing patterns that often involve unnecessarily recreating user resources. A number of fields in GKE are dedicated to a feature that allows users to create a GKE-managed subnetwork.
This is a great fit for an imperative tool like gcloud, but it's not required for Terraform. With Terraform, it's relatively easy to specify a subnetwork in config alongside the cluster. Not only does that allow configuring subnetwork features like flow logging, it's more explicit, allows the subnetwork to be used by other resources, and the subnetwork persists through cluster deletion.
Particularly, Shared VPC was incompatible with createSubnetwork, and nodeIpv4Cidr was easy to confuse with ipAllocationPolicyNodeIpv4CidrBlock.
Detailed changes:
- ipAllocationPolicyNodeIpv4CidrBlock removed (This controls the primary range of the created subnetwork)
- ipAllocationPolicyCreateSubnetwork, ipAllocationPolicySubnetworkName removed
- ipAllocationPolicy will catch drift when not in config
- ipAllocationPolicyUseIpAliases removed
  - Enablement is now based on ipAllocationPolicy being defined instead
- Conflict added between nodeIpv4Cidr, ipAllocationPolicy
Upgrade instructions
- Remove the removed fields from googleContainerCluster
- Add a googleComputeSubnetwork to your config, import it using terraform import
- Reference the subnetwork using the subnetwork field on your googleContainerCluster
Note: Subnetworks originally created as part of createSubnetwork will be deleted alongside the cluster. If there are other users of the subnetwork, deletion of the cluster will fail. After the original resources are deleted, terraform apply will recreate the same subnetwork except that it won't be managed by a GKE cluster and other resources can use it safely.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkContainerNetwork =
new google.computeNetwork.ComputeNetwork(this, "container_network", {
auto_create_subnetworks: false,
name: "container-network",
});
new google.containerCluster.ContainerCluster(this, "primary", {
initial_node_count: 1,
ip_allocation_policy: [
{
cluster_ipv4_cidr_block: "10.0.0.0/16",
create_subnetwork: true,
node_ipv4_cidr_block: "10.2.0.0/16",
services_ipv4_cidr_block: "10.1.0.0/16",
use_ip_aliases: true,
},
],
location: "us-central1",
name: "my-cluster",
network: googleComputeNetworkContainerNetwork.name,
});
New Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkContainerNetwork =
new google.computeNetwork.ComputeNetwork(this, "container_network", {
auto_create_subnetworks: false,
name: "container-network",
});
const googleComputeSubnetworkContainerSubnetwork =
new google.computeSubnetwork.ComputeSubnetwork(this, "container_subnetwork", {
description: 'auto-created subnetwork for cluster "my-cluster"',
ip_cidr_range: "10.2.0.0/16",
name: "container-subnetwork",
network: googleComputeNetworkContainerNetwork.selfLink,
region: "us-central1",
});
new google.containerCluster.ContainerCluster(this, "primary", {
initial_node_count: 1,
ip_allocation_policy: [
{
cluster_ipv4_cidr_block: "10.0.0.0/16",
services_ipv4_cidr_block: "10.1.0.0/16",
},
],
location: "us-central1",
name: "my-cluster",
network: googleComputeNetworkContainerNetwork.name,
subnetwork: googleComputeSubnetworkContainerSubnetwork.name,
});
taint field is now authoritative when set
The taint field inside of nodeConfig blocks on googleContainerCluster and googleContainerNodePool will no longer ignore GPU-related values when set.
Previously, the field ignored upstream taints when unset and ignored unset GPU taints when other taints were set. Now it will ignore upstream taints when set and act authoritatively when set, requiring all taints (including Kubernetes and GKE-managed ones) to be defined in config.
Additionally, an empty taint can now be specified with taint = []. As a result of this change, the JSON/state representation of the field has changed, introducing an incompatibility for users who specify config in JSON instead of HCL or who use dynamic blocks. See more details in the Attributes as Blocks documentation.
addonsConfigKubernetesDashboard is now removed
The kubernetesDashboard addon is deprecated for clusters on GKE and will soon be removed. It is recommended to use alternative GCP Console dashboards.
channel is now required on googleContainerClusterReleaseChannel
In an attempt to avoid allowing empty blocks in config files, channel is now required on the releaseChannel block.
The disabled field is now required on the addonsConfig blocks for httpLoadBalancing, horizontalPodAutoscaling, istioConfig, cloudrunConfig and networkPolicyConfig.
In an attempt to avoid allowing empty blocks in config files, disabled is now required on the different googleContainerClusterAddonsConfig blocks.
Exactly one of dailyMaintenanceWindow or recurringWindow is now required on googleContainerClusterMaintenancePolicy
In an attempt to avoid allowing empty blocks in config files, exactly one of dailyMaintenanceWindow or recurringWindow is now required on the maintenancePolicy block.
At least one of httpLoadBalancing, horizontalPodAutoscaling, networkPolicyConfig, cloudrunConfig, or istioConfig is now required on googleContainerClusterAddonsConfig
In an attempt to avoid allowing empty blocks in config files, at least one of httpLoadBalancing, horizontalPodAutoscaling, networkPolicyConfig, cloudrunConfig, or istioConfig is now required on the addonsConfig block.
At least one of username, password or clientCertificateConfig is now required on googleContainerClusterMasterAuth
In an attempt to avoid allowing empty blocks in config files, at least one of username, password or clientCertificateConfig is now required on the masterAuth block.
enabled is now required on block googleContainerClusterVerticalPodAutoscaling
In an attempt to avoid allowing empty blocks in config files, enabled is now required on the verticalPodAutoscaling block.
enabled is now required on block googleContainerClusterNetworkPolicy
Previously the default value of enabled was false. In an attempt to avoid allowing empty blocks in config files, enabled is now required on the networkPolicy block.
enablePrivateEndpoint is now required on block googleContainerClusterPrivateClusterConfig
In an attempt to avoid allowing empty blocks in config files, enablePrivateEndpoint is now required on the privateClusterConfig block.
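The cluster block rules listed above (required, at least one of, exactly one of) can be checked against a config before upgrading, so that empty security-relevant blocks such as masterAuth or networkPolicy are found ahead of the first plan. The following is an added example, not code from the provider or the original guide: it assumes the cluster config is available as a plain object with blocks written as arrays of objects (as in the config samples here), uses the snake_case spellings of the field names, and the names Rule, CLUSTER_RULES, blocksAt, isSet and checkBlocks are hypothetical.

```typescript
// Added example: rule table, helper names and sample configs are constructed.
type Block = { [key: string]: unknown };
type Mode = "required" | "at_least_one" | "exactly_one";
interface Rule {
  block: string; // dotted path to the block, e.g. "addons_config.istio_config"
  mode: Mode;
  fields: string[];
}

// Addon blocks on which `disabled` is now required.
const ADDONS: string[] = [
  "http_load_balancing",
  "horizontal_pod_autoscaling",
  "istio_config",
  "cloudrun_config",
  "network_policy_config",
];

// Cluster block rules taken from this section of the guide.
const CLUSTER_RULES: Rule[] = [
  { block: "release_channel", mode: "required", fields: ["channel"] },
  { block: "maintenance_policy", mode: "exactly_one",
    fields: ["daily_maintenance_window", "recurring_window"] },
  { block: "addons_config", mode: "at_least_one", fields: ADDONS },
  { block: "master_auth", mode: "at_least_one",
    fields: ["username", "password", "client_certificate_config"] },
  { block: "vertical_pod_autoscaling", mode: "required", fields: ["enabled"] },
  { block: "network_policy", mode: "required", fields: ["enabled"] },
  { block: "private_cluster_config", mode: "required",
    fields: ["enable_private_endpoint"] },
];
for (const addon of ADDONS) {
  CLUSTER_RULES.push({ block: "addons_config." + addon, mode: "required", fields: ["disabled"] });
}

// Every instance of the block found at a dotted path below `root`.
function blocksAt(root: Block, path: string): Block[] {
  let current: Block[] = [root];
  for (const segment of path.split(".")) {
    const next: Block[] = [];
    for (const parent of current) {
      const value = parent[segment];
      const items: unknown[] = Array.isArray(value) ? value : [value];
      for (const item of items) {
        if (typeof item === "object" && item !== null) next.push(item as Block);
      }
    }
    current = next;
  }
  return current;
}

// A field counts as set when it is present; `false` is a value, an empty list is not.
function isSet(block: Block, field: string): boolean {
  const value = block[field];
  if (value === undefined || value === null) return false;
  if (Array.isArray(value)) return value.length > 0;
  return true;
}

// One message per block instance that would be rejected under the rules.
function checkBlocks(resource: Block, rules: Rule[]): string[] {
  const problems: string[] = [];
  for (const rule of rules) {
    for (const block of blocksAt(resource, rule.block)) {
      const present = rule.fields.filter((f) => isSet(block, f));
      const missing = rule.fields.filter((f) => !isSet(block, f));
      const list = rule.fields.join(", ");
      if (rule.mode === "required" && missing.length > 0) {
        problems.push(`${rule.block}: missing required ${missing.join(", ")}`);
      } else if (rule.mode === "at_least_one" && present.length === 0) {
        problems.push(`${rule.block}: needs at least one of ${list}`);
      } else if (rule.mode === "exactly_one" && present.length !== 1) {
        problems.push(`${rule.block}: needs exactly one of ${list} (found ${present.length})`);
      }
    }
  }
  return problems;
}

// Constructed 2.X-era cluster config that relies on empty blocks.
const oldCluster: Block = {
  name: "my-cluster",
  location: "us-central1",
  master_auth: [{}],
  network_policy: [{}],
  maintenance_policy: [{}],
  addons_config: [
    { http_load_balancing: [{}], network_policy_config: [{ disabled: false }] },
  ],
  private_cluster_config: [{ enable_private_endpoint: false }],
};

// The same config with every flagged block stated explicitly.
const newCluster: Block = {
  name: "my-cluster",
  location: "us-central1",
  master_auth: [{ client_certificate_config: [{ issue_client_certificate: false }] }],
  network_policy: [{ enabled: true }],
  maintenance_policy: [{ daily_maintenance_window: [{ start_time: "03:00" }] }],
  addons_config: [
    { http_load_balancing: [{ disabled: false }], network_policy_config: [{ disabled: false }] },
  ],
  private_cluster_config: [{ enable_private_endpoint: false }],
};

console.log(checkBlocks(oldCluster, CLUSTER_RULES).join("\n"));
```

Blocks that are absent from the config produce no finding, since the rules only apply once a block is declared.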
loggingService and monitoringService defaults changed
GKE Stackdriver Monitoring (the GKE-specific Stackdriver experience) is now enabled at cluster creation by default, similar to the default in GKE 1.14 through other tools.
Terraform will now detect changes out of band when the field(s) are not defined in config, attempting to return them to their new defaults, and will be clear about what values will be set when creating a cluster.
terraform plan will report changes upon upgrading if the field was previously unset. Applying this change will enable the new Stackdriver service without recreating clusters. Users who wish to use another value should record their intended value in config; the old default values can be added to a googleContainerCluster resource config block to preserve them.
Old Defaults
New Defaults
logging_service = "logging.googleapis.com/kubernetes"
monitoring_service = "monitoring.googleapis.com/kubernetes"
zone, region and additionalZones are now removed
zone and region have been removed in favor of location, and additionalZones has been removed in favor of nodeLocations.
Resource: googleContainerNodePool
zone and region are now removed
zone and region have been removed in favor of location.
Resource: googleDataprocAutoscalingPolicy
At least one of minInstances, maxInstances, or weight is now required on googleDataprocAutoscalingPolicySecondaryWorkerConfig
In an attempt to avoid allowing empty blocks in config files, at least one of minInstances, maxInstances, or weight is now required on the secondaryWorkerConfig block.
Resource: googleDataprocCluster
At least one of stagingBucket, gceClusterConfig, masterConfig, workerConfig, preemptibleWorkerConfig, softwareConfig, initializationAction or encryptionConfig is now required on googleDataprocClusterClusterConfig
In an attempt to avoid allowing empty blocks in config files, at least one of stagingBucket, gceClusterConfig, masterConfig, workerConfig, preemptibleWorkerConfig, softwareConfig, initializationAction or encryptionConfig is now required on the clusterConfig block.
At least one of imageVersion, overrideProperties or optionalComponents is now required on googleDataprocClusterClusterConfigSoftwareConfig
In an attempt to avoid allowing empty blocks in config files, at least one of imageVersion, overrideProperties or optionalComponents is now required on the clusterConfigSoftwareConfig block.
At least one of numInstances or diskConfig is now required on googleDataprocClusterClusterConfigPreemptibleWorkerConfig
In an attempt to avoid allowing empty blocks in config files, at least one of numInstances or diskConfig is now required on the clusterConfigPreemptibleWorkerConfig block.
At least one of zone, network, subnetwork, tags, serviceAccount, serviceAccountScopes, internalIpOnly or metadata is now required on googleDataprocClusterClusterConfigGceClusterConfig
In an attempt to avoid allowing empty blocks in config files, at least one of zone, network, subnetwork, tags, serviceAccount, serviceAccountScopes, internalIpOnly or metadata is now required on the gceClusterConfig block.
At least one of numInstances, imageUri, machineType, minCpuPlatform, diskConfig, or accelerators is now required on googleDataprocClusterClusterConfigMasterConfig and googleDataprocClusterClusterConfigWorkerConfig
In an attempt to avoid allowing empty blocks in config files, at least one of numInstances, imageUri, machineType, minCpuPlatform, diskConfig, or accelerators is now required on the clusterConfigMasterConfig and clusterConfigWorkerConfig blocks.
At least one of numLocalSsds, bootDiskSizeGb or bootDiskType is now required on googleDataprocClusterClusterConfigPreemptibleWorkerConfigDiskConfig, googleDataprocClusterClusterConfigMasterConfigDiskConfig and googleDataprocClusterClusterConfigWorkerConfigDiskConfig
In an attempt to avoid allowing empty blocks in config files, at least one of numLocalSsds, bootDiskSizeGb or bootDiskType is now required on the clusterConfigPreemptibleWorkerConfigDiskConfig, clusterConfigMasterConfigDiskConfig and clusterConfigWorkerConfigDiskConfig blocks.
policyUri is now required on googleDataprocClusterAutoscalingConfig block.
In an attempt to avoid allowing empty blocks in config files, policyUri is now required on the autoscalingConfig block.
Resource: googleDataprocJob
At least one of queryFileUri or queryList is now required on hiveConfig, pigConfig, and sparksqlConfig
In an attempt to avoid allowing empty blocks in config files, at least one of queryFileUri or queryList is now required on the hiveConfig, pigConfig, and sparksqlConfig blocks.
At least one of mainClass or mainJarFileUri is now required on googleDataprocJobSparkConfig and googleDataprocJobHadoopConfig
In an attempt to avoid allowing empty blocks in config files, at least one of mainClass or mainJarFileUri is now required on the sparkConfig and hadoopConfig blocks.
driverLogLevels is now required on loggingConfig blocks for pysparkConfig, hadoopConfig, sparkConfig, pigConfig, and sparksqlConfig.
In an attempt to avoid allowing empty blocks in config files, driverLogLevels is now required on pysparkConfig, hadoopConfig, sparkConfig, pigConfig, and sparksqlConfig blocks.
maxFailuresPerHour is now required on block googleDataprocJobScheduling
In an attempt to avoid allowing empty blocks in config files, maxFailuresPerHour is now required on the scheduling block.
Resource: googleDnsManagedZone
At least one of kind, nonExistence, state, or defaultKeySpecs is now required on googleDnsManagedZoneDnssecConfig
In an attempt to avoid allowing empty blocks in config files, at least one of kind, nonExistence, state, or defaultKeySpecs is now required on the dnssecConfig block.
targetNetwork is now required on block googleDnsManagedZonePeeringConfig
In an attempt to avoid allowing empty blocks in config files, targetNetwork is now required on the peeringConfig block.
networkUrl is now required on block googleDnsManagedZonePeeringConfigTargetNetwork
In an attempt to avoid allowing empty blocks in config files, networkUrl is now required on the peeringConfigTargetNetwork block.
targetNameServers is now required on block googleDnsManagedZoneForwardingConfig
In an attempt to avoid allowing empty blocks in config files, targetNameServers is now required on the forwardingConfig block.
ipv4Address is now required on block googleDnsManagedZoneForwardingConfigTargetNameServers
In an attempt to avoid allowing empty blocks in config files, ipv4Address is now required on the forwardingConfigTargetNameServers block.
networks is now required on block googleDnsManagedZonePrivateVisibilityConfig
In an attempt to avoid allowing empty blocks in config files, networks is now required on the privateVisibilityConfig block.
networkUrl is now required on block googleDnsManagedZonePrivateVisibilityConfigNetworks
In an attempt to avoid allowing empty blocks in config files, networkUrl is now required on the privateVisibilityConfigNetworks block.
Resource: googleDnsPolicy
networkUrl is now required on block googleDnsPolicyNetworks
In an attempt to avoid allowing empty blocks in config files, networkUrl is now required on the networks block.
targetNameServers is now required on block googleDnsPolicyAlternativeNameServerConfig
In an attempt to avoid allowing empty blocks in config files, targetNameServers is now required on the alternativeNameServerConfig block.
ipv4Address is now required on block googleDnsPolicyAlternativeNameServerConfigTargetNameServers
In an attempt to avoid allowing empty blocks in config files, ipv4Address is now required on the alternativeNameServerConfigTargetNameServers block.
Resource: googleFolderOrganizationPolicy
Exactly one of allow or deny is now required on googleFolderOrganizationPolicyListPolicy
In an attempt to avoid allowing empty blocks in config files, exactly one of allow or deny is now required on the listPolicy block.
Exactly one of all or values is now required on googleFolderOrganizationPolicyListPolicyAllow and googleFolderOrganizationPolicyListPolicyDeny
In an attempt to avoid allowing empty blocks in config files, exactly one of all or values is now required on the listPolicyAllow and listPolicyDeny blocks.
Resource: googleHealthcareHl7V2Store
At least one of allowNullHeader or segmentTerminator is now required on googleHealthcareHl7V2StoreParserConfig
In an attempt to avoid allowing empty blocks in config files, at least one of allowNullHeader or segmentTerminator is now required on the parserConfig block.
Resource: googleLoggingMetric
At least one of linearBuckets, exponentialBuckets or explicitBuckets is now required on googleLoggingMetricBucketOptions
In an attempt to avoid allowing empty blocks in config files, at least one of linearBuckets, exponentialBuckets or explicitBuckets is now required on the bucketOptions block.
At least one of numFiniteBuckets, width or offset is now required on googleLoggingMetricBucketOptionsLinearBuckets
In an attempt to avoid allowing empty blocks in config files, at least one of numFiniteBuckets, width or offset is now required on the bucketOptionsLinearBuckets block.
At least one of numFiniteBuckets, growthFactor or scale is now required on googleLoggingMetricBucketOptionsExponentialBuckets
In an attempt to avoid allowing empty blocks in config files, at least one of numFiniteBuckets, growthFactor or scale is now required on the bucketOptionsExponentialBuckets block.
bounds is now required on googleLoggingMetricBucketOptionsExplicitBuckets
In an attempt to avoid allowing empty blocks in config files, bounds is now required on the bucketOptionsExplicitBuckets block.
Resource: googleMlengineModel
name is now required on googleMlengineModelDefaultVersion
In an attempt to avoid allowing empty blocks in config files, name is now required on the defaultVersion block.
Resource: googleMonitoringAlertPolicy
labels is now removed
labels is removed as it was never used. See userLabels for the correct field.
At least one of content or mimeType is now required on googleMonitoringAlertPolicyDocumentation
In an attempt to avoid allowing empty blocks in config files, at least one of content or mimeType is now required on the documentation block.
Resource: googleMonitoringUptimeCheckConfig
Exactly one of resourceGroup or monitoredResource is now required on googleMonitoringUptimeCheckConfig
In an attempt to be more consistent with the API, exactly one of resourceGroup or monitoredResource is now required on googleMonitoringUptimeCheckConfig.
Exactly one of httpCheck or tcpCheck is now required on googleMonitoringUptimeCheckConfig
In an attempt to be more consistent with the API, exactly one of httpCheck or tcpCheck is now required on googleMonitoringUptimeCheckConfig.
At least one of authInfo, port, headers, path, useSsl, or maskHeaders is now required on googleMonitoringUptimeCheckConfigHttpCheck
In an attempt to avoid allowing empty blocks in config files, at least one of authInfo, port, headers, path, useSsl, or maskHeaders is now required on the httpCheck block.
At least one of resourceType or groupId is now required on googleMonitoringUptimeCheckConfigResourceGroup
In an attempt to avoid allowing empty blocks in config files, at least one of resourceType or groupId is now required on the resourceGroup block.
content is now required on block googleMonitoringUptimeCheckConfigContentMatchers
In an attempt to avoid allowing empty blocks in config files, content is now required on the contentMatchers block.
username and password are now required on block googleMonitoringUptimeCheckConfigHttpCheckAuthInfo
In an attempt to avoid allowing empty blocks in config files, username and password are now required on the httpCheckAuthInfo block.
isInternal and internalChecker are now removed
isInternal and internalChecker never worked, and are now removed.
Resource: googleOrganizationPolicy
Exactly one of allow or deny is now required on googleOrganizationPolicyListPolicy
In an attempt to avoid allowing empty blocks in config files, exactly one of allow or deny is now required on the listPolicy block.
Exactly one of all or values is now required on googleOrganizationPolicyListPolicyAllow and googleOrganizationPolicyListPolicyDeny
In an attempt to avoid allowing empty blocks in config files, exactly one of all or values is now required on the listPolicyAllow and listPolicyDeny blocks.
Resource: googleProjectIamAuditConfig
Audit configs are now authoritative on create
Audit configs are now authoritative on create, rather than merging with existing configs on create. Writing an audit config resource will now overwrite any existing audit configs on the given project.
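Because the first apply now overwrites rather than merges, it helps to compare the project's current audit configs with the planned ones before creating the resource. The following is an added example, not code from the provider or this guide; `overwrittenAuditSettings` and the sample data are hypothetical, and it assumes the comparison is made service by service against the `auditConfigs` field of the project's IAM policy.

```typescript
// Shape of the auditConfigs field of a project IAM policy.
type AuditLogConfig = { logType: string; exemptedMembers?: string[] };
type AuditConfig = { service: string; auditLogConfigs: AuditLogConfig[] };
type Overwritten = { service: string; logType: string; change: string };

// List the settings present today that the planned configs would not carry
// over (assumption: compared per service, for the services being written).
function overwrittenAuditSettings(existing: AuditConfig[], planned: AuditConfig[]): Overwritten[] {
  const out: Overwritten[] = [];
  for (const want of planned) {
    const have = existing.filter((c) => c.service === want.service)[0];
    if (!have) continue; // no existing config for this service, nothing to lose
    for (const cur of have.auditLogConfigs) {
      const next = want.auditLogConfigs.filter((l) => l.logType === cur.logType)[0];
      if (!next) {
        out.push({ service: want.service, logType: cur.logType, change: "log type dropped" });
        continue;
      }
      const kept = next.exemptedMembers || [];
      for (const member of cur.exemptedMembers || []) {
        if (kept.indexOf(member) === -1) {
          out.push({ service: want.service, logType: cur.logType, change: "exemption removed: " + member });
        }
      }
    }
  }
  return out;
}

// Constructed sample: the current policy and the config Terraform will write.
const existingConfigs: AuditConfig[] = [
  { service: "allServices", auditLogConfigs: [
    { logType: "ADMIN_READ" },
    { logType: "DATA_READ", exemptedMembers: ["user:auditor@example.com"] },
    { logType: "DATA_WRITE" },
  ] },
];
const plannedConfigs: AuditConfig[] = [
  { service: "allServices", auditLogConfigs: [{ logType: "ADMIN_READ" }, { logType: "DATA_READ" }] },
];

const auditChanges = overwrittenAuditSettings(existingConfigs, plannedConfigs);
for (const c of auditChanges) console.log(c.service + " " + c.logType + ": " + c.change);
```

A non-empty result means the first apply changes what is logged on the project, so add the missing entries to the Terraform config before creating the resource.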
Resource: googleProjectOrganizationPolicy
Exactly one of allow or deny is now required on googleProjectOrganizationPolicyListPolicy
In an attempt to avoid allowing empty blocks in config files, exactly one of allow or deny is now required on the listPolicy block.
Exactly one of all or values is now required on googleProjectOrganizationPolicyListPolicyAllow and googleProjectOrganizationPolicyListPolicyDeny
In an attempt to avoid allowing empty blocks in config files, exactly one of all or values is now required on the listPolicyAllow and listPolicyDeny blocks.
Resource: googleProjectService
bigquery-json.googleapis.com service can no longer be specified
bigquery-json.googleapis.com is being renamed to bigquery.googleapis.com in the upstream API. As a result, bigquery-json.googleapis.com has been disallowed. Instead, please use bigquery.googleapis.com. The provider will automatically convert between them as the upstream API migration continues.
Resource: googleProjectServices
googleProjectServices has been removed from the provider
The googleProjectServices resource was authoritative over the list of GCP services enabled on a project, so that services not explicitly set would be removed by Terraform.
However, this was dangerous to use in practice. Services have dependencies that are automatically enabled alongside them, and GCP will add dependencies to services out of band, enabling them. If a user ran Terraform after this, Terraform would disable the service, and implicitly disable any service that relied on it.
The googleProjectService resource is a much better match for most users' intent, managing a single service at a time. Setting several googleProjectService resources is an assertion that "these services are set on this project", while googleProjectServices was an assertion that "only these services are set on this project".
Users should migrate to using googleProjectService resources, or using the "terraform-google-modules/project-factory/google//modules/project_services" module for a similar interface to googleProjectServices.
Note: Prior to 2.13.0, each googleProjectService sent separate API enablement requests. From 2.13.0 onwards, those requests are batched on write, and from 2.20.0 onwards, batched on read. It's recommended that you upgrade to 2.13.0+ before migrating if you encounter write quota issues or 2.20.0+ before migrating if you encounter read quota issues when you migrate off googleProjectServices.
Old Config
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.projectServices.ProjectServices(this, "project", {
  disable_on_destroy: false,
  project: "your-project-id",
  services: ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
});
New Config (module)
import * as ProjectServices from "./.gen/modules/terraform-google-modules/google/project-factory/modules/project_services";
new ProjectServices.ProjectServices(this, "project_services", {
  activateApis: ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
  disableDependentServices: false,
  disableServicesOnDestroy: false,
  projectId: "your-project-id",
});
New Config (google_project_service)
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleProjectServiceService = new google.projectService.ProjectService(
  this,
  "service",
  {
    disable_on_destroy: false,
    project: "your-project-id",
    service: "${each.key}",
  }
);
/*In most cases loops should be handled in the programming language context and
not inside of the Terraform context. If you are looping over something external, e.g. a variable or a file input
you should consider using a for loop. If you are looping over something only known to Terraform, e.g. a result of a data source
you need to keep this like it is.*/
googleProjectServiceService.addOverride(
  "for_each",
  '${toset([\n "iam.googleapis.com",\n "cloudresourcemanager.googleapis.com",\n ])}'
);
Resource: googlePubsubSubscription
name must now be a short name
name previously could have been specified by a long name (e.g. projects/myProject/subscriptions/mySubscription) or a short name (e.g. mySubscription). name now must be the short name.
ttl is now required on googlePubsubSubscriptionExpirationPolicy
Previously, an empty expirationPolicy block would allow the resource to never expire. In an attempt to avoid allowing empty blocks in config files, ttl is now required on the expirationPolicy block. ttl should be set to "" for the resource to never expire.
Resource: googleSecurityScannerScanConfig
At least one of googleAccount or customAccount is now required on googleSecurityScannerScanConfigAuthentication
In an attempt to avoid allowing empty blocks in config files, at least one of googleAccount or customAccount is now required on the authentication block.
Resource: googleServiceAccountKey
pgpKey, privateKeyFingerprint, and privateKeyEncrypted are now removed
googleServiceAccountKey previously supported encrypting the private key with a supplied PGP key. This functionality is no longer supported and has been removed. State should instead be treated as sensitive, and ideally encrypted using a remote state backend.
This will require re-provisioning your service account key, unfortunately. There is no known alternative at this time.
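To find the keys this change affects, you can scan an existing state file for service account key resources. The following is an added example, not code from the provider or this guide; it assumes a version 4 state file layout and the Terraform (snake_case) names `google_service_account_key`, `pgp_key` and `private_key` for the fields this page calls googleServiceAccountKey, pgpKey and the private key, and `scanServiceAccountKeys` and the sample state are hypothetical.

```typescript
// Minimal shape of a Terraform state file (format version 4, assumed).
type StateInstance = { attributes: { [key: string]: unknown } };
type StateResource = { mode: string; type: string; name: string; instances: StateInstance[] };
type TerraformState = { version: number; resources: StateResource[] };
type KeyFinding = { address: string; needsReprovision: boolean; plaintextKeyInState: boolean };

function nonEmpty(v: unknown): boolean {
  return typeof v === "string" && v.length > 0;
}

// Report every managed service account key in the state: whether it relied on
// the removed PGP option, and whether the private key is stored unencrypted.
function scanServiceAccountKeys(state: TerraformState): KeyFinding[] {
  const findings: KeyFinding[] = [];
  for (const res of state.resources) {
    if (res.mode !== "managed" || res.type !== "google_service_account_key") continue;
    res.instances.forEach((inst, i) => {
      const suffix = res.instances.length > 1 ? "[" + i + "]" : "";
      findings.push({
        address: res.type + "." + res.name + suffix,
        needsReprovision: nonEmpty(inst.attributes["pgp_key"]),
        plaintextKeyInState: nonEmpty(inst.attributes["private_key"]),
      });
    });
  }
  return findings;
}

// Constructed sample state; key material is replaced by placeholders.
const sampleState: TerraformState = JSON.parse(`{
  "version": 4,
  "resources": [
    {"mode": "managed", "type": "google_service_account_key", "name": "ci", "instances": [
      {"attributes": {"pgp_key": "keybase:example", "private_key": "",
                      "private_key_encrypted": "<ENCRYPTED-PLACEHOLDER>"}}]},
    {"mode": "managed", "type": "google_service_account_key", "name": "app", "instances": [
      {"attributes": {"private_key": "<BASE64-KEY-PLACEHOLDER>"}}]},
    {"mode": "managed", "type": "google_storage_bucket", "name": "logs", "instances": [
      {"attributes": {"name": "constructed-bucket"}}]}
  ]
}`);

const keyFindings = scanServiceAccountKeys(sampleState);
for (const f of keyFindings) console.log(JSON.stringify(f));
```

Keys flagged needsReprovision must be recreated after the upgrade, and any state holding a key with plaintextKeyInState belongs in an encrypted, access-controlled remote backend.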
Resource: googleSqlDatabaseInstance
At least one of caCertificate, clientCertificate, clientKey, connectRetryInterval, dumpFilePath, failoverTarget, masterHeartbeatPeriod, password, sslCipher, username, or verifyServerCertificate is now required on googleSqlDatabaseInstanceSettingsReplicaConfiguration
In an attempt to avoid allowing empty blocks in config files, at least one of caCertificate, clientCertificate, clientKey, connectRetryInterval, dumpFilePath, failoverTarget, masterHeartbeatPeriod, password, sslCipher, username, or verifyServerCertificate is now required on the settingsReplicaConfiguration block.
At least one of cert, commonName, createTime, expirationTime, or sha1Fingerprint is now required on googleSqlDatabaseInstanceSettingsServerCaCert
In an attempt to avoid allowing empty blocks in config files, at least one of cert, commonName, createTime, expirationTime, or sha1Fingerprint is now required on the settingsServerCaCert block.
At least one of day, hour, or updateTrack is now required on googleSqlDatabaseInstanceSettingsMaintenanceWindow
In an attempt to avoid allowing empty blocks in config files, at least one of day, hour, or updateTrack is now required on the settingsMaintenanceWindow block.
At least one of binaryLogEnabled, enabled, startTime, or location is now required on googleSqlDatabaseInstanceSettingsBackupConfiguration
In an attempt to avoid allowing empty blocks in config files, at least one of binaryLogEnabled, enabled, startTime, or location is now required on the settingsBackupConfiguration block.
At least one of authorizedNetworks, ipv4Enabled, requireSsl, or privateNetwork is now required on googleSqlDatabaseInstanceSettingsIpConfiguration
In an attempt to avoid allowing empty blocks in config files, at least one of authorizedNetworks, ipv4Enabled, requireSsl, or privateNetwork is now required on the settingsIpConfiguration block.
name and value are now required on block googleSqlDatabaseInstanceSettingsDatabaseFlags
In an attempt to avoid allowing empty blocks in config files, name and value are now required on the settingsDatabaseFlags block.
value is now required on block googleSqlDatabaseInstanceSettingsIpConfigurationAuthorizedNetworks
In an attempt to avoid allowing empty blocks in config files, value is now required on the settingsIpConfigurationAuthorizedNetworks block.
zone is now required on block googleSqlDatabaseInstanceSettingsLocationPreference
In an attempt to avoid allowing empty blocks in config files, zone is now required on the settingsLocationPreference block.
Resource: googleStorageBucket
enabled is now required on block googleStorageBucketVersioning
Previously the default value of enabled was false. In an attempt to avoid allowing empty blocks in config files, enabled is now required on the versioning block.
At least one of mainPageSuffix or notFoundPage is now required on googleStorageBucketWebsite
In an attempt to avoid allowing empty blocks in config files, at least one of mainPageSuffix or notFoundPage is now required on the website block.
At least one of minTimeElapsedSinceLastModification, maxTimeElapsedSinceLastModification, includePrefixes, or excludePrefixes is now required on googleStorageTransferJobTransferSpecObjectConditions
In an attempt to avoid allowing empty blocks in config files, at least one of minTimeElapsedSinceLastModification, maxTimeElapsedSinceLastModification, includePrefixes, or excludePrefixes is now required on the transferSpecObjectConditions block.
isLive is now removed
Please use withState instead, as isLive is now removed.
Resource: googleStorageTransferJob
At least one of overwriteObjectsAlreadyExistingInSink, deleteObjectsUniqueInSink, or deleteObjectsFromSourceAfterTransfer is now required on googleStorageTransferJobTransferSpecTransferOptions
In an attempt to avoid allowing empty blocks in config files, at least one of overwriteObjectsAlreadyExistingInSink, deleteObjectsUniqueInSink, or deleteObjectsFromSourceAfterTransfer is now required on the transferSpecTransferOptions block.
At least one of gcsDataSource, awsS3DataSource, or httpDataSource is now required on googleStorageTransferJobTransferSpec
In an attempt to avoid allowing empty blocks in config files, at least one of gcsDataSource, awsS3DataSource, or httpDataSource is now required on the transferSpec block.
Resource: googleTpuNode
preemptible is now required on block googleTpuNodeSchedulingConfig
In an attempt to avoid allowing empty blocks in config files, preemptible is now required on the schedulingConfig block.