
Terraform Google Provider 3.0.0 Upgrade Guide

The 3.0.0 release of the Google provider for Terraform is a major version and includes some changes that you will need to consider when upgrading. This guide is intended to help with that process and focuses only on the changes necessary to upgrade from the final 2.X series release to 3.0.0.

Most of the changes outlined in this guide have previously been marked as deprecated in the Terraform plan/apply output throughout earlier provider releases, up to and including the final 2.X series release. These changes, such as deprecation notices, can always be found in the CHANGELOG of the affected provider (google or google-beta).

What is 3.0.0-beta.1?

With 3.0.0, we introduced a prerelease window for our major provider releases. 3.0.0-beta.1 contains all of the changes in 3.0.0 and allows you to test them prior to the full upgrade. 3.0.0 is not expected to contain new features that are not already in 3.0.0-beta.1, only bugfixes for issues we're made aware of before 3.0.0's release. Using 3.0.0-beta.1 in production is not recommended.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// In CDKTF the provider version is not set on the construct; to try the
// prerelease, pin it in cdktf.json, e.g. "terraformProviders": ["google@= 3.0.0-beta.1"],
// and re-run cdktf get.
new google.provider.GoogleProvider(this, "google", {});

I accidentally upgraded to 3.0.0, how do I downgrade to 2.X?

If you've inadvertently upgraded to 3.0.0, first see the Provider Version Configuration section below to lock your provider version; if you've constrained the provider to a lower version, as shown in the previous-version example in that section, Terraform will pull in a 2.X series release on terraform init.

If you've only run terraform init or terraform plan, your state will not have been modified and downgrading your provider is sufficient.

If you've run terraform refresh or terraform apply, Terraform may have made state changes in the meantime.

  • If you're using a local state, or a remote state backend that does not support versioning, terraform refresh with a downgraded provider is likely sufficient to revert your state. The Google provider generally refreshes most state information from the API, and the properties necessary to do so have been left unchanged.

  • If you're using a remote state backend that supports versioning, such as Google Cloud Storage, you can revert the Terraform state file to a previous version. If you do so and Terraform had created resources as part of a terraform apply in the meantime, you'll need to either delete them by hand or terraform import them so Terraform knows to manage them.

Upgrade Topics

Provider Version Configuration

Note: Before upgrading to version 3.0.0, it is recommended to upgrade to the most recent 2.X series release of the provider, make the changes noted in this guide, and ensure that your environment successfully runs terraform plan without unexpected changes or deprecation notices.

It is recommended to use version constraints when configuring Terraform providers. If you are following that recommendation, update the version constraints in your Terraform configuration and run terraform init to download the new version.

If you aren't using version constraints, you can run terraform init -upgrade to upgrade your provider to the latest released version.

For example, given this previous configuration:

import * as google from "./.gen/providers/google";
// In CDKTF the version constraint lives in cdktf.json rather than on the
// construct; the previous configuration pins a 2.X series release, e.g.
// "terraformProviders": ["google@~> 2.<minor>.0"] (<minor> is a placeholder).
new google.provider.GoogleProvider(this, "google", {});

An updated configuration:

import * as google from "./.gen/providers/google";
// Updated constraint in cdktf.json: "terraformProviders": ["google@~> 3.0.0"],
// followed by cdktf get and terraform init to download the new version.
new google.provider.GoogleProvider(this, "google", {});

Provider

Terraform 0.11 no longer supported

Support for Terraform 0.11 has been deprecated, and Terraform 0.12 or higher is required to run terraform init with the provider. See the blog post for more information. It is recommended that you upgrade to Terraform 0.12 before upgrading to version 3.0.0 of the provider.

userinfo.email added to default scopes

The userinfo.email scope has been added to the default set of OAuth scopes requested by the provider. This makes the email address of the identity specified by credentials (generally a service account) available to GCP APIs, in addition to an obfuscated user id; in particular, it makes the Terraform user's email available for some Kubernetes and IAP use cases.

If this was previously defined explicitly, the definition can now be removed.

Old Config

import * as google from "./.gen/providers/google";
new google.provider.GoogleProvider(this, "google", {
  // Explicit scope list; in 3.0.0 userinfo.email is part of the defaults,
  // so the whole list can be dropped if these are the only scopes needed.
  scopes: [
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/userinfo.email",
  ],
});

New Config

import * as google from "./.gen/providers/google";
// No scopes given: the provider's 3.0.0 defaults already include userinfo.email.
new google.provider.GoogleProvider(this, "google", {});

ID Format Changes

ID formats on many resources have changed. ID formats have standardized on being similar to the selfLink of a resource. Users who depended on particular ID formats in previous versions may be impacted.

Data Source: googleContainerEngineVersions

region and zone are now removed

Use location instead.

Resource: googleAccessContextManagerAccessLevel

osType is now required on block googleAccessContextManagerAccessLevelBasicConditionsDevicePolicyOsConstraints

In an attempt to avoid allowing empty blocks in config files, osType is now required on the basicConditionsDevicePolicyOsConstraints block.

Resource: googleAccessContextManagerServicePerimeter

At least one of resources, accessLevels, or restrictedServices is now required on googleAccesscontextmanagerServicePerimeterStatus

In an attempt to avoid allowing empty blocks in config files, at least one of resources, accessLevels, or restrictedServices is now required on the status block.

Resource: googleAppEngineApplication

splitHealthChecks is now required on block googleAppEngineApplicationFeatureSettings

In an attempt to avoid allowing empty blocks in config files, splitHealthChecks is now required on the featureSettings block.

Resource: googleAppEngineDomainMapping

sslManagementType is now required on googleAppEngineDomainMappingSslSettings

In an attempt to avoid allowing empty blocks in config files, sslManagementType is now required on the sslSettings block.

Resource: googleAppEngineStandardAppVersion

At least one of zip or files is now required on googleAppEngineStandardAppVersionDeployment

In an attempt to avoid allowing empty blocks in config files, at least one of zip or files is now required on the deployment block.

shell is now required on googleAppEngineStandardAppVersionEntrypoint

In an attempt to avoid allowing empty blocks in config files, shell is now required on the entrypoint block.

scriptPath is now required on googleAppEngineStandardAppVersionHandlersScript

In an attempt to avoid allowing empty blocks in config files, scriptPath is now required on the handlersScript block.

sourceUrl is now required on googleAppEngineStandardAppVersionDeploymentFiles and googleAppEngineStandardAppVersionDeploymentZip

In an attempt to avoid allowing empty blocks in config files, sourceUrl is now required on the deploymentFiles and deploymentZip blocks.

Resource: googleBigqueryTable

At least one of range or skipLeadingRows is now required on externalDataConfigurationGoogleSheetsOptions

In an attempt to avoid allowing empty blocks in config files, at least one of range or skipLeadingRows is now required on the externalDataConfigurationGoogleSheetsOptions block.

Resource: googleBigtableAppProfile

Exactly one of singleClusterRouting or multiClusterRoutingUseAny is now required on googleBigtableAppProfile

In an attempt to be more consistent with the API, exactly one of singleClusterRouting or multiClusterRoutingUseAny is now required on googleBigtableAppProfile.

clusterId is now required on googleBigtableAppProfileSingleClusterRouting

In an attempt to avoid allowing empty blocks in config files, clusterId is now required on the singleClusterRouting block.

Resource: googleBinaryAuthorizationPolicy

namePattern is now required on googleBinaryAuthorizationPolicyAdmissionWhitelistPatterns

In an attempt to avoid allowing empty blocks in config files, namePattern is now required on the admissionWhitelistPatterns block.

evaluationMode and enforcementMode are now required on googleBinaryAuthorizationPolicyClusterAdmissionRules

In an attempt to avoid allowing empty blocks in config files, evaluationMode and enforcementMode are now required on the clusterAdmissionRules block.

Resource: googleCloudbuildTrigger

Exactly one of filename or build is now required on googleCloudbuildTrigger

In an attempt to be more consistent with the API, exactly one of filename or build is now required on googleCloudbuildTrigger.

Exactly one of branchName, tagName or commitSha is now required on googleCloudbuildTriggerTriggerTemplate

In an attempt to avoid allowing empty blocks in config files, exactly one of branchName, tagName or commitSha is now required on the triggerTemplate block.

Exactly one of pullRequest or push is now required on googleCloudbuildTriggerGithub

In an attempt to avoid allowing empty blocks in config files, exactly one of pullRequest or push is now required on the github block.

Exactly one of branch or tagName is now required on googleCloudbuildTriggerGithubPush

In an attempt to avoid allowing empty blocks in config files, exactly one of branch or tagName is now required on the githubPush block.

steps is now required on googleCloudbuildTriggerBuild.

In an attempt to avoid allowing empty blocks in config files, steps is now required on the build block.

name is now required on googleCloudbuildTriggerBuildSteps

In an attempt to avoid allowing empty blocks in config files, name is now required on the buildSteps block.

name and path are now required on googleCloudbuildTriggerBuildStepsVolumes

In an attempt to avoid allowing empty blocks in config files, name and path are now required on the buildStepsVolumes block.

Resource: googleCloudfunctionsFunction

The runtime option nodejs6 has been deprecated

nodejs6 has been deprecated and is no longer the default value for runtime. runtime is now required.

Resource: googleCloudiotRegistry

Replace singular event notification config field with plural eventNotificationConfigs

Use the plural field eventNotificationConfigs instead of eventNotificationConfig, which has now been removed. Since the Cloud IoT API now accepts multiple event notification configs for a registry, the singular field no longer exists on the API resource and has been removed from Terraform to prevent conflicts.

Old Config

import * as google from "./.gen/providers/google";
new google.cloudiotRegistry.CloudiotRegistry(this, "myregistry", {
  // Singular block, removed in 3.0.0.
  eventNotificationConfig: [
    {
      pubsubTopicName: "${google_pubsub_topic.event-topic.id}",
    },
  ],
  name: "%s", // placeholder name carried over from the original guide
});

New Config

import * as google from "./.gen/providers/google";
new google.cloudiotRegistry.CloudiotRegistry(this, "myregistry", {
  // Plural block; the API accepts several configs per registry.
  eventNotificationConfigs: [
    {
      pubsubTopicName: "${google_pubsub_topic.event-topic.id}",
    },
  ],
  name: "%s", // placeholder name carried over from the original guide
});

publicKeyCertificate is now required on block googleCloudiotRegistryCredentials

In an attempt to avoid allowing empty blocks in config files, publicKeyCertificate is now required on the credentials block.

Resource: googleCloudRunService

Google Cloud Run Service is being released at v1 and there are breaking schema changes that have arisen from changing the underlying API. These breaking changes only affect the Beta version of the resource as it was not previously available in the GA provider.

To support partial rollouts of different revisions, the spec block is now nested under template, and a second metadata block has been added alongside spec. Users can now make a change and, by naming the revision, control its rollout with finer granularity.

Old Config

import * as google from "./.gen/providers/google";
new google.cloudRunService.CloudRunService(this, "default", {
  // Pre-3.0.0 (beta-only) shape: spec sits at the top level of the resource.
  spec: [
    {
      containerConcurrency: 10,
      containers: [
        {
          args: ["arrg2", "pirate"],
          image: "gcr.io/cloudrun/hello",
        },
      ],
    },
  ],
});

New Config

import * as google from "./.gen/providers/google";
new google.cloudRunService.CloudRunService(this, "default", {
  // 3.0.0 shape: spec moves under template, next to a revision-level metadata block.
  template: [
    {
      metadata: [
        {
          // annotations is a string map, not a nested block
          annotations: {
            "autoscaling.knative.dev/maxScale": "1000",
            "run.googleapis.com/client-name": "terraform",
          },
          // Naming the revision is what allows its rollout to be controlled.
          name: "revision-name",
        },
      ],
      spec: [
        {
          containerConcurrency: 10,
          containers: [
            {
              args: ["arrg2", "pirate"],
              image: "gcr.io/cloudrun/hello",
            },
          ],
        },
      ],
    },
  ],
});

Resource: googleCloudschedulerJob

Exactly one of pubsubTarget, httpTarget or appEngineHttpTarget is required on googleCloudschedulerJob

In an attempt to be more consistent with the API, exactly one of pubsubTarget, httpTarget or appEngineHttpTarget is now required on googleCloudschedulerJob.

serviceAccountEmail is now required on googleCloudschedulerJobHttpTargetOauthToken and googleCloudschedulerJobHttpTargetOidcToken.

In an attempt to avoid allowing empty blocks in config files, serviceAccountEmail is now required on the httpTargetOauthToken and httpTargetOidcToken blocks.

At least one of retryCount, maxRetryDuration, minBackoffDuration, maxBackoffDuration, or maxDoublings is now required on googleCloudSchedulerJobRetryConfig

In an attempt to avoid allowing empty blocks in config files, at least one of retryCount, maxRetryDuration, minBackoffDuration, maxBackoffDuration, or maxDoublings is now required on the retryConfig block.

At least one of service, version, or instance is now required on googleCloudSchedulerJobAppEngineHttpTargetAppEngineRouting

In an attempt to avoid allowing empty blocks in config files, at least one of service, version, or instance is now required on the appEngineHttpTargetAppEngineRouting block.

Resource: googleComposerEnvironment

At least one of airflowConfigOverrides, pypiPackages, envVariables, imageVersion, pythonVersion or schedulerCount is now required on googleComposerEnvironmentConfigSoftwareConfig

In an attempt to avoid allowing empty blocks in config files, at least one of airflowConfigOverrides, pypiPackages, envVariables, imageVersion, pythonVersion or schedulerCount is now required on the configSoftwareConfig block.

useIpAliases is now required on block googleComposerEnvironmentIpAllocationPolicy

Previously the default value of useIpAliases was true. In an attempt to avoid allowing empty blocks in config files, useIpAliases is now required on the ipAllocationPolicy block.

At least one of enablePrivateEndpoint or masterIpv4CidrBlock is now required on googleComposerEnvironmentConfigPrivateEnvironmentConfig

In an attempt to avoid allowing empty blocks in config files, at least one of enablePrivateEndpoint or masterIpv4CidrBlock is now required on the configPrivateEnvironmentConfig block.

At least one of nodeCount, nodeConfig, softwareConfig or privateEnvironmentConfig is now required on googleComposerEnvironmentConfig

In an attempt to avoid allowing empty blocks in config files, at least one of nodeCount, nodeConfig, softwareConfig or privateEnvironmentConfig is now required on the config block.

Resource: googleComputeBackendBucket

signedUrlCacheMaxAgeSec is now required on googleComputeBackendBucketAutoscalingPolicyCdnPolicy

Previously the default value of signedUrlCacheMaxAgeSec was 3600. In an attempt to avoid allowing empty blocks in config files, signedUrlCacheMaxAgeSec is now required on the autoscalingPolicyCdnPolicy block.

Resource: googleComputeBackendService

At least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on googleComputeBackendServiceCircuitBreakers

In an attempt to avoid allowing empty blocks in config files, at least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on the circuitBreakers block.

At least one of ttl, name, or path is now required on googleComputeBackendServiceConsistentHashHttpCookie

In an attempt to avoid allowing empty blocks in config files, at least one of ttl, name, or path is now required on the consistentHashHttpCookie block.

At least one of httpCookie, httpHeaderName, or minimumRingSize is now required on googleComputeBackendServiceConsistentHash

In an attempt to avoid allowing empty blocks in config files, at least one of httpCookie, httpHeaderName, or minimumRingSize is now required on the consistentHash block.

At least one of cacheKeyPolicy or signedUrlCacheMaxAgeSec is now required on googleComputeBackendServiceCdnPolicy

In an attempt to avoid allowing empty blocks in config files, at least one of cacheKeyPolicy or signedUrlCacheMaxAgeSec is now required on the cdnPolicy block.

At least one of includeHost, includeProtocol, includeQueryString, queryStringBlacklist, or queryStringWhitelist is now required on googleComputeBackendServiceCdnPolicyCacheKeyPolicy

In an attempt to avoid allowing empty blocks in config files, at least one of includeHost, includeProtocol, includeQueryString, queryStringBlacklist, or queryStringWhitelist is now required on the cdnPolicyCacheKeyPolicy block.

At least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on googleComputeBackendServiceOutlierDetection

In an attempt to avoid allowing empty blocks in config files, at least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on the outlierDetection block.

At least one of enable or sampleRate is now required on googleComputeBackendServiceLogConfig

In an attempt to avoid allowing empty blocks in config files, at least one of enable or sampleRate is now required on the logConfig block.

Resource: googleComputeFirewall

Exactly one of allow or deny is required on googleComputeFirewall

In an attempt to be more consistent with the API, exactly one of allow or deny is now required on googleComputeFirewall.

Resource: googleComputeForwardingRule

ipVersion is now removed

ipVersion is not used for regional forwarding rules.

ipAddress is now strictly validated to enforce literal IP address format

Previously, the documentation suggested that Terraform could accept the same range of IP address formats for ipAddress as the API does (e.g. named addresses or URLs of GCP Address resources). However, the server returns only literal IP addresses, so any other format produced a diff on every re-apply (a permadiff). The documentation was amended to say that Terraform only accepts literal IP addresses.

This is now strictly validated. This shouldn't have a large breaking impact, since users would already have run into permadiff issues on re-apply, but there may be validation errors for existing configs. The solution is to replace other address formats with the literal IP address, either manually or by interpolating the address attribute of a googleComputeAddress resource.

Old Config (that would have a permadiff)

import * as google from "./.gen/providers/google";
const googleComputeAddressMyAddr = new google.computeAddress.ComputeAddress(
  this,
  "my-addr",
  {
    name: "my-addr",
  }
);
new google.computeForwardingRule.ComputeForwardingRule(this, "frule", {
  // selfLink is a URL, not a literal IP: the API echoes back the IP, so this never converges.
  ipAddress: googleComputeAddressMyAddr.selfLink,
  name: "my-forwarding-rule",
});

New Config

import * as google from "./.gen/providers/google";
const googleComputeAddressMyAddr = new google.computeAddress.ComputeAddress(
  this,
  "my-addr",
  {
    name: "my-addr",
  }
);
new google.computeForwardingRule.ComputeForwardingRule(this, "frule", {
  // The address attribute resolves to the literal IP that the API returns.
  ipAddress: googleComputeAddressMyAddr.address,
  name: "my-forwarding-rule",
});

Resource: googleComputeGlobalForwardingRule

ipAddress is now validated to enforce literal IP address format

See googleComputeForwardingRule.

Resource: googleComputeHealthCheck

Exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is required on googleComputeHealthCheck

In an attempt to be more consistent with the API, exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is now required on googleComputeHealthCheck.

At least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeHealthCheckHttpHealthCheck, googleComputeHealthCheckHttpsHealthCheck and googleComputeHealthCheckHttp2HealthCheck

In an attempt to avoid allowing empty blocks in config files, at least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on the httpHealthCheck, httpsHealthCheck and http2HealthCheck blocks.

At least one of request, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeHealthCheckSslHealthCheck and googleComputeHealthCheckTcpHealthCheck

In an attempt to avoid allowing empty blocks in config files, at least one of request, response, port, portName, proxyHeader, or portSpecification is now required on the sslHealthCheck and tcpHealthCheck blocks.

Resource: googleComputeImage

type is now required on googleComputeImageGuestOsFeatures

In an attempt to avoid allowing empty blocks in config files, type is now required on the guestOsFeatures block.

Resource: googleComputeInstance

interface is now required on block googleComputeInstanceScratchDisk

Previously the default value of interface was SCSI. In an attempt to avoid allowing empty blocks in config files, interface is now required on the scratchDisk block.

At least one of autoDelete, deviceName, diskEncryptionKeyRaw, kmsKeySelfLink, initializeParams, mode or source is now required on googleComputeInstanceBootDisk

In an attempt to avoid allowing empty blocks in config files, at least one of autoDelete, deviceName, diskEncryptionKeyRaw, kmsKeySelfLink, initializeParams, mode or source is now required on the bootDisk block.

At least one of size, type, image, or labels is now required on googleComputeInstanceBootDiskInitializeParams

In an attempt to avoid allowing empty blocks in config files, at least one of size, type, image, or labels is now required on the initializeParams block.

At least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on googleComputeInstanceShieldedInstanceConfig

In an attempt to avoid allowing empty blocks in config files, at least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on the shieldedInstanceConfig block.

At least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on googleComputeInstanceScheduling

In an attempt to avoid allowing empty blocks in config files, at least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on the scheduling block.

Resource: googleComputeInstanceGroupManager

The following changes apply to both googleComputeInstanceGroupManager and googleComputeRegionInstanceGroupManager.

instanceTemplate has been replaced by versionInstanceTemplate

Instance group managers should use version blocks to reference the instance template used for provisioning. To upgrade, use a single version block containing instanceTemplate in your config; by default all traffic will be directed to that version.

Old Config

import * as google from "./.gen/providers/google";
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
  this,
  "my_igm",
  {
    baseInstanceName: "igm",
    // Top-level instanceTemplate: removed in 3.0.0.
    instanceTemplate: "${google_compute_instance_template.my_tmpl.self_link}",
    name: "my-igm",
    zone: "us-central1-c",
  }
);

New Config

import * as google from "./.gen/providers/google";
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
  this,
  "my_igm",
  {
    baseInstanceName: "igm",
    name: "my-igm",
    // A single version block: all traffic is directed to it by default.
    version: [
      {
        instanceTemplate:
          "${google_compute_instance_template.my_tmpl.self_link}",
        name: "prod",
      },
    ],
    zone: "us-central1-c",
  }
);

updateStrategy has been replaced by updatePolicy

To allow much greater control over the updates applied to instance groups, updateStrategy has been replaced by updatePolicy. The functionality controlled by updateStrategy is now controlled by the combination of type and minimalAction inside updatePolicy. updateStrategy = NONE corresponds to type = OPPORTUNISTIC. The previous values RESTART and REPLACE were both implicitly PROACTIVE; the type and the minimal action can now be set explicitly.

For more details see the official guide.

Old Config

import * as google from "./.gen/providers/google";
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
  this,
  "my_igm",
  {
    baseInstanceName: "igm",
    instanceTemplate: "${google_compute_instance_template.my_tmpl.self_link}",
    name: "my-igm",
    // Removed in 3.0.0; see updatePolicy below.
    updateStrategy: "NONE",
    zone: "us-central1-c",
  }
);

New Config

import * as google from "./.gen/providers/google";
new google.computeInstanceGroupManager.ComputeInstanceGroupManager(
  this,
  "my_igm",
  {
    baseInstanceName: "igm",
    name: "my-igm",
    updatePolicy: [
      {
        minimalAction: "RESTART",
        // OPPORTUNISTIC is the equivalent of the old updateStrategy = "NONE".
        type: "OPPORTUNISTIC",
      },
    ],
    version: [
      {
        instanceTemplate:
          "${google_compute_instance_template.my_tmpl.self_link}",
        name: "prod",
      },
    ],
    zone: "us-central1-c",
  }
);

Resource: googleComputeInstanceTemplate

At least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on googleComputeInstanceTemplateShieldedInstanceConfig

In an attempt to avoid allowing empty blocks in config files, at least one of enableSecureBoot, enableVtpm, or enableIntegrityMonitoring is now required on the shieldedInstanceConfig block.

At least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on googleComputeInstanceTemplateScheduling

In an attempt to avoid allowing empty blocks in config files, at least one of onHostMaintenance, automaticRestart, preemptible, or nodeAffinities is now required on the scheduling block.

Disks with invalid scratch disk configurations are now rejected

The instance template API allows some invalid configurations to be specified, and only returns an error when an attempt is made to provision them. Terraform now rejects at plan time some configs that previously appeared valid there.

A disk with type "SCRATCH" must have disk_type "local-ssd" and a size of 375 GB. For example, the following is valid:

disk {
  auto_delete  = true
  type         = "SCRATCH"
  disk_type    = "local-ssd"
  disk_size_gb = 375
}

These configs would have been accepted by Terraform previously, but will now fail:

disk {
  source_image = "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20210217"
  auto_delete  = true
  type         = "SCRATCH"
}
disk {
  source_image = "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20210217"
  auto_delete  = true
  disk_type    = "local-ssd"
}
disk {
  auto_delete  = true
  type         = "SCRATCH"
  disk_type    = "local-ssd"
  disk_size_gb = 300
}

In an attempt to avoid allowing empty blocks in config files, kmsKeySelfLink is now required on the diskEncryptionKey block.

Resource: googleComputeNetwork

ipv4Range is now removed

Legacy networks have been removed from the provider: Google no longer allows creating them from Feb 1, 2020 onwards, so the field used to create them is gone.

Resource: googleComputeNetworkPeering

autoCreateRoutes is now removed

autoCreateRoutes has been removed because it's redundant and not user-configurable.

Resource: googleComputeNodeTemplate

At least one of cpus or memory is now required on googleComputeNodeTemplateNodeTypeFlexibility

In an attempt to avoid allowing empty blocks in config files, at least one of cpus or memory is now required on the nodeTypeFlexibility block.

Resource: googleComputeRegionBackendService

At least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on googleComputeRegionBackendServiceCircuitBreakers

In an attempt to avoid allowing empty blocks in config files, at least one of connectTimeout, maxRequestsPerConnection, maxConnections, maxPendingRequests, maxRequests, or maxRetries is now required on the circuitBreakers block.

At least one of ttl, name, or path is now required on googleComputeRegionBackendServiceConsistentHashHttpCookie

In an attempt to avoid allowing empty blocks in config files, at least one of ttl, name, or path is now required on the consistentHashHttpCookie block.

At least one of httpCookie, httpHeaderName, or minimumRingSize is now required on googleComputeRegionBackendServiceConsistentHash

In an attempt to avoid allowing empty blocks in config files, at least one of httpCookie, httpHeaderName, or minimumRingSize is now required on the consistentHash block.

At least one of disableConnectionDrainOnFailover, dropTrafficIfUnhealthy, or failoverRatio is now required on googleComputeRegionBackendServiceFailoverPolicy

In an attempt to avoid allowing empty blocks in config files, at least one of disableConnectionDrainOnFailover, dropTrafficIfUnhealthy, or failoverRatio is now required on the failoverPolicy block.

At least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on googleComputeRegionBackendServiceOutlierDetection

In an attempt to avoid allowing empty blocks in config files, at least one of baseEjectionTime, consecutiveErrors, consecutiveGatewayFailure, enforcingConsecutiveErrors, enforcingConsecutiveGatewayFailure, enforcingSuccessRate, interval, maxEjectionPercent, successRateMinimumHosts, successRateRequestVolume, or successRateStdevFactor is now required on the outlierDetection block.

At least one of enable or sampleRate is now required on googleComputeRegionBackendServiceLogConfig

In an attempt to avoid allowing empty blocks in config files, at least one of enable or sampleRate is now required on the logConfig block.

Resource: googleComputeRegionHealthCheck

Exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is required on googleComputeRegionHealthCheck

In attempt to be more consistent with the API, exactly one of httpHealthCheck, httpsHealthCheck, http2HealthCheck, tcpHealthCheck or sslHealthCheck is now required on the googleComputeRegionHealthCheck.

At least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeRegionHealthCheckHttpHealthCheck, googleComputeRegionHealthCheckHttpsHealthCheck and googleComputeRegionHealthCheckHttp2HealthCheck

In an attempt to avoid allowing empty blocks in config files, at least one of host, requestPath, response, port, portName, proxyHeader, or portSpecification is now required on the httpHealthCheck, httpsHealthCheck and http2HealthCheck blocks.

At least one of request, response, port, portName, proxyHeader, or portSpecification is now required on googleComputeRegionHealthCheckSslHealthCheck and googleComputeRegionHealthCheckTcpHealthCheck

In an attempt to avoid allowing empty blocks in config files, at least one of request, response, port, portName, proxyHeader, or portSpecification is now required on the sslHealthCheck and tcpHealthCheck blocks.

Resource: googleComputeResourcePolicy

Exactly one of hourlySchedule, dailySchedule or weeklySchedule is now required on googleComputeResourcePolicySnapshotSchedulePolicySchedule

In an attempt to avoid allowing empty blocks in config files, exactly one of hourlySchedule, dailySchedule or weeklySchedule is now required on the snapshotSchedulePolicySchedule block.

At least one of labels, storageLocations, or guestFlush is now required on googleComputeResourcePolicySnapshotSchedulePolicySnapshotProperties

In an attempt to avoid allowing empty blocks in config files, at least one of labels, storageLocations, or guestFlush is now required on the snapshotSchedulePolicySnapshotProperties block.

Resource: googleComputeRoute

Exactly one of nextHopGateway, nextHopInstance, nextHopIp, nextHopVpnTunnel or nextHopIlb is required on googleComputeRoute

In attempt to be more consistent with the API, exactly one of nextHopGateway, nextHopInstance, nextHopIp, nextHopVpnTunnel or nextHopIlb is now required on the googleComputeRoute.

Resource: googleComputeRouter

range is now required on googleComputeRouterBgpAdvertisedIpRanges

In an attempt to avoid allowing empty blocks in config files, range is now required on the bgpAdvertisedIpRanges block.

Resource: googleComputeRouterPeer

range is now required on block googleComputeRouterPeerAdvertisedIpRanges

In an attempt to avoid allowing empty blocks in config files, range is now required on the advertisedIpRanges block.

Resource: googleComputeSnapshot

rawKey is now required on block googleComputeSnapshotSourceDiskEncryptionKey

In an attempt to avoid allowing empty blocks in config files, rawKey is now required on the sourceDiskEncryptionKey block.

Resource: googleComputeSubnetwork

enableFlowLogs is now removed

enableFlowLogs has been removed and is replaced by the logConfig block, which holds the flow-logging settings. Flow logs are now enabled when a logConfig block is defined and disabled when it is absent, rather than by the enableFlowLogs flag. Users with enableFlowLogs = false only need to remove the field; users with enableFlowLogs = true must also add a logConfig block, otherwise flow logging on that subnetwork is switched off at the next apply.

At least one of aggregationInterval, flowSampling, or metadata is now required on googleComputeSubnetworkLogConfig

In an attempt to avoid allowing empty blocks in config files, at least one of aggregationInterval, flowSampling, or metadata is now required on the logConfig block.

Old Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet-with-logging", {
  enable_flow_logs: true,
  ip_cidr_range: "10.2.0.0/16",
  name: "log-test-subnetwork",
  network: "${google_compute_network.custom-test.self_link}",
  region: "us-central1",
});

New Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.computeSubnetwork.ComputeSubnetwork(this, "subnet-with-logging", {
  ip_cidr_range: "10.2.0.0/16",
  log_config: [
    {
      aggregation_interval: "INTERVAL_10_MIN",
      flow_sampling: 0.5,
      metadata: "INCLUDE_ALL_METADATA",
    },
  ],
  name: "log-test-subnetwork",
  network: "${google_compute_network.custom-test.self_link}",
  region: "us-central1",
});

Resource: googleContainerCluster

ipAllocationPolicy will catch out-of-band changes, useIpAliases removed

-> This change and "Automatic subnetwork creation for VPC-native clusters removed" are related; see the other entry for more details.

In 2X, ipAllocationPolicy wouldn't cause a diff if it was undefined in config but was set on the cluster itself. Additionally, it could be defined with useIpAliases set to false. However, this made it difficult to reason about whether a cluster was routes-based or VPC-native.

With 300, Terraform will detect drift on the block. The configuration has also been simplified. Terraform creates a VPC-native cluster when ipAllocationPolicy is defined (useIpAliases is implicitly set to true and is no longer configurable). When the block is undefined, Terraform creates a routes-based cluster.

Other than removing the useIpAliases field, most users of VPC-native clusters won't be affected. terraformPlan will show a diff if a config doesn't contain ipAllocationPolicy but the underlying cluster does. Routes-based cluster users may need to remove ipAllocationPolicy if useIpAliases had been set to false.

Old Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.containerCluster.ContainerCluster(this, "primary", {
  initial_node_count: 1,
  ip_allocation_policy: [
    {
      use_ip_aliases: false,
    },
  ],
  location: "us-central1",
  name: "my-cluster",
});

New Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.containerCluster.ContainerCluster(this, "primary", {
  initial_node_count: 1,
  location: "us-central1",
  name: "my-cluster",
});

Automatic subnetwork creation for VPC-native clusters removed

Automatic creation of subnetworks in GKE has been removed. Now, users of VPC-native clusters will always need to provide a googleComputeSubnetwork resource to use ipAllocationPolicy. Routes-based clusters are unaffected.

Representing resources managed by another source in Terraform is painful, and leads to confusing patterns that often involve unnecessarily recreating user resources. A number of fields in GKE are dedicated to a feature that allows users to create a GKE-managed subnetwork.

This is a great fit for an imperative tool like gcloud, but it's not required for Terraform. With Terraform, it's relatively easy to specify a subnetwork in config alongside the cluster. Not only does that allow configuring subnetwork features like flow logging, it's more explicit, allows the subnetwork to be used by other resources, and the subnetwork persists through cluster deletion.

Particularly, Shared VPC was incompatible with createSubnetwork, and nodeIpv4Cidr was easy to confuse with ipAllocationPolicyNodeIpv4CidrBlock.

Detailed changes:

  • ipAllocationPolicyNodeIpv4CidrBlock removed (This controls the primary range of the created subnetwork)
  • ipAllocationPolicyCreateSubnetwork, ipAllocationPolicySubnetworkName removed
  • ipAllocationPolicy will catch drift when not in config
  • ipAllocationPolicyUseIpAliases removed
  • Enablement is now based on ipAllocationPolicy being defined instead
  • Conflict added between nodeIpv4Cidr, ipAllocationPolicy

Upgrade instructions

  1. Remove the removed fields from googleContainerCluster
  2. Add a googleComputeSubnetwork to your config, import it using terraformImport
  3. Reference the subnetwork using the subnetwork field on your googleContainerCluster

-> Subnetworks originally created as part of createSubnetwork will be deleted alongside the cluster. If there are other users of the subnetwork, deletion of the cluster will fail. After the original resources are deleted, terraformApply will recreate the same subnetwork except that it won't be managed by a GKE cluster and other resources can use it safely.

Old Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkContainerNetwork =
  new google.computeNetwork.ComputeNetwork(this, "container_network", {
    auto_create_subnetworks: false,
    name: "container-network",
  });
new google.containerCluster.ContainerCluster(this, "primary", {
  initial_node_count: 1,
  ip_allocation_policy: [
    {
      cluster_ipv4_cidr_block: "10.0.0.0/16",
      create_subnetwork: true,
      node_ipv4_cidr_block: "10.2.0.0/16",
      services_ipv4_cidr_block: "10.1.0.0/16",
      use_ip_aliases: true,
    },
  ],
  location: "us-central1",
  name: "my-cluster",
  network: googleComputeNetworkContainerNetwork.name,
});

New Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleComputeNetworkContainerNetwork =
  new google.computeNetwork.ComputeNetwork(this, "container_network", {
    auto_create_subnetworks: false,
    name: "container-network",
  });
const googleComputeSubnetworkContainerSubnetwork =
  new google.computeSubnetwork.ComputeSubnetwork(this, "container_subnetwork", {
    description: 'auto-created subnetwork for cluster "my-cluster"',
    ip_cidr_range: "10.2.0.0/16",
    name: "container-subnetwork",
    network: googleComputeNetworkContainerNetwork.selfLink,
    region: "us-central1",
  });
new google.containerCluster.ContainerCluster(this, "primary", {
  initial_node_count: 1,
  ip_allocation_policy: [
    {
      cluster_ipv4_cidr_block: "10.0.0.0/16",
      services_ipv4_cidr_block: "10.1.0.0/16",
    },
  ],
  location: "us-central1",
  name: "my-cluster",
  network: googleComputeNetworkContainerNetwork.name,
  subnetwork: googleComputeSubnetworkContainerSubnetwork.name,
});

taint field is now authoritative when set

The taint field inside of nodeConfig blocks on googleContainerCluster and googleContainerNodePool will no longer ignore GPU-related values when set.

Previously, the field ignored upstream taints when unset and ignored unset GPU taints when other taints were set. Now it ignores upstream taints when unset and is authoritative when set, so every taint on the node pool (including Kubernetes- and GKE-managed ones) must be defined in config.

Additionally, an empty taint can now be specified with taint = []. As a result of this change, the JSON/state representation of the field has changed, introducing an incompatibility for users who specify config in JSON instead of HCL or who use dynamic blocks. See more details in the Attributes as Blocks documentation.

addonsConfigKubernetesDashboard is now removed

The kubernetesDashboard addon is deprecated for clusters on GKE and will soon be removed. It is recommended to use alternative GCP Console dashboards.

channel is now required on googleContainerClusterReleaseChannel

In an attempt to avoid allowing empty blocks in config files, channel is now required on the releaseChannel block.

The disabled field is now required on the addonsConfig blocks for httpLoadBalancing, horizontalPodAutoscaling, istioConfig, cloudrunConfig and networkPolicyConfig.

In an attempt to avoid allowing empty blocks in config files, disabled is now required on the different googleContainerClusterAddonsConfig blocks.

Exactly one of dailyMaintenanceWindow or recurringWindow is now required on googleContainerClusterMaintenancePolicy

In an attempt to avoid allowing empty blocks in config files, exactly one of dailyMaintenanceWindow or recurringWindow is now required on the maintenancePolicy block.

At least one of httpLoadBalancing, horizontalPodAutoscaling, networkPolicyConfig, cloudrunConfig, or istioConfig is now required on googleContainerClusterAddonsConfig

In an attempt to avoid allowing empty blocks in config files, at least one of httpLoadBalancing, horizontalPodAutoscaling, networkPolicyConfig, cloudrunConfig, or istioConfig is now required on the addonsConfig block.

At least one of username, password or clientCertificateConfig is now required on googleContainerClusterMasterAuth

In an attempt to avoid allowing empty blocks in config files, at least one of username, password or clientCertificateConfig is now required on the masterAuth block.

enabled is now required on block googleContainerClusterVerticalPodAutoscaling

In an attempt to avoid allowing empty blocks in config files, enabled is now required on the verticalPodAutoscaling block.

enabled is now required on block googleContainerClusterNetworkPolicy

Previously the default value of enabled was false. In an attempt to avoid allowing empty blocks in config files, enabled is now required on the networkPolicy block.

enablePrivateEndpoint is now required on block googleContainerClusterPrivateClusterConfig

In an attempt to avoid allowing empty blocks in config files, enablePrivateEndpoint is now required on the privateClusterConfig block.

loggingService and monitoringService defaults changed

GKE Stackdriver Monitoring (the GKE-specific Stackdriver experience) is now enabled at cluster creation by default, matching the default for GKE 1.14 in other tools.

Terraform will now detect changes out of band when the field(s) are not defined in config, attempting to return them to their new defaults, and will be clear about what values will be set when creating a cluster.

terraformPlan will report changes upon upgrading if the field was previously unset. Applying this change will enable the new Stackdriver service without recreating clusters. Users who wish to use another value should record their intended value in config; the old default values can be added to a googleContainerCluster resource config block to preserve them.

Old Defaults

logging_service    = "logging.googleapis.com"
monitoring_service = "monitoring.googleapis.com"

New Defaults

logging_service    = "logging.googleapis.com/kubernetes"
monitoring_service = "monitoring.googleapis.com/kubernetes"

zone, region and additionalZones are now removed

zone and region have been removed in favor of location and additionalZones has been removed in favor of nodeLocations

Resource: googleContainerNodePool

zone and region are now removed

zone and region have been removed in favor of location

Resource: googleDataprocAutoscalingPolicy

At least one of minInstances, maxInstances, or weight is now required on googleDataprocAutoscalingPolicySecondaryWorkerConfig

In an attempt to avoid allowing empty blocks in config files, at least one of minInstances, maxInstances, or weight is now required on the secondaryWorkerConfig block.

Resource: googleDataprocCluster

At least one of stagingBucket, gceClusterConfig, masterConfig, workerConfig, preemptibleWorkerConfig, softwareConfig, initializationAction or encryptionConfig is now required on googleDataprocClusterClusterConfig

In an attempt to avoid allowing empty blocks in config files, at least one of stagingBucket, gceClusterConfig, masterConfig, workerConfig, preemptibleWorkerConfig, softwareConfig, initializationAction or encryptionConfig is now required on the clusterConfig block.

At least one of imageVersion, overrideProperties or optionalComponents is now required on googleDataprocClusterClusterConfigSoftwareConfig

In an attempt to avoid allowing empty blocks in config files, at least one of imageVersion, overrideProperties or optionalComponents is now required on the clusterConfigSoftwareConfig block.

At least one of numInstances or diskConfig is now required on googleDataprocClusterClusterConfigPreemptibleWorkerConfig

In an attempt to avoid allowing empty blocks in config files, at least one of numInstances or diskConfig is now required on the clusterConfigPreemptibleWorkerConfig block.

At least one of zone, network, subnetwork, tags, serviceAccount, serviceAccountScopes, internalIpOnly or metadata is now required on googleDataprocClusterClusterConfigGceClusterConfig

In an attempt to avoid allowing empty blocks in config files, at least one of zone, network, subnetwork, tags, serviceAccount, serviceAccountScopes, internalIpOnly or metadata is now required on the gceClusterConfig block.

At least one of numInstances, imageUri, machineType, minCpuPlatform, diskConfig, or accelerators is now required on googleDataprocClusterClusterConfigMasterConfig and googleDataprocClusterClusterConfigWorkerConfig

In an attempt to avoid allowing empty blocks in config files, at least one of numInstances, imageUri, machineType, minCpuPlatform, diskConfig, or accelerators is now required on the clusterConfigMasterConfig and clusterConfigWorkerConfig blocks.

At least one of numLocalSsds, bootDiskSizeGb or bootDiskType is now required on googleDataprocClusterClusterConfigPreemptibleWorkerConfigDiskConfig, googleDataprocClusterClusterConfigMasterConfigDiskConfig and googleDataprocClusterClusterConfigWorkerConfigDiskConfig

In an attempt to avoid allowing empty blocks in config files, at least one of numLocalSsds, bootDiskSizeGb or bootDiskType is now required on the clusterConfigPreemptibleWorkerConfigDiskConfig, clusterConfigMasterConfigDiskConfig and clusterConfigWorkerConfigDiskConfig blocks.

policyUri is now required on googleDataprocClusterAutoscalingConfig block.

In an attempt to avoid allowing empty blocks in config files, policyUri is now required on the autoscalingConfig block.

Resource: googleDataprocJob

At least one of queryFileUri or queryList is now required on hiveConfig, pigConfig, and sparksqlConfig

In an attempt to avoid allowing empty blocks in config files, at least one of queryFileUri or queryList is now required on the hiveConfig, pigConfig, and sparksqlConfig blocks.

At least one of mainClass or mainJarFileUri is now required on googleDataprocJobSparkConfig and googleDataprocJobHadoopConfig

In an attempt to avoid allowing empty blocks in config files, at least one of mainClass or mainJarFileUri is now required on the sparkConfig and hadoopConfig blocks.

driverLogLevels is now required on loggingConfig blocks for pysparkConfig, hadoopConfig, sparkConfig, pigConfig, and sparksqlConfig.

In an attempt to avoid allowing empty blocks in config files, driverLogLevels is now required on pysparkConfig, hadoopConfig, sparkConfig, pigConfig, and sparksqlConfig blocks.

maxFailuresPerHour is now required on block googleDataprocJobScheduling

In an attempt to avoid allowing empty blocks in config files, maxFailuresPerHour is now required on the scheduling block.

Resource: googleDnsManagedZone

At least one of kind, nonExistence, state, or defaultKeySpecs is now required on googleDnsManagedZoneDnssecConfig

In an attempt to avoid allowing empty blocks in config files, at least one of kind, nonExistence, state, or defaultKeySpecs is now required on the dnssecConfig block.

targetNetwork is now required on block googleDnsManagedZonePeeringConfig

In an attempt to avoid allowing empty blocks in config files, targetNetwork is now required on the peeringConfig block.

networkUrl is now required on block googleDnsManagedZonePeeringConfigTargetNetwork

In an attempt to avoid allowing empty blocks in config files, networkUrl is now required on the peeringConfigTargetNetwork block.

targetNameServers is now required on block googleDnsManagedZoneForwardingConfig

In an attempt to avoid allowing empty blocks in config files, targetNameServers is now required on the forwardingConfig block.

ipv4Address is now required on block googleDnsManagedZoneForwardingConfigTargetNameServers

In an attempt to avoid allowing empty blocks in config files, ipv4Address is now required on the forwardingConfigTargetNameServers block.

networks is now required on block googleDnsManagedZonePrivateVisibilityConfig

In an attempt to avoid allowing empty blocks in config files, networks is now required on the privateVisibilityConfig block.

networkUrl is now required on block googleDnsManagedZonePrivateVisibilityConfigNetworks

In an attempt to avoid allowing empty blocks in config files, networkUrl is now required on the privateVisibilityConfigNetworks block.

Resource: googleDnsPolicy

networkUrl is now required on block googleDnsPolicyNetworks

In an attempt to avoid allowing empty blocks in config files, networkUrl is now required on the networks block.

targetNameServers is now required on block googleDnsPolicyAlternativeNameServerConfig

In an attempt to avoid allowing empty blocks in config files, targetNameServers is now required on the alternativeNameServerConfig block.

ipv4Address is now required on block googleDnsPolicyAlternativeNameServerConfigTargetNameServers

In an attempt to avoid allowing empty blocks in config files, ipv4Address is now required on the alternativeNameServerConfigTargetNameServers block.

Resource: googleFolderOrganizationPolicy

Exactly one of allow or deny is now required on googleFolderOrganizationPolicyListPolicy

In an attempt to avoid allowing empty blocks in config files, exactly one of allow or deny is now required on the listPolicy block.

Exactly one of all or values is now required on googleFolderOrganizationPolicyListPolicyAllow and googleFolderOrganizationPolicyListPolicyDeny

In an attempt to avoid allowing empty blocks in config files, exactly one of all or values is now required on the listPolicyAllow and listPolicyDeny blocks.

Resource: googleHealthcareHl7V2Store

At least one of allowNullHeader or segmentTerminator is now required on googleHealthcareHl7V2StoreParserConfig

In an attempt to avoid allowing empty blocks in config files, at least one of allowNullHeader or segmentTerminator is now required on the parserConfig block.

Resource: googleLoggingMetric

At least one of linearBuckets, exponentialBuckets or explicitBuckets is now required on googleLoggingMetricBucketOptions

In an attempt to avoid allowing empty blocks in config files, at least one of linearBuckets, exponentialBuckets or explicitBuckets is now required on the bucketOptions block.

At least one of numFiniteBuckets, width or offset is now required on googleLoggingMetricBucketOptionsLinearBuckets

In an attempt to avoid allowing empty blocks in config files, at least one of numFiniteBuckets, width or offset is now required on the bucketOptionsLinearBuckets block.

At least one of numFiniteBuckets, growthFactor or scale is now required on googleLoggingMetricBucketOptionsExponentialBuckets

In an attempt to avoid allowing empty blocks in config files, at least one of numFiniteBuckets, growthFactor or scale is now required on the bucketOptionsExponentialBuckets block.

bounds is now required on googleLoggingMetricBucketOptionsExplicitBuckets

In an attempt to avoid allowing empty blocks in config files, bounds is now required on the bucketOptionsExplicitBuckets block.

Resource: googleMlengineModel

name is now required on googleMlengineModelDefaultVersion

In an attempt to avoid allowing empty blocks in config files, name is now required on the defaultVersion block.

Resource: googleMonitoringAlertPolicy

labels is now removed

labels is removed as it was never used. See userLabels for the correct field.

At least one of content or mimeType is now required on googleMonitoringAlertPolicyDocumentation

In an attempt to avoid allowing empty blocks in config files, at least one of content or mimeType is now required on the documentation block.

Resource: googleMonitoringUptimeCheckConfig

Exactly one of resourceGroup or monitoredResource is now required on googleMonitoringUptimeCheckConfig

In attempt to be more consistent with the API, exactly one of resourceGroup or monitoredResource is now required on googleMonitoringUptimeCheckConfig.

Exactly one of httpCheck or tcpCheck is now required on googleMonitoringUptimeCheckConfig

In attempt to be more consistent with the API, exactly one of httpCheck or tcpCheck is now required on googleMonitoringUptimeCheckConfig.

At least one of authInfo, port, headers, path, useSsl, or maskHeaders is now required on googleMonitoringUptimeCheckConfigHttpCheck

In an attempt to avoid allowing empty blocks in config files, at least one of authInfo, port, headers, path, useSsl, or maskHeaders is now required on the httpCheck block.

At least one of resourceType or groupId is now required on googleMonitoringUptimeCheckConfigResourceGroup

In an attempt to avoid allowing empty blocks in config files, at least one of resourceType or groupId is now required on the resourceGroup block.

content is now required on block googleMonitoringUptimeCheckConfigContentMatchers

In an attempt to avoid allowing empty blocks in config files, content is now required on the contentMatchers block.

username and password are now required on block googleMonitoringUptimeCheckConfigHttpCheckAuthInfo

In an attempt to avoid allowing empty blocks in config files, username and password are now required on the httpCheckAuthInfo block.

isInternal and internalChecker are now removed

isInternal and internalChecker never worked, and are now removed.

Resource: googleOrganizationPolicy

Exactly one of allow or deny is now required on googleOrganizationPolicyListPolicy

In an attempt to avoid allowing empty blocks in config files, exactly one of allow or deny is now required on the listPolicy block.

Exactly one of all or values is now required on googleOrganizationPolicyListPolicyAllow and googleOrganizationPolicyListPolicyDeny

In an attempt to avoid allowing empty blocks in config files, exactly one of all or values is now required on the listPolicyAllow and listPolicyDeny blocks.

Resource: googleProjectIamAuditConfig

Audit configs are now authoritative on create

Audit configs are now authoritative on create, rather than being merged with the configs already present on the project. Writing an audit config resource will now overwrite any existing audit configs on the given project. Before applying, compare the plan with the auditConfigs section of the project's current IAM policy so that audit logging enabled out of band is not silently dropped.

Resource: googleProjectOrganizationPolicy

Exactly one of allow or deny is now required on googleProjectOrganizationPolicyListPolicy

In an attempt to avoid allowing empty blocks in config files, exactly one of allow or deny is now required on the listPolicy block.

Exactly one of all or values is now required on googleProjectOrganizationPolicyListPolicyAllow and googleProjectOrganizationPolicyListPolicyDeny

In an attempt to avoid allowing empty blocks in config files, exactly one of all or values is now required on the listPolicyAllow and listPolicyDeny blocks.

Resource: googleProjectService

bigqueryJsonGoogleapisCom service can no longer be specified

bigqueryJsonGoogleapisCom is being renamed to bigqueryGoogleapisCom in the upstream API. As a result, bigqueryJsonGoogleapisCom has been disallowed. Instead, please use bigqueryGoogleapisCom. The provider will automatically convert between them as the upstream API migration continues.

Resource: googleProjectServices

googleProjectServices has been removed from the provider

The googleProjectServices resource was authoritative over the list of GCP services enabled on a project, so that services not explicitly set would be removed by Terraform.

However, this was dangerous to use in practice. Services have dependencies that are automatically enabled alongside them, and GCP will add dependencies to services out of band, enabling them. If a user ran Terraform after this, Terraform would disable the service, and implicitly disable any service that relied on it.

The googleProjectService resource is a much better match for most users' intent, managing a single service at a time. Setting several googleProjectService resources is an assertion that "these services are set on this project", while googleProjectServices was an assertion that "only these services are set on this project".

Users should migrate to using googleProjectService resources, or using the "terraform-google-modules/project-factory/google//modules/project_services" module for a similar interface to googleProjectServices.

-> Prior to 2.13.0, each googleProjectService sent separate API enablement requests. From 2.13.0 onwards, those requests are batched on write, and from 2.20.0 onwards, batched on read. It's recommended that you upgrade to 2.13.0+ before migrating if you encounter write quota issues, or 2.20.0+ before migrating if you encounter read quota issues when you migrate off googleProjectServices.

Old Config

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// google_project_services only exists in 2.X provider bindings; cdktf attribute
// names are camelCase.
new google.projectServices.ProjectServices(this, "project", {
  disableOnDestroy: false,
  project: "your-project-id",
  services: ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
});

New Config (module)

import * as ProjectServices from "./.gen/modules/terraform-google-modules/google/project-factory/modules/project_services";
new ProjectServices.ProjectServices(this, "project_services", {
  activateApis: ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
  disableDependentServices: false,
  disableServicesOnDestroy: false,
  projectId: "your-project-id",
});

New Config (google_project_service)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
// One google_project_service per service. The loop runs in TypeScript rather than
// as a Terraform for_each; each construct id must be unique, so the dots in the
// service name are replaced to keep the generated resource names readable.
const services = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"];
for (const service of services) {
  new google.projectService.ProjectService(this, `service-${service.replace(/\./g, "-")}`, {
    disableOnDestroy: false,
    project: "your-project-id",
    service,
  });
}

Resource: googlePubsubSubscription

name must now be a short name

name previously could have been specified by a long name (e.g. projects/myProject/subscriptions/mySubscription) or a short name (e.g. mySubscription). name now must be the short name.

ttl is now required on googlePubsubSubscriptionExpirationPolicy

Previously, an empty expirationPolicy block would allow the resource to never expire. In an attempt to avoid allowing empty blocks in config files, ttl is now required on the expirationPolicy block. ttl should be set to "" for the resource to never expire.

Resource: googleSecurityScannerScanConfig

At least one of googleAccount or customAccount is now required on googleSecurityScannerScanConfigAuthentication

In an attempt to avoid allowing empty blocks in config files, at least one of googleAccount or customAccount is now required on the authentication block.

Resource: googleServiceAccountKey

pgpKey, privateKeyFingerprint, and privateKeyEncrypted are now removed

googleServiceAccountKey previously supported encrypting the private key with a supplied PGP key. This is no longer supported and has been removed as functionality. State should instead be treated as sensitive, and ideally encrypted using a remote state backend.

This will require re-provisioning your service account key, unfortunately. There is no known alternative at this time.
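Since the private key now lives unencrypted in state, a quick check that lists which state resources carry one helps confirm the state file is being handled as a secret. The following is an added example, not code from the guide or the provider; `sampleState` is a constructed state document in the Terraform 0.12+ JSON format, not a real state file.

```typescript
// Added example, not code from the provider or this guide: with pgp_key gone, the
// private key of each google_service_account_key sits in Terraform state in the
// clear, so this check lists the state resources that carry one before the state
// file is committed or shared. It reads the Terraform 0.12+ JSON state format.
interface StateInstance { attributes?: { [k: string]: unknown } }
interface StateResource {
  mode: string; type: string; name: string; module?: string; instances: StateInstance[];
}
interface TerraformState { version: number; resources?: StateResource[] }

/** Addresses of google_service_account_key resources whose state holds a private key. */
export function findPlaintextKeys(stateJson: string): string[] {
  const state = JSON.parse(stateJson) as TerraformState;
  const hits: string[] = [];
  for (const r of state.resources || []) {
    if (r.mode !== "managed" || r.type !== "google_service_account_key") continue;
    for (const inst of r.instances) {
      // private_key holds the base64-encoded key material; only a non-empty
      // string counts, so a resource with an empty attribute is not reported.
      const attrs: { [k: string]: unknown } = inst.attributes || {};
      const key = attrs["private_key"];
      if (typeof key === "string" && key.length > 0) {
        hits.push((r.module ? r.module + "." : "") + r.type + "." + r.name);
        break;
      }
    }
  }
  return hits;
}

// Constructed sample state (not a real state file): one key with material, one
// with an empty private_key attribute, and an unrelated resource.
export const sampleState = JSON.stringify({
  version: 4,
  resources: [
    { mode: "managed", type: "google_service_account_key", name: "deployer",
      instances: [{ attributes: { private_key: "PLACEHOLDER-BASE64-KEY", public_key: "PLACEHOLDER" } }] },
    { mode: "managed", type: "google_service_account_key", name: "ci", module: "module.ci",
      instances: [{ attributes: { private_key: "", public_key: "PLACEHOLDER" } }] },
    { mode: "managed", type: "google_service_account", name: "deployer",
      instances: [{ attributes: { email: "deployer@example-project.iam.gserviceaccount.com" } }] },
  ],
});
```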

Resource: googleSqlDatabaseInstance

At least one of caCertificate, clientCertificate, clientKey, connectRetryInterval, dumpFilePath, failoverTarget, masterHeartbeatPeriod, password, sslCipher, username, or verifyServerCertificate is now required on googleSqlDatabaseInstanceSettingsReplicaConfiguration

In an attempt to avoid allowing empty blocks in config files, at least one of caCertificate, clientCertificate, clientKey, connectRetryInterval, dumpFilePath, failoverTarget, masterHeartbeatPeriod, password, sslCipher, username, or verifyServerCertificate is now required on the settingsReplicaConfiguration block.

At least one of cert, commonName, createTime, expirationTime, or sha1Fingerprint is now required on googleSqlDatabaseInstanceSettingsServerCaCert

In an attempt to avoid allowing empty blocks in config files, at least one of cert, commonName, createTime, expirationTime, or sha1Fingerprint is now required on the settingsServerCaCert block.

At least one of day, hour, or updateTrack is now required on googleSqlDatabaseInstanceSettingsMaintenanceWindow

In an attempt to avoid allowing empty blocks in config files, at least one of day, hour, or updateTrack is now required on the settingsMaintenanceWindow block.

At least one of binaryLogEnabled, enabled, startTime, or location is now required on googleSqlDatabaseInstanceSettingsBackupConfiguration

In an attempt to avoid allowing empty blocks in config files, at least one of binaryLogEnabled, enabled, startTime, or location is now required on the settingsBackupConfiguration block.

At least one of authorizedNetworks, ipv4Enabled, requireSsl, or privateNetwork is now required on googleSqlDatabaseInstanceSettingsIpConfiguration

In an attempt to avoid allowing empty blocks in config files, at least one of authorizedNetworks, ipv4Enabled, requireSsl, or privateNetwork is now required on the settingsIpConfiguration block.

name and value are now required on block googleSqlDatabaseInstanceSettingsDatabaseFlags

In an attempt to avoid allowing empty blocks in config files, name and value are now required on the settingsDatabaseFlags block.

value is now required on block googleSqlDatabaseInstanceSettingsIpConfigurationAuthorizedNetworks

In an attempt to avoid allowing empty blocks in config files, value is now required on the settingsIpConfigurationAuthorizedNetworks block.

zone is now required on block googleSqlDatabaseInstanceSettingsLocationPreference

In an attempt to avoid allowing empty blocks in config files, zone is now required on the settingsLocationPreference block.

Resource: googleStorageBucket

enabled is now required on block googleStorageBucketVersioning

Previously the default value of enabled was false. In an attempt to avoid allowing empty blocks in config files, enabled is now required on the versioning block.

At least one of mainPageSuffix or notFoundPage is now required on googleStorageBucketWebsite

In an attempt to avoid allowing empty blocks in config files, at least one of mainPageSuffix or notFoundPage is now required on the website block.

At least one of minTimeElapsedSinceLastModification, maxTimeElapsedSinceLastModification, includePrefixes, or excludePrefixes is now required on googleStorageTransferJobTransferSpecObjectConditions

In an attempt to avoid allowing empty blocks in config files, at least one of minTimeElapsedSinceLastModification, maxTimeElapsedSinceLastModification, includePrefixes, or excludePrefixes is now required on the transferSpecObjectConditions block.

isLive is now removed

Please use withState instead, as isLive is now removed.

Resource: googleStorageTransferJob

At least one of overwriteObjectsAlreadyExistingInSink, deleteObjectsUniqueInSink, or deleteObjectsFromSourceAfterTransfer is now required on googleStorageTransferJobTransferSpecTransferOptions

In an attempt to avoid allowing empty blocks in config files, at least one of overwriteObjectsAlreadyExistingInSink, deleteObjectsUniqueInSink, or deleteObjectsFromSourceAfterTransfer is now required on the transferSpecTransferOptions block.

At least one of gcsDataSource, awsS3DataSource, or httpDataSource is now required on googleStorageTransferJobTransferSpec

In an attempt to avoid allowing empty blocks in config files, at least one of gcsDataSource, awsS3DataSource, or httpDataSource is now required on the transferSpec block.

Resource: googleTpuNode

preemptible is now required on block googleTpuNodeSchedulingConfig

In an attempt to avoid allowing empty blocks in config files, preemptible is now required on the schedulingConfig block.