chore: upgrade modules to terraform provider v6

Author: daniel-cit

0-bootstrap/README.md

@@ -361,6 +361,7 @@ Each step has instructions for this change.
 | default\_region\_2 | Secondary default region to create resources where applicable. | `string` | `"us-west1"` | no |
 | default\_region\_gcs | Case-Sensitive default region to create gcs resources where applicable. | `string` | `"US"` | no |
 | default\_region\_kms | Secondary default region to create kms resources where applicable. | `string` | `"us"` | no |
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | groups | Contain the details of the Groups to be created. | <pre>object({<br>    create_required_groups = optional(bool, false)<br>    create_optional_groups = optional(bool, false)<br>    billing_project        = optional(string, null)<br>    required_groups = object({<br>      group_org_admins     = string<br>      group_billing_admins = string<br>      billing_data_users   = string<br>      audit_data_users     = string<br>    })<br>    optional_groups = optional(object({<br>      gcp_security_reviewer    = optional(string, "")<br>      gcp_network_viewer       = optional(string, "")<br>      gcp_scc_admin            = optional(string, "")<br>      gcp_global_secrets_admin = optional(string, "")<br>      gcp_kms_admin            = optional(string, "")<br>    }), {})<br>  })</pre> | n/a | yes |
 | initial\_group\_config | Define the group configuration when it is initialized. Valid values are: WITH\_INITIAL\_OWNER, EMPTY and INITIAL\_GROUP\_CONFIG\_UNSPECIFIED. | `string` | `"WITH_INITIAL_OWNER"` | no |

0-bootstrap/main.tf

@@ -35,8 +35,9 @@ locals {
 }
 
 resource "google_folder" "bootstrap" {
-  display_name = "${var.folder_prefix}-bootstrap"
-  parent       = local.parent
+  display_name        = "${var.folder_prefix}-bootstrap"
+  parent              = local.parent
+  deletion_protection = var.folder_deletion_protection
 }
 
 module "seed_bootstrap" {

0-bootstrap/variables.tf

@@ -96,6 +96,12 @@ variable "project_deletion_policy" {
   default     = "PREVENT"
 }
 
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}
+
 /* ----------------------------------------
     Specific to Groups creation
    ---------------------------------------- */

1-org/envs/shared/README.md

@@ -12,6 +12,7 @@
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | gcp\_groups | Groups to grant specific roles in the Organization.<br>  platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.<br>  security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security<br>  network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.<br>  scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.<br>  audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.<br>  global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage | <pre>object({<br>    audit_viewer         = optional(string, null)<br>    security_reviewer    = optional(string, null)<br>    network_viewer       = optional(string, null)<br>    scc_admin            = optional(string, null)<br>    global_secrets_admin = optional(string, null)<br>    kms_admin            = optional(string, null)<br>  })</pre> | `{}` | no |
 | log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
 | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |

1-org/envs/shared/folders.tf

@@ -19,11 +19,13 @@
  *****************************************/
 
 resource "google_folder" "common" {
-  display_name = "${local.folder_prefix}-common"
-  parent       = local.parent
+  display_name        = "${local.folder_prefix}-common"
+  parent              = local.parent
+  deletion_protection = var.folder_deletion_protection
 }
 
 resource "google_folder" "network" {
-  display_name = "${local.folder_prefix}-network"
-  parent       = local.parent
+  display_name        = "${local.folder_prefix}-network"
+  parent              = local.parent
+  deletion_protection = var.folder_deletion_protection
 }

1-org/envs/shared/variables.tf

@@ -199,3 +199,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

2-environments/envs/development/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |

2-environments/envs/development/main.tf

@@ -22,5 +22,6 @@ module "env" {
   remote_state_bucket = var.remote_state_bucket
   tfc_org_name        = var.tfc_org_name
 
-  project_deletion_policy = var.project_deletion_policy
+  project_deletion_policy    = var.project_deletion_policy
+  folder_deletion_protection = var.folder_deletion_protection
 }

2-environments/envs/development/variables.tf

@@ -30,3 +30,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

2-environments/envs/nonproduction/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |

2-environments/envs/nonproduction/main.tf

@@ -22,5 +22,6 @@ module "env" {
   remote_state_bucket = var.remote_state_bucket
   tfc_org_name        = var.tfc_org_name
 
-  project_deletion_policy = var.project_deletion_policy
+  project_deletion_policy    = var.project_deletion_policy
+  folder_deletion_protection = var.folder_deletion_protection
 }

2-environments/envs/nonproduction/variables.tf

@@ -30,3 +30,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

2-environments/envs/production/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |

2-environments/envs/production/main.tf

@@ -22,7 +22,8 @@ module "env" {
   remote_state_bucket = var.remote_state_bucket
   tfc_org_name        = var.tfc_org_name
 
-  project_deletion_policy = var.project_deletion_policy
+  project_deletion_policy    = var.project_deletion_policy
+  folder_deletion_protection = var.folder_deletion_protection
 
   assured_workload_configuration = {
     enabled           = false

2-environments/envs/production/variables.tf

@@ -31,3 +31,8 @@ variable "project_deletion_policy" {
   default     = "PREVENT"
 }
 
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

2-environments/modules/env_baseline/README.md

@@ -6,6 +6,7 @@
 | assured\_workload\_configuration | Assured Workload configuration. See https://cloud.google.com/assured-workloads ."<br>  enabled: If the assured workload should be created.<br>  location: The location where the workload will be created.<br>  display\_name: User-assigned resource display name.<br>  compliance\_regime: Supported Compliance Regimes. See https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/ComplianceRegime .<br>  resource\_type: The type of resource. One of CONSUMER\_FOLDER, KEYRING, or ENCRYPTION\_KEYS\_PROJECT. | <pre>object({<br>    enabled           = optional(bool, false)<br>    location          = optional(string, "us-central1")<br>    display_name      = optional(string, "FEDRAMP-MODERATE")<br>    compliance_regime = optional(string, "FEDRAMP_MODERATE")<br>    resource_type     = optional(string, "CONSUMER_FOLDER")<br>  })</pre> | `{}` | no |
 | env | The environment to prepare (ex. development) | `string` | n/a | yes |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes |
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    secret_budget_amount                        = optional(number, 1000)<br>    secret_alert_spent_percents                 = optional(list(number), [1.2])<br>    secret_alert_pubsub_topic                   = optional(string, null)<br>    secret_budget_alert_spend_basis             = optional(string, "FORECASTED_SPEND")<br>    kms_budget_amount                           = optional(number, 1000)<br>    kms_alert_spent_percents                    = optional(list(number), [1.2])<br>    kms_alert_pubsub_topic                      = optional(string, null)<br>    kms_budget_alert_spend_basis                = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
 | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |

2-environments/modules/env_baseline/folders.tf

@@ -19,8 +19,9 @@
 *****************************************/
 
 resource "google_folder" "env" {
-  display_name = "${local.folder_prefix}-${var.env}"
-  parent       = local.parent
+  display_name        = "${local.folder_prefix}-${var.env}"
+  parent              = local.parent
+  deletion_protection = var.folder_deletion_protection
 }
 
 resource "time_sleep" "wait_60_seconds" {

2-environments/modules/env_baseline/variables.tf

@@ -87,3 +87,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

4-projects/business_unit_1/development/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | gcs\_custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | `null` | no |
 | instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `null` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `null` | no |

4-projects/business_unit_1/development/main.tf

@@ -35,4 +35,5 @@ module "env" {
   subnet_region                = coalesce(var.instance_region, local.default_region)
   subnet_ip_range              = "10.3.64.0/21"
   project_deletion_policy      = var.project_deletion_policy
+  folder_deletion_protection   = var.folder_deletion_protection
 }

4-projects/business_unit_1/development/variables.tf

@@ -62,3 +62,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

4-projects/business_unit_1/nonproduction/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | gcs\_custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | `null` | no |
 | instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `null` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `null` | no |

4-projects/business_unit_1/nonproduction/main.tf

@@ -35,4 +35,5 @@ module "env" {
   subnet_region                = coalesce(var.instance_region, local.default_region)
   subnet_ip_range              = "10.3.128.0/21"
   project_deletion_policy      = var.project_deletion_policy
+  folder_deletion_protection   = var.folder_deletion_protection
 }

4-projects/business_unit_1/nonproduction/variables.tf

@@ -62,3 +62,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

4-projects/business_unit_1/production/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | gcs\_custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | `null` | no |
 | instance\_region | Region which the peered subnet will be created (Should be same region as the VM that will be created on step 5-app-infra on the peering project). | `string` | `null` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `null` | no |

4-projects/business_unit_1/production/main.tf

@@ -35,4 +35,5 @@ module "env" {
   subnet_region                = coalesce(var.instance_region, local.default_region)
   subnet_ip_range              = "10.3.192.0/21"
   project_deletion_policy      = var.project_deletion_policy
+  folder_deletion_protection   = var.folder_deletion_protection
 }

4-projects/business_unit_1/production/variables.tf

@@ -62,3 +62,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

4-projects/modules/base_env/README.md

@@ -7,6 +7,7 @@
 | business\_unit | The business (ex. business\_unit\_1). | `string` | n/a | yes |
 | env | The environment to prepare (ex. development). | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"bkt"` | no |
 | gcs\_custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | n/a | yes |

4-projects/modules/base_env/business_unit_folder.tf

@@ -19,6 +19,7 @@ locals {
 }
 
 resource "google_folder" "env_business_unit" {
-  display_name = local.env_business_unit_folder_name
-  parent       = local.env_folder_name
+  display_name        = local.env_business_unit_folder_name
+  parent              = local.env_folder_name
+  deletion_protection = var.folder_deletion_protection
 }

4-projects/modules/base_env/variables.tf

@@ -186,3 +186,9 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

helpers/foundation-deployer/global.tfvars.example

@@ -27,6 +27,8 @@ foundation_code_path = "FULL_PATH_TO_FOLDER_WHERE_THE_EXAMPLE_FOUNDATION_CODE_WA
 // See https://cloud.google.com/sdk/gcloud/reference/config/set#EXAMPLES
 validator_project_id = "EXISTING_PROJECT_ID"
 
+project_deletion_policy    = "DELETE"
+folder_deletion_protection = false
 
 // 0-bootstrap inputs
 // https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md#inputs