Update hashicorp/google-beta requirement from >= 5.9.0, < 6 to >= 5.9.0, < 7 in /examples/complete-example #18

Open: wants to merge 1 commit into base master

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Sep 9, 2024

Updates the requirements on hashicorp/google-beta to permit the latest version.

Release notes

Sourced from hashicorp/google-beta's releases.

v6.2.0

FEATURES:

  • New Data Source: google_certificate_manager_certificates (#8099)
  • New Resource: google_backup_dr_backup_vault (#8083)
  • New Resource: google_scc_v2_folder_scc_big_query_export (#8079)
  • New Resource: google_scc_v2_project_scc_big_query_export (#8070)

IMPROVEMENTS:

  • assuredworkload: added field partner_service_billing_account to google_assured_workloads_workload (#8097)
  • bigtable: added support for column_family.type in google_bigtable_table (#8069)
  • cloudrunv2: added template.service_mesh to google_cloud_run_v2_service (#8096)
  • compute: added boot_disk.interface field to google_compute_instance resource (#8075)
  • container: added node_pool_auto_config.node_kublet_config.insecure_kubelet_readonly_port_enabled field to google_container_cluster. (#8076)
  • container: added insecure_kubelet_readonly_port_enabled to node_pool.node_config.kubelet_config and node_config.kubelet_config in google_container_node_pool resource. (#8071)
  • container: added insecure_kubelet_readonly_port_enabled to node_pool_defaults.node_config_defaults, node_pool.node_config.kubelet_config, and node_config.kubelet_config in google_container_cluster resource. (#8071)
  • container: added support for in-place updates for google_compute_node_pool.node_config.gcfs_config and google_container_cluster.node_config.gcfs_cluster and google_container_cluster.node_pool.node_config.gcfs_cluster (#8101)
  • iambeta: added x509 field to google_iam_workload_identity_pool_provider resource (#8110)
  • networkconnectivity: added include_export_ranges to google_network_connectivity_spoke (#8088)
  • pubsub: added cloud_storage_config.max_messages and cloud_storage_config.avro_config.use_topic_schema fields to google_pubsub_subscription resource (#8086)
  • redis: added the maintenance_policy field to the google_redis_cluster resource (#8087)
  • resourcemanager: added tags field to google_project to allow setting tags for projects at creation time (#8091)
  • securitycenter: added support for empty streaming_config.filter values in google_scc_notification_config resources (#8105)

BUG FIXES:

  • compute: fixed google_compute_interconnect to support correct available_features option of IF_MACSEC (#8082)
  • compute: fixed a bug where advertised_route_priority was accidentally set to 0 during updates in google_compute_router_peer (#8102)
  • compute: fixed a permadiff caused by setting start_time in an incorrect H:mm format in google_compute_resource_policies resources (#8067)
  • compute: fixed network_interface.subnetwork_project validation to match with the project in network_interface.subnetwork field when network_interface.subnetwork has full self_link in google_compute_instance resource (#8089)
  • kms: updated the google_kms_autokey_config resource's folder field to accept values that are either full resource names (folders/{folder_id}) or just the folder id ({folder_id} only) (#8100)
  • storage: added retry support for 429 errors in google_storage_bucket resource (#8092)

Changelog

Sourced from hashicorp/google-beta's changelog.

6.2.0 (September 9, 2024)

FEATURES:

  • New Data Source: google_certificate_manager_certificates (#8099)
  • New Resource: google_backup_dr_backup_vault (#8083)
  • New Resource: google_scc_v2_folder_scc_big_query_export (#8079)
  • New Resource: google_scc_v2_project_scc_big_query_export (#8070)

IMPROVEMENTS:

  • assuredworkload: added field partner_service_billing_account to google_assured_workloads_workload (#8097)
  • bigtable: added support for column_family.type in google_bigtable_table (#8069)
  • cloudrunv2: added template.service_mesh to google_cloud_run_v2_service (#8096)
  • compute: added boot_disk.interface field to google_compute_instance resource (#8075)
  • container: added node_pool_auto_config.node_kublet_config.insecure_kubelet_readonly_port_enabled field to google_container_cluster. (#8076)
  • container: added insecure_kubelet_readonly_port_enabled to node_pool.node_config.kubelet_config and node_config.kubelet_config in google_container_node_pool resource. (#8071)
  • container: added insecure_kubelet_readonly_port_enabled to node_pool_defaults.node_config_defaults, node_pool.node_config.kubelet_config, and node_config.kubelet_config in google_container_cluster resource. (#8071)
  • container: added support for in-place updates for google_compute_node_pool.node_config.gcfs_config and google_container_cluster.node_config.gcfs_cluster and google_container_cluster.node_pool.node_config.gcfs_cluster (#8101)
  • iambeta: added x509 field to google_iam_workload_identity_pool_provider resource (#8110)
  • networkconnectivity: added include_export_ranges to google_network_connectivity_spoke (#8088)
  • pubsub: added cloud_storage_config.max_messages and cloud_storage_config.avro_config.use_topic_schema fields to google_pubsub_subscription resource (#8086)
  • redis: added the maintenance_policy field to the google_redis_cluster resource (#8087)
  • resourcemanager: added tags field to google_project to allow setting tags for projects at creation time (#8091)
  • securitycenter: added support for empty streaming_config.filter values in google_scc_notification_config resources (#8105)

BUG FIXES:

  • compute: fixed google_compute_interconnect to support correct available_features option of IF_MACSEC (#8082)
  • compute: fixed a bug where advertised_route_priority was accidentally set to 0 during updates in google_compute_router_peer (#8102)
  • compute: fixed a permadiff caused by setting start_time in an incorrect H:mm format in google_compute_resource_policies resources (#8067)
  • compute: fixed network_interface.subnetwork_project validation to match with the project in network_interface.subnetwork field when network_interface.subnetwork has full self_link in google_compute_instance resource (#8089)
  • kms: updated the google_kms_autokey_config resource's folder field to accept values that are either full resource names (folders/{folder_id}) or just the folder id ({folder_id} only) (#8100)
  • storage: added retry support for 429 errors in google_storage_bucket resource (#8092)

6.1.0 (September 4, 2024)

FEATURES:

  • New Data Source: google_kms_crypto_key_latest_version (#8032)
  • New Data Source: google_kms_crypto_key_versions (#8026)

IMPROVEMENTS:

  • databasemigrationservice: added support in google_database_migration_service_connection_profile for creating DMS connection profiles that link to existing Cloud SQL instances/AlloyDB clusters. (#8062)
  • alloydb: added subscription_type and trial_metadata field to google_alloydb_cluster resource (#8042)
  • bigquery: added encryption_configuration field to google_bigquery_data_transfer_config resource (#8045)
  • bigqueryanalyticshub: added selected_resources, and restrict_direct_table_access to google_bigquery_analytics_hub_listing resource (#8029)
  • bigqueryanalyticshub: added sharing_environment_config to google_bigquery_analytics_hub_data_exchange resource (#8029)
  • cloudtasks: added http_target field to google_cloud_tasks_queue resource (#8033)
  • compute: added accelerators field to google_compute_node_template resource (#8063)
  • compute: allowed disabling server_tls_policy during update in google_compute_target_https_proxy resources (#8023)
  • datastream: added transaction_logs and change_tables to datastream_stream resource (#8031)
  • discoveryengine: added chunking_config and layout_parsing_config fields to google_discovery_engine_data_store resource (#8049)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

….0, < 7

Updates the requirements on [hashicorp/google-beta](https://github.com/hashicorp/terraform-provider-google-beta) to permit the latest version.
- [Release notes](https://github.com/hashicorp/terraform-provider-google-beta/releases)
- [Changelog](https://github.com/hashicorp/terraform-provider-google-beta/blob/main/CHANGELOG.md)
- [Commits](hashicorp/terraform-provider-google-beta@v5.9.0...v6.2.0)

---
updated-dependencies:
- dependency-name: hashicorp/google-beta
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Sep 9, 2024
dependabot[bot] (Contributor, Author) commented on behalf of github, Sep 9, 2024

Dependabot tried to add @approvers as a reviewer to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/clouddrove/terraform-gcp-gke/pulls/18/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the clouddrove/terraform-gcp-gke repository. // See: https://docs.github.com/rest/pulls/review-requests#request-reviewers-for-a-pull-request

@anmolnagpal (Contributor)

Terraform Security Scan Failed

Result #1 HIGH Cluster pod security policy is not enforced. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    6      provider = google-beta
    7
    8      name            = var.name
    9      description     = var.description
   10      project         = var.project_id
   11      resource_labels = var.cluster_resource_labels
   12
   13      location            = local.location
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enforce-pod-security-policy
      Impact Pods could be operating with more permissions than required to be effective
  Resolution Use security policies for pods to restrict permissions to those needed to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enforce-pod-security-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#pod_security_policy_config
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Cluster does not have master authorized networks enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    6      provider = google-beta
    7
    8      name            = var.name
    9      description     = var.description
   10      project         = var.project_id
   11      resource_labels = var.cluster_resource_labels
   12
   13      location            = local.location
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-master-networks
      Impact Unrestricted network access to the master
  Resolution Enable master authorized networks

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-master-networks/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster has legacy metadata endpoints enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:578-728
────────────────────────────────────────────────────────────────────────────────
  501    resource "google_container_node_pool" "pools" {
  ...
  578      node_config {
  579        image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
  580        machine_type     = lookup(each.value, "machine_type", "e2-medium")
  581        min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
  582        dynamic "gcfs_config" {
  583          for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
  584          content {
  ...
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-metadata-endpoints-disabled
      Impact Legacy metadata endpoints don't require metadata headers
  Resolution Disable legacy metadata endpoints

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/metadata-endpoints-disabled/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Cluster does not have a network policy enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:23
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   23  [       enabled  = network_policy.value.enabled (false)
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-network-policy
      Impact Unrestricted inter-cluster communication
  Resolution Enable network policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-network-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Cluster does not have private nodes. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5  ┌ resource "google_container_cluster" "primary" {
    6  │   provider = google-beta
    7  │
    8  │   name            = var.name
    9  │   description     = var.description
   10  │   project         = var.project_id
   11  │   resource_labels = var.cluster_resource_labels
   12  │
   13  └   location            = local.location
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-private-cluster
      Impact Nodes may be exposed to the public internet
  Resolution Enable private cluster

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-private-cluster/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Cluster does not use GCE resource labels. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:11
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   11  [   resource_labels = var.cluster_resource_labels
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-cluster-labels
      Impact Asset management can be limited/more difficult
  Resolution Set cluster resource labels

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-cluster-labels/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             265.754µs
  parsing              35.963517ms
  adaptation           297.637µs
  checks               9.308966ms
  total                45.835874ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     188
  files read           11

  results
  ──────────────────────────────────────────
  passed               16
  ignored              0
  critical             0
  high                 3
  medium               2
  low                  1

  16 passed, 6 potential problem(s) detected.
