v37.0.0-rc2

This release fixes some minor issues in the previous release candidate, and expands on FAST support for add-ons.

FAST

• [#2821] FAST SWP networking add-on, refactor CAS module interface (ludoo)
• [#2818] Top level folder factory support for automation SA IAM (sruffilli)
• [#2817] Fix permadiff in stage 0 vpc-sc service account, add schemas to hierarchical policy YAML files (ludoo)
• [#2815] [FAST] Add missing permission to ngfwEnterprise org (LucaPrete)
• [#2813] feat: restructure how var files are provided to workflow templates (Liam-Johnston)
• [#2810] Small fixes and improvements to FAST netsec/net (ludoo)
• [#2800] Implement FAST stage add-ons, refactor netsec as add-on (ludoo)
• [#2801] Add optional support for fw policies via new vpc_configs variable, refactor factories variable in net stages (ludoo)
• [#2787] Leverage environments for folder and project creation in FAST resman and security (ludoo)

MODULES

• [#2821] incompatible change: FAST SWP networking add-on, refactor CAS module interface (ludoo)
• [#2820] incompatible change: Do not create service agent resources in project module for services not explicitly enabled (ludoo)

v37.0.0-rc1

This is a preview of the upcoming v37.0.0 release, containing breaking changes to FAST.

• [#2800] Implement FAST stage add-ons, refactor netsec as add-on (ludoo)
• [#2801] Add optional support for fw policies via new vpc_configs variable, refactor factories variable in net stages (ludoo)
• [#2787] Leverage environments for folder and project creation in FAST resman and security (ludoo)

v36.1.0

This release will be shortly followed by a release candidate for v37.0.0 containing the FAST changes, as has become our custom.

What's Changed

• Updating yaml naming in prod subnet folder to match other lifecycles by @mtndrew404 in #2733
• SWP module refactor by @ludoo in #2737
• Add basename to SWP policy rules factory by @LucaPrete in #2739
• Support switchover in alloydb module by @simonebruzzechesse in #2738
• Allow override of GKE Nodepool SA Display Name by @robrankin in #2734
• Add support for secret manager config to gke cluster modules by @ludoo in #2741
• Fix parent id lookup for networking and security in resource management stage by @ludoo in #2744
• Add optional automated MD5 generation to net-vlan-attachment module by @LucaPrete in #2745
• Bump path-to-regexp and express in /blueprints/gke/binauthz/image by @dependabot in #2749
• Add ability to autogenerate md5 keys in net-vpn-ha by @LucaPrete in #2748
• Bump path-to-regexp and express in /blueprints/apigee/apigee-x-foundations/functions/instance-monitor by @dependabot in #2752
• Add support for routing mode to net-swp module by @ludoo in #2751
• remove default location in tag value - cloud-run-v2 tags.tf by @Mattible in #2755
• Add path_template_match and path_template_rewrite support to net-lb-app-ext by @rosmo in #2718
• Add disk encyption key to the google_compute_instance_template - Sovereign support by @rune92 in #2750
• Add support for password validation policy to cloudsql module by @ludoo in #2740
• Add confidential compute support to google_dataproc_cluster module, bump provider versions by @steenblik in #2736
• Update net-vlan-attachment module readme by @LucaPrete in #2757
• Ignore ssl certificates if none are passed in net-lb-app-int module by @ludoo in #2764
• Refactor GKE cluster modules access configurations, add support for DNS endpoint by @ludoo in #2761
• Update issue templates by @juliocc in #2765
• Allow optional creation of billing resources in FAST boostrap stage by @ludoo in #2766
• Fix workspace logs sink in FAST bootstrap stage by @ludoo in #2767
• Support customizable resource names in FAST stage 0 by @ludoo in #2768
• Support customizable resource names to fast stage 1 by @ludoo in #2769
• Use separate versions.tofu for OpenTofu constraints by @wiktorn in #2771
• Fix for perma-diff when using PSC NEGs. by @wiktorn in #2772
• [FAST] Remove unused stage 1 CICD variables by @LucaPrete in #2774
• New BindPlane OP Management console on GKE SecOps blueprint by @simonebruzzechesse in #2721
• Add support for log views and log scopes by @juliocc in #2776
• Document tag_bindings definition as map(string) by @juliocc in #2777
• Fix failing tests for OpenTofu by @wiktorn in #2778
• Fix handling of SSL certificates in external load balancer modules by @rodriguezsergio in #2780
• Fix bindplane cos module by @simonebruzzechesse in #2781
• Update net-lb-app-ext security_settings variables by @wenzizone in #2783
• Fix validation message in cas module by @ludoo in #2784
• Make PSA connection more robust by @wiktorn in #2786
• Fix cycle in the autopilot-cluster blueprint by @wiktorn in #2790
• Fabric e2e fixes by @juliocc in #2791
• fix non-empty plan after apply for vertex mlops by @wiktorn in #2792
• Add docker image tag to bindplane config variable by @simonebruzzechesse in #2796
• ADR proposal for FAST add-on stages by @ludoo in #2798
• Add Alerts, Logging, Channels Factories by @joshw123 in #2758
• Added BGP priority variable for dedicated interconnect because it was… by @apichick in #2802
• New tool versions.py to manage versions.tf/tofu by @juliocc in #2803
• Bump golang.org/x/net from 0.23.0 to 0.33.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/restarter by @dependabot in #2807
• ASN should be optional in router_config variable as it is not necessa… by @apichick in #2806
• Add intercepting sinks to the organization and folder modules by @rshokati2 in #2799
• Bump golang.org/x/net from 0.23.0 to 0.33.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker by @dependabot in #2808

New Contributors

• @mtndrew404 made their first contribution in #2733
• @Mattible made their first contribution in #2755
• @rune92 made their first contribution in #2750
• @rodriguezsergio made their first contribution in #2780
• @wenzizone made their first contribution in #2783
• @rshokati2 made their first contribution in #2799

Full Changelog: v36.0.1...v36.1.0

v36.0.1

This release fixes an issue in FAST when using an organization-managed billing account, which was introduced in v36.0.0.

What's Changed

• Run tests and linting when pushing to master or fast-dev by @juliocc in #2730
• Add missing role to FAST stage 0 org-level delegated IAM grants by @ludoo in #2731

Full Changelog: v36.0.0...v36.0.1

v36.0.0

What's Changed

• Extend tests to fast-dev by @ludoo in #2646
• Refactor of FAST resource management and subsequent stages by @ludoo in #2648
• Final fixes for v36.0.0-rc1 by @ludoo in #2652
• Fix permadiff in bootstrap IAM by @ludoo in #2656
• Refactor changelog for the new release process by @ludoo in #2660
• Add missing roles to project factory ro SA in stage 1 by @ludoo in #2683
• Add missing billing roles to project factory ro SA in stage 1 by @ludoo in #2685
• Streamline environments variable across stages by @ludoo in #2688
• Make project iam viewer name consistent with GCP naming by @juliocc in #2694
• Unify usage of top level folders short_name by @juliocc in #2693
• Remove REGIONAL/MULTI_REGIONAL buckets from FAST by @juliocc in #2697
• Allow disabling network security stage by @juliocc in #2701
• Expose factories_config for resman top level folders by @juliocc in #2707
• Remove stale resman validation by @juliocc in #2714

Full Changelog: v35.1.0...v36.0.0

v35.1.0

What's Changed

• Add required enabled field introduced in Terraform version 5.41.0 by @jacobmammoliti in #2653
• fix Vertex-ML-Ops e2e tests by @wiktorn in #2631
• Migrate blueprints/data-solutions/vertex-mlops to google_workbench_instance by @wiktorn in #2632
• Fix Vertex MLOps blueprint by @wiktorn in #2659
• Update service agents spec by @juliocc in #2658
• New SecOps blueprints section and SecOps GKE Forwarder by @simonebruzzechesse in #2514
• add enable_object_retention argument by @kejti23 in #2657
• Update SWP by @LucaPrete in #2666
• SWP: remove condition from addresses variable and make it null by default by @LucaPrete in #2668
• Additional examples for Cloud Run and Cloud SQL by @wiktorn in #2669
• Fix the location of the GCS and NFS attributes by @wintermi in #2670
• bump modules/README github tag reference by @kaue in #2673
• Fix "inconsistent conditional result types" error in modules/vpc-sc by @joelvoss in #2676
• Swap groups_iam/iam_group for iam_by_principals in bootstrap README by @robrankin in #2680
• Keeping my contributor status :) by @drebes in #2681
• Add support for service account in pubsub module bigquery subscriptions by @ludoo in #2682
• Fix gcs & NFS mounts for cloud-run-v2 service by @wiktorn in #2686
• Fix initial user on secondary cluster issue by @simonebruzzechesse in #2687
• Fix examples for GCS mount by @wiktorn in #2692
• Fix E2E tests by @wiktorn in #2699
• Fix non-empty plan after mixing CloudSQL with other mounts by @wiktorn in #2700
• Move direct vpc out of BETA by @wiktorn in #2702
• Added outputs to apigee-x-foundations blueprint (instances and lbs) by @apichick in #2704
• Add Automation Service Accounts Output by @joshw123 in #2640
• Added outputs to apigee-x-foundations blueprint (PSC NEGs) by @apichick in #2705
• Allow providing network for Direct VPC access by @wiktorn in #2711
• Add hierarchical namespace support to GCS module by @juliocc in #2712
• add GPU options to compute-vm module by @ooshrioo in #2689
• Allow setting GCS location default/override in project factory by @ludoo in #2715
• Change tfdoc pre-commit hook script to use while read by @rosmo in #2717
• Add location to cert-manager issuance config and fix issuance config reference by @LucaPrete in #2720
• Add support for workload_metadata_config in Standard GKE clusters by @Tirthankar17 in #2716
• Fix not setting user defined password by @wiktorn in #2723
• Allow factory files to be empty by @LucaPrete in #2719
• Added min_instances, max_instances, min_throughput and max_throughtpu… by @apichick in #2706
• Fix typo on maintenance config by @simonebruzzechesse in #2727
• enable_private_path_for_google_cloud_services added to CloudSQL by @fulyagonultas in #2726

New Contributors

• @jacobmammoliti made their first contribution in #2653
• @wintermi made their first contribution in #2670
• @kaue made their first contribution in #2673
• @joelvoss made their first contribution in #2676
• @robrankin made their first contribution in #2680
• @ooshrioo made their first contribution in #2689
• @Tirthankar17 made their first contribution in #2716

Full Changelog: v35.0.0...v35.1.0

v36.0.0-rc1

This release implements several breaking changes and new features in FAST. Please refer to the FAST stage1 documentation and the FAST upgrading instructions for more details.

Release contents:

• [#2649] Final fixes for v36.0.0-rc1 (ludoo)
• [#2648] incompatible change: Refactor of FAST resource management and subsequent stages (ludoo)

v35.0.0

BLUEPRINTS

• [#2643] Add codespell to pre-commit (wiktorn)
• [#2629] Bump cookie and express in /blueprints/apigee/apigee-x-foundations/functions/instance-monitor (dependabot[bot])
• [#2623] Bump cookie and express in /blueprints/gke/binauthz/image (dependabot[bot])
• [#2609] Add support for bundling net monitoring tool in a Docker image, and deploying via CR Job (ludoo)
• [#2585] Apigee x foundations certificate manager (apichick)
• [#2584] README fixes to FAST docs (skalolazka)
• [#2574] Bump path-to-regexp and express in /blueprints/apigee/apigee-x-foundations/functions/instance-monitor (dependabot[bot])
• [#2573] Bump path-to-regexp and express in /blueprints/gke/binauthz/image (dependabot[bot])
• [#2536] incompatible change: Add support for google provider 6.x (sruffilli)

FAST

• [#2649] Clarify fast-dev purpose (juliocc)
• [#2643] Add codespell to pre-commit (wiktorn)
• [#2641] Adding DNS for GKE control plane to private google access APIs (aurelienlegrand)
• [#2630] [FAST] Fix stage 2 simple NVA wrong location - causing test failures (LucaPrete)
• [#2611] Add TFE integration for backend and CICD (lnesteroff)
• [#2620] added output for tfvars_globals (lnesteroff)
• [#2544] GCVE network mode for 2-networking-b-nva stage (eliamaldini)
• [#2616] Support log exclusions in FAST bootstrap log sinks (ludoo)
• [#2604] fixed tfe wif definition variables (lnesteroff)
• [#2600] FAST: Adds support for PSC transitivity to 2-a (sruffilli)
• [#2598] added terraform enterprise/hcp terraform def to wif providers (lnesteroff)
• [#2584] README fixes to FAST docs (skalolazka)
• [#2582] Make it explicit in FAST docs that stages need to be run once before CI/CD setup (ludoo)
• [#2581] Update FAST stage diagrams (ludoo)
• [#2579] FAST resman mt fixes (ludoo)
• [#2568] Update a few references from 3-project-factory to 2-project-factory (lyricnz)
• [#2558] Update variables.tf (eliamaldini)
• [#2564] Enables compute.setNewProjectDefaultToZonalDNSOnly and essentialcontacts.allowedContactDomains (sruffilli)
• [#2563] Update list of imported org policies (sruffilli)

MODULES

• [#2642] Reorganize ADRs and new versioning ADR (juliocc)
• [#2643] Add codespell to pre-commit (wiktorn)
• [#2645] feat(modules/secret-manager): add support for version_destroy_ttl (frits-v)
• [#2639] incompatible change: Add option to attach multiple snapshot schedule to disks (shujaatsscripts)
• [#2638] Fix ipv6 output in net-vpc module, add support for extra volumes in cloud run v2 module (ludoo)
• [#2625] Add Project Factory Logging Data Option (joshw123)
• [#2617] fix(artifact-registry): fix a move issue with tf>1.7 (NitriKx)
• [#2608] Additional job attributes in cloud run v2 module (ludoo)
• [#2599] incompatible change: Alloydb variables refactor (simonebruzzechesse)
• [#2606] feat: implement the new iam interface in artifact-registry (NitriKx)
• [#2595] Allow manage existing SSM instance (lnesteroff)
• [#2572] Added biglake-catalog module (apichick)
• [#2593] Fix looker README and add custom url for looker instance module (simonebruzzechesse)
• [#2590] Fix permadiff on iap attribute in net-lb-app-int module (eliamaldini)
• [#2565] New looker core module (simonebruzzechesse)
• [#2587] Project Module CMEK: added CloudRun (artemBogdantsev)
• [#2586] Add location for each SSM IAM resource (lnesteroff)
• [#2569] Secure source manager ([apichick](https:...

v34.1.0

Final Release before provider upgrade to 6.x

What's Changed

BLUEPRINTS

• [#2557] Bump provider to 5.43.1 ahead of next release (juliocc)

FAST

• [#2545] Add documentation instructions for potential issues in cicd-github and bootstrap stages (ludoo)

MODULES

• [#2557] Bump provider to 5.43.1 ahead of next release (juliocc)
• [#2556] Updated the auto pilot gke security posture configuration (oluakingcp)
• [#2553] Added the GKE security_posture configuration (oluakingcp)
• [#2546] Full examples for CMEK examples (wiktorn)

TOOLS

• [#2557] Bump provider to 5.43.1 ahead of next release (juliocc)
• [#2552] Upload hidden files (wiktorn)

New Contributors

• @oluakingcp made their first contribution in #2553

Full Changelog: v34.0.0...v34.1.0

v34.0.0

From this release we are adding a few changes that should facilitate upgrading between FAST versions:

• high level migration considerations in the release notes (here)
• a set of pre-computed moved blocks that transition resources to the new formats where possible for bootstrap, resource management, and networking "a" stages
• the release version embedded as a comment in versions.tf files across the whole repository

We emphasize that upgrading FAST is not one of the stated goals of this project, whose main goal is not to publish a product but to produce a set of modules and a Landing Zones toolkit that dynamically evolve to capture patterns seen in the field, and improved designs supporting new product features. One of the many discussions on this topic can be found in #2512.

FAST migration from v33.0.0 to v34.0.0

Bootstrap stage

No destructive changes. A few IAM bindings are re-applied cleanly.

Resource management stage

Network security IaC resources change names from resman-netsec to resman-nsec and need recreation. Network security state should be transitioned to local before applying resource management, and re-transitioned to remote after refreshing resman output files and netsec provider.

Project factory dev and prod resources will change internal names, the moved blocks in the provided file should seamlessly rename them in state. You might get errors during apply on the service accounts, but a second apply cycle succeeds.

Release changelog

BLUEPRINTS

• [#2543] Prepare v34.0.0 release (ludoo)
• [#2542] Use generic project name in HA VPN over IC blueprint (juliocc)
• [#2530] Add managed folders support to gcs module (juliocc)
• [#2531] Update stable provider too to 5.43 (juliocc)
• [#2525] Bump provider to last release of version 5 (juliocc)
• [#2502] Add deletion_policy to project module (juliocc)
• [#2469] Fix E2E tests (wiktorn)
• [#2463] Typo in README: well know -> well-known (derailed-dash)

FAST

• [#2543] Prepare v34.0.0 release (ludoo)
• [#2541] Moved blocks and fix to resman for FAST v33-v34 transition (ludoo)
• [#2484] [FAST] TLS inspection support for NGFW Enterprise (LucaPrete)
• [#2530] Add managed folders support to gcs module (juliocc)
• [#2511] [FAST] Add permissions to nsec-r SA (LucaPrete)
• [#2509] Depend network security stage from fast features in FAST resman stage (ludoo)
• [#2505] incompatible change: Refactor FAST project factory and supporting documentation (ludoo)
• [#2499] Firewall policy module factory schema (ludoo)
• [#2498] DNS rpz module factory schema (ludoo)
• [#2497] Net vpc firewall factory schema (ludoo)
• [#2494] Additional module schemas (ludoo)
• [#2491] Organization module factory schemas (ludoo)
• [#2483] Add boostrap output with log destination ids (juliocc)
• [#2482] [FAST] Rename netsec stage to nsec (LucaPrete)
• [#2477] VPC-SC factory JSON Schemas (ludoo)
• [#2471] Rename 1-vpc-sc stage to 1-vpcsc (juliocc)
• [#2470] Make policyReader binding additive in bootstrap (juliocc)
• [#2466] [FAST] Sets projects_data_path optional, as in the project factory module (LucaPrete)
• [#2464] Fix peering routes config in fast a network stage (ludoo)
• [#2460] incompatible change: VPC-SC as separate FAST stage 1 (ludoo)

MODULES

• [#2543] Prepare v34.0.0 release (ludoo)
• [#2538] Module net-vpc fix for reserved ranges (jamesdalf)
• [#2539] Exposing aws_v4_authentication configuration in global external alb (okguru1)
• [#2537] Add send_secondary_ip_range_if_empty=true to google_compute_subnetwork (sruffilli)
• [#2533] Added the possibility of setting the duration of a GCE instance. (luigi-bitonti)
• [#2535] Allow customizable prefix in net-vpc module PSA configs (ludoo)
• [#2528] Support budget restriction read only (kejti23)
• [#2530] Add managed folders support to gcs module (juliocc)
• [#2531] Update stable provider too to 5.43 (juliocc)
• [#2525] Bump provider to last release of version 5 (juliocc)
• [#2523] feat: Add security_policy to backend service configuration (EmileHofsink)
• [#2521] net-vpc module add overlap CIDR subnet attribute (jamesdalf)
• [[#2518](https://github.com/...