diff --git a/.changelog/4376.txt b/.changelog/4376.txt new file mode 100644 index 00000000000..8ec013c0699 --- /dev/null +++ b/.changelog/4376.txt @@ -0,0 +1,3 @@ +```release-note:none + +``` diff --git a/website/docs/r/google_folder_organization_policy.html.markdown b/website/docs/r/google_folder_organization_policy.html.markdown index 7a4690f9d7e..52f6fbba462 100644 --- a/website/docs/r/google_folder_organization_policy.html.markdown +++ b/website/docs/r/google_folder_organization_policy.html.markdown @@ -10,8 +10,7 @@ description: |- # google\_folder\_organization\_policy Allows management of Organization policies for a Google Folder. For more information see -[the official -documentation](https://cloud.google.com/resource-manager/docs/organization-policy/overview) and +[the official documentation](https://cloud.google.com/resource-manager/docs/organization-policy/overview) and [API](https://cloud.google.com/resource-manager/reference/rest/v1/folders/setOrgPolicy). ## Example Usage diff --git a/website/docs/r/google_project.html.markdown b/website/docs/r/google_project.html.markdown index 4a88c0d8b67..43e5137219d 100644 --- a/website/docs/r/google_project.html.markdown +++ b/website/docs/r/google_project.html.markdown 
@@ -14,28 +14,20 @@ Allows creation and management of a Google Cloud Platform project. Projects created with this resource must be associated with an Organization. See the [Organization documentation](https://cloud.google.com/resource-manager/docs/quickstarts) for more details. -The service account used to run Terraform when creating a `google_project` -resource must have `roles/resourcemanager.projectCreator`. See the +The user or service account that is running Terraform when creating a `google_project` +resource must have `roles/resourcemanager.projectCreator` on the specified organization. See the [Access Control for Organizations Using IAM](https://cloud.google.com/resource-manager/docs/access-control-org) doc for more information. -Note that prior to 0.8.5, `google_project` functioned like a data source, -meaning any project referenced by it had to be created and managed outside -Terraform. As of 0.8.5, `google_project` functions like any other Terraform -resource, with Terraform creating and managing the project. To replicate the old -behavior, either: +~> This resource reads the specified billing account on every terraform apply and plan operation so you must have permissions on the specified billing account. -* Use the project ID directly in whatever is referencing the project, using the - [google_project_iam_policy](/docs/providers/google/r/google_project_iam.html) - to replace the old `policy_data` property. -* Use the [import](/docs/import/usage.html) functionality - to import your pre-existing project into Terraform, where it can be referenced and - used just like always, keeping in mind that Terraform will attempt to undo any changes - made outside Terraform. +~> It is recommended to use the `constraints/compute.skipDefaultNetworkCreation` [constraint](/docs/providers/google/r/google_organization_policy.html) to remove the default network instead of setting `auto_create_network` to false. 
-~> It's important to note that any project resources that were added to your Terraform config -prior to 0.8.5 will continue to function as they always have, and will not be managed by -Terraform. Only newly added projects are affected. +To get more information about projects, see: + +* [API documentation](https://cloud.google.com/resource-manager/reference/rest/v1/projects) +* How-to Guides + * [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects) ## Example Usage @@ -85,8 +77,8 @@ The following arguments are supported: * `billing_account` - (Optional) The alphanumeric ID of the billing account this project belongs to. The user or service account performing this operation with Terraform - must have Billing Account Administrator privileges (`roles/billing.admin`) in - the organization. See [Google Cloud Billing API Access Control](https://cloud.google.com/billing/v1/how-tos/access-control) + must have at mininum Billing Account User privileges (`roles/billing.user`) on the billing account. + See [Google Cloud Billing API Access Control](https://cloud.google.com/billing/docs/how-to/billing-access) for more details. * `skip_delete` - (Optional) If true, the Terraform resource can be deleted diff --git a/website/docs/r/google_project_default_service_accounts.html.markdown b/website/docs/r/google_project_default_service_accounts.html.markdown index 41a69725313..40474453d83 100644 --- a/website/docs/r/google_project_default_service_accounts.html.markdown +++ b/website/docs/r/google_project_default_service_accounts.html.markdown 
@@ -14,7 +14,15 @@ Allows management of Google Cloud Platform project default service accounts. When certain service APIs are enabled, Google Cloud Platform automatically creates service accounts to help get started, but this is not recommended for production environments as per [Google's documentation](https://cloud.google.com/iam/docs/service-accounts#default). See the [Organization documentation](https://cloud.google.com/resource-manager/docs/quickstarts) for more details. -~> This resource works on a best-effort basis, as no API formally describes the default service accounts. If the default service accounts change their name or additional service accounts are added, this resource will need to be updated. + +~> **WARNING** Some Google Cloud products do not work if the default service accounts are deleted so it is better to `DEPRIVILEGE` as +Google **CAN NOT** recover service accounts that have been deleted for more than 30 days. +Also Google recommends using the `constraints/iam.automaticIamGrantsForDefaultServiceAccounts` [constraint](/docs/providers/google/r/google_organization_policy.html) +to disable automatic IAM Grants to default service accounts. + +~> This resource works on a best-effort basis, as no API formally describes the default service accounts +and it is for users who are unable to use constraints. If the default service accounts change their name +or additional service accounts are added, this resource will need to be updated. ## Example Usage
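Review bot: the new billing admonition in the `@@ -14,28 +14,20 @@` hunk of google_project.html.markdown leaves "permissions on the specified billing account" undefined and runs as one long sentence; name the minimum role so it matches the `roles/billing.user` wording added further down in the same file, add the comma before "so", and put the CLI commands in backticks, e.g. `~> This resource reads the specified billing account on every \`terraform plan\` and \`terraform apply\`, so the identity running Terraform must have at least \`roles/billing.user\` on that billing account.` In the same hunk, the `constraints/compute.skipDefaultNetworkCreation` note says the constraint is used "to remove the default network", but an enforced boolean constraint prevents the default network from being created in new projects rather than removing an existing one; "to prevent creation of the default network" is accurate, and `false` should be in backticks to match `auto_create_network`.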
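Review bot: "at mininum" in the `@@ -85,8 +77,8 @@` hunk of google_project.html.markdown is a typo for "at minimum"; suggest `must have at minimum Billing Account User privileges (\`roles/billing.user\`) on the billing account.` Narrowing the documented requirement from `roles/billing.admin` in the organization to `roles/billing.user` on the billing account is the right least-privilege correction, so make sure the billing admonition earlier in the file names the same role rather than an unspecified "permissions".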
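Review bot: the new **WARNING** in the google_project_default_service_accounts.html.markdown hunk joins two separate rationales into one sentence and uses `DEPRIVILEGE` without saying which argument value it refers to; split it and name the argument, e.g. `Some Google Cloud products do not work if the default service accounts are deleted, so prefer deprivileging them (\`DEPRIVILEGE\`) over deleting them. Google cannot recover service accounts that have been deleted for more than 30 days.` Also "CAN NOT" should be "cannot", "IAM Grants" should be lower-case "IAM grants", and the second admonition needs a comma before "and it is for users who are unable to use constraints".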