fix: remove unused vars, add upgrade guide (#596)
BREAKING CHANGE: Some unused variables were removed. See the upgrade guide for details.
BREAKING CHANGE: Buckets now enable uniform bucket-level access by default. See the upgrade guide for details.
bharathkkb authored Jun 12, 2021
1 parent 64461a2 commit e4c9b03
Showing 24 changed files with 41 additions and 121 deletions.
2 changes: 0 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,6 @@ determining that location is as follows:
| budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br> service = string,<br> metric = string,<br> limit = string,<br> value = string,<br> }))</pre> | `[]` | no |
| create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
| disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |
Expand All @@ -136,7 +135,6 @@ determining that location is as follows:
| grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
| group\_name | A group to control the project by being assigned group\_role (defaults to project editor) | `string` | `""` | no |
| group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
| impersonate\_service\_account | An optional service account to impersonate. This cannot be used with credentials\_path. If this service account is not specified and credentials\_path is absent, the module will use Application Default Credentials. | `string` | `""` | no |
| labels | Map of labels for project | `map(string)` | `{}` | no |
| lien | Add a lien on the project to prevent accidental deletion | `bool` | `false` | no |
| name | The name for the project | `string` | n/a | yes |
Expand Down
32 changes: 32 additions & 0 deletions docs/upgrading_to_project_factory_v11.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Upgrading to Project Factory v11.0

The v11.0 release of Project Factory is a backwards incompatible release.

## Migration Instructions

### Unused variables have been removed

Variables `credentials_path` and `impersonate_service_account` have been removed as we have removed the need for gcloud and local-execs in [v10.0](https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/docs/upgrading_to_project_factory_v10.0.md). This change should be no-op.

```diff
module "project-factory" {
source = "terraform-google-modules/project-factory/google"
- version = "~> 10.0"
+ version = "~> 11.0"

name = "pf-test-1"
random_project_id = "true"
org_id = "1234567890"
usage_bucket_name = "pf-test-1-usage-report-bucket"
usage_bucket_prefix = "pf/test/1/integration"
billing_account = "ABCDEF-ABCDEF-ABCDEF"
- credentials_path = "..."
- impersonate_service_account = "..."
}
```

### Uniform Bucket Level Access is enabled by default

Uniform Bucket Level Access is enabled by default and controlled by the `bucket_ula` variable.

If you want to keep Uniform Bucket Level Access disabled, this variable should be set to false.
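
Review bot: The "Uniform Bucket Level Access is enabled by default" section at the end of the guide has no example and does not say what an upgrade does to a bucket the module already manages with the setting off. Add a snippet in the same diff style as the first section showing `bucket_ula = false`, and a sentence telling users whose bucket access depends on object ACLs to set it before applying v11.0, because uniform bucket-level access stops ACL-based grants from being evaluated.
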
1 change: 0 additions & 1 deletion examples/gke_shared_vpc/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ More information about GKE with Shared VPC can be found here: https://cloud.goog
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| billing\_account | billing account | `any` | n/a | yes |
| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | `any` | n/a | yes |
| org\_id | organization id | `any` | n/a | yes |
| shared\_vpc | The ID of the host project which hosts the shared VPC | `any` | n/a | yes |
| shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$PROJECT\_ID/regions/$REGION/subnetworks/$SUBNET\_ID) | `list(string)` | `[]` | no |
Expand Down
11 changes: 2 additions & 9 deletions examples/gke_shared_vpc/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,18 +14,12 @@
* limitations under the License.
*/

locals {
credentials_file_path = var.credentials_path
}

provider "google" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "google-beta" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "null" {
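
Review bot: Missing documentation for the two provider blocks above: with `credentials = file(local.credentials_file_path)` removed, nothing in this example says which identity the `google` and `google-beta` providers run as. The example README listed `credentials_path` as a required input and that row is simply dropped, so add a line there stating that the providers now use Application Default Credentials and which permissions that identity needs.
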
Expand All @@ -44,6 +38,5 @@ module "project-factory" {
billing_account = var.billing_account
svpc_host_project_id = var.shared_vpc
activate_apis = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com"]
credentials_path = local.credentials_file_path
shared_vpc_subnets = var.shared_vpc_subnets
}
4 changes: 0 additions & 4 deletions examples/gke_shared_vpc/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,6 @@
* limitations under the License.
*/

variable "credentials_path" {
description = "Path to a Service Account credentials file with permissions documented in the readme"
}

variable "org_id" {
description = "organization id"
}
Expand Down
1 change: 0 additions & 1 deletion examples/group_project/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ Expected variables:
| admin\_email | Admin user email on Gsuite. This should be a user account, not a service account. | `any` | n/a | yes |
| api\_sa\_group | An existing G Suite group email to place the Google APIs Service Account for the project in | `any` | n/a | yes |
| billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
| credentials\_file\_path | Service account json auth path | `any` | n/a | yes |
| organization\_id | The organization id for the associated services | `any` | n/a | yes |
| project\_group\_name | The name of a G Suite group to create for controlling the project | `any` | n/a | yes |

Expand Down
12 changes: 2 additions & 10 deletions examples/group_project/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,25 +14,18 @@
* limitations under the License.
*/

locals {
credentials_file_path = var.credentials_file_path
}

/******************************************
Provider configuration
*****************************************/
provider "google" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "google-beta" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "gsuite" {
credentials = file(local.credentials_file_path)
impersonated_user_email = var.admin_email

oauth_scopes = [
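
Review bot: In the `gsuite` provider block, `impersonated_user_email = var.admin_email` stays while `credentials` is removed, so the block now impersonates the admin user with whatever identity the environment happens to supply. State in the example README which credentials the `gsuite` provider is expected to pick up, since that README previously required `credentials_file_path` for it.
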
Expand All @@ -57,7 +50,6 @@ module "project-factory" {
name = "group-sample-project"
org_id = var.organization_id
billing_account = var.billing_account
credentials_path = local.credentials_file_path
create_group = true
group_name = var.project_group_name
api_sa_group = var.api_sa_group
Expand Down
4 changes: 0 additions & 4 deletions examples/group_project/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,6 @@ variable "admin_email" {
description = "Admin user email on Gsuite. This should be a user account, not a service account."
}

variable "credentials_file_path" {
description = "Service account json auth path"
}

variable "organization_id" {
description = "The organization id for the associated services"
}
Expand Down
1 change: 0 additions & 1 deletion examples/project-hierarchy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ Expected variables:
|------|-------------|------|---------|:--------:|
| admin\_email | Admin user email on Gsuite | `any` | n/a | yes |
| billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
| organization\_id | The organization id for the associated services | `any` | n/a | yes |

## Outputs
Expand Down
13 changes: 2 additions & 11 deletions examples/project-hierarchy/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,25 +14,18 @@
* limitations under the License.
*/

locals {
credentials_file_path = var.credentials_path
}

/******************************************
Provider configuration
*****************************************/
provider "google" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "google-beta" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "gsuite" {
credentials = file(local.credentials_file_path)
impersonated_user_email = var.admin_email

oauth_scopes = [
Expand Down Expand Up @@ -63,7 +56,6 @@ module "project-prod-gke" {
org_id = var.organization_id
billing_account = var.billing_account
folder_id = google_folder.prod.id
credentials_path = local.credentials_file_path
}

module "project-factory" {
Expand All @@ -73,5 +65,4 @@ module "project-factory" {
org_id = var.organization_id
billing_account = var.billing_account
folder_id = google_folder.prod.id
credentials_path = local.credentials_file_path
}
5 changes: 0 additions & 5 deletions examples/project-hierarchy/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,3 @@ variable "billing_account" {
description = "The ID of the billing account to associate this project with"
}

variable "credentials_path" {
description = "Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials."
default = ""
}

1 change: 0 additions & 1 deletion examples/simple_project/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ Expected variables:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
| organization\_id | The organization id for the associated services | `any` | n/a | yes |

## Outputs
Expand Down
11 changes: 2 additions & 9 deletions examples/simple_project/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,21 +14,15 @@
* limitations under the License.
*/

locals {
credentials_file_path = var.credentials_path
}

/******************************************
Provider configuration
*****************************************/
provider "google" {
credentials = file(local.credentials_file_path)
version = "~> 3.30"
version = "~> 3.30"
}

provider "google-beta" {
credentials = file(local.credentials_file_path)
version = "~> 3.38"
version = "~> 3.38"
}

provider "null" {
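
Review bot: Style point on the provider blocks: `google` is pinned to `~> 3.30` while `google-beta` is pinned to `~> 3.38`, unlike the other examples in this commit where both use `~> 3.30`. Since both lines are touched here, align the two constraints or add a comment explaining why `google-beta` needs the higher minimum.
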
Expand All @@ -45,7 +39,6 @@ module "project-factory" {
name = "simple-sample-project"
org_id = var.organization_id
billing_account = var.billing_account
credentials_path = local.credentials_file_path
default_service_account = "deprivilege"

activate_api_identities = [{
Expand Down
5 changes: 0 additions & 5 deletions examples/simple_project/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,3 @@ variable "organization_id" {
variable "billing_account" {
description = "The ID of the billing account to associate this project with"
}

variable "credentials_path" {
description = "Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials."
default = ""
}
2 changes: 0 additions & 2 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,6 @@ module "project-factory" {
activate_api_identities = var.activate_api_identities
usage_bucket_name = var.usage_bucket_name
usage_bucket_prefix = var.usage_bucket_prefix
credentials_path = var.credentials_path
impersonate_service_account = var.impersonate_service_account
shared_vpc_subnets = var.shared_vpc_subnets
labels = var.labels
bucket_project = var.bucket_project
Expand Down
2 changes: 1 addition & 1 deletion modules/core_project_factory/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ locals {
"%[email protected]",
google_project.main.number,
)
activate_apis = var.impersonate_service_account != "" ? concat(var.activate_apis, ["iamcredentials.googleapis.com"]) : var.activate_apis
activate_apis = var.activate_apis
api_s_account_fmt = format("serviceAccount:%s", local.api_s_account)
project_bucket_name = var.bucket_name != "" ? var.bucket_name : format("%s-state", local.temp_project_id)
create_bucket = var.bucket_project != "" ? true : false
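
Review bot: Behaviour change on the `activate_apis` local: callers who set `impersonate_service_account` had `iamcredentials.googleapis.com` appended to the list, and after this change it silently drops out, so for them the upgrade is not the no-op the guide describes. With `disable_services_on_destroy` defaulting to `true`, the next apply may disable that API; mention in the upgrade guide that it must be listed in `activate_apis` explicitly if it is still needed. The local is also now a plain alias of `var.activate_apis` and could be dropped in favour of the variable.
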
Expand Down
12 changes: 0 additions & 12 deletions modules/core_project_factory/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -127,18 +127,6 @@ variable "usage_bucket_prefix" {
default = ""
}

variable "credentials_path" {
description = "Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials."
type = string
default = ""
}

variable "impersonate_service_account" {
description = "An optional service account to impersonate. If this service account is not specified, Terraform will fall back to credential file or Application Default Credentials."
type = string
default = ""
}

variable "shared_vpc_subnets" {
description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
type = list(string)
Expand Down
3 changes: 0 additions & 3 deletions modules/gsuite_enabled/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ module "project-factory" {
billing_account = "ABCDEF-ABCDEF-ABCDEF"
create_group = true
credentials_path = "${local.credentials_file_path}"
group_name = "test_sa_group"
group_role = "roles/editor"
name = "pf-test-1"
Expand Down Expand Up @@ -73,7 +72,6 @@ The roles granted are specifically:
| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br> service = string,<br> metric = string,<br> limit = string,<br> value = string,<br> }))</pre> | `[]` | no |
| create\_group | Whether to create the group or not | `bool` | `false` | no |
| create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
| disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |
Expand All @@ -83,7 +81,6 @@ The roles granted are specifically:
| folder\_id | The ID of a folder to host this project | `string` | `""` | no |
| group\_name | A group to control the project by being assigned group\_role - defaults to ${project\_name}-editors | `string` | `""` | no |
| group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
| impersonate\_service\_account | An optional service account to impersonate. If this service account is not specified, Terraform will fall back to credential file or Application Default Credentials. | `string` | `""` | no |
| labels | Map of labels for project | `map(string)` | `{}` | no |
| lien | Add a lien on the project to prevent accidental deletion | `bool` | `false` | no |
| name | The name for the project | `any` | n/a | yes |
Expand Down
2 changes: 0 additions & 2 deletions modules/gsuite_enabled/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -89,8 +89,6 @@ module "project-factory" {
activate_apis = var.activate_apis
usage_bucket_name = var.usage_bucket_name
usage_bucket_prefix = var.usage_bucket_prefix
credentials_path = var.credentials_path
impersonate_service_account = var.impersonate_service_account
shared_vpc_subnets = var.shared_vpc_subnets
labels = var.labels
bucket_project = var.bucket_project
Expand Down
11 changes: 0 additions & 11 deletions modules/gsuite_enabled/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -112,17 +112,6 @@ variable "usage_bucket_prefix" {
default = ""
}

variable "credentials_path" {
description = "Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials."
default = ""
}

variable "impersonate_service_account" {
description = "An optional service account to impersonate. If this service account is not specified, Terraform will fall back to credential file or Application Default Credentials."
type = string
default = ""
}

variable "shared_vpc_subnets" {
description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
type = list(string)
Expand Down
2 changes: 0 additions & 2 deletions modules/svpc_service_project/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,6 @@ module "service-project" {
| budget\_amount | The amount to use for a budget alert | `number` | `null` | no |
| budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
| create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
| disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |
Expand All @@ -53,7 +52,6 @@ module "service-project" {
| grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
| group\_name | A group to control the project by being assigned group\_role (defaults to project editor) | `string` | `""` | no |
| group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
| impersonate\_service\_account | An optional service account to impersonate. This cannot be used with credentials\_path. If this service account is not specified and credentials\_path is absent, the module will use Application Default Credentials. | `string` | `""` | no |
| labels | Map of labels for project | `map(string)` | `{}` | no |
| lien | Add a lien on the project to prevent accidental deletion | `bool` | `false` | no |
| name | The name for the project | `string` | n/a | yes |
Expand Down
2 changes: 0 additions & 2 deletions modules/svpc_service_project/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,6 @@ module "project-factory" {
usage_bucket_name = var.usage_bucket_name
usage_bucket_prefix = var.usage_bucket_prefix
bucket_versioning = var.bucket_versioning
credentials_path = var.credentials_path
impersonate_service_account = var.impersonate_service_account
shared_vpc_subnets = var.shared_vpc_subnets
labels = var.labels
bucket_project = var.bucket_project
Expand Down