NOTES:
2.20.3 is a backport release, and some changes will not appear in 3.X series releases until 3.12.0. To upgrade to 3.X you will need to perform a large jump in versions, and it is strongly advised that you attempt to upgrade to 3.X instead of using this release.
2.20.3 is primarily a preventative fix, in anticipation of a change in API response messages adding a default value.
BUG FIXES:
google_compute_instance_template resources with network_interface[*].name set. (#1815)
BUG FIXES:
Note: 2.20.1 is a backport release. The changes in it are unavailable in 3.0.0-beta.1 through 3.2.0.
BUG FIXES:
BREAKING CHANGES:
google_compute_instance_iam_* resources now support IAM Conditions. If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply. (#1360)
google_iap_app_engine_version_iam_* resources now support IAM Conditions. If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply. (#1352)
google_iap_web_backend_service_iam_* resources now support IAM Conditions. If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply. (#1352)
google_project_iam_* resources now support IAM Conditions. If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply. (#1321)
backend.group field is now required for google_compute_region_backend_service. Configurations without this would not have worked, so this isn't considered an API break. (#1311)
FEATURES:
google_data_fusion_instance (#1339)
IMPROVEMENTS:
google_bigtable_table (#1350)
load_balancing_scheme for google_compute_forwarding_rule now accepts INTERNAL_MANAGED as a value. (#1311)
google_compute_region_backend_service to include backend.balancing_mode, backend.capacity_scaler, backend.max_connections, backend.max_connections_per_endpoint, backend.max_connections_per_instance, backend.max_rate, backend.max_rate_per_endpoint, backend.max_rate_per_instance, and backend.max_utilization (#1311)
id for many IAM resources to the reference resource long name. Updated instance_name on google_compute_instance_iam and subnetwork on google_compute_subnetwork to their respective long names in state (#1360)
google_compute_instance_iam_* resources (#1360)
google_iap_app_engine_version_iam_* resources (#1352)
google_iap_web_backend_service_iam_* resources (#1352)
display_name field to google_logging_metric resource (#1344)
validate_ssl to google_monitoring_uptime_check_config (#1243)
google_project_service read calls, so fewer API requests are made (#1354)
google_project_iam_* resources (#1321)
google_storage_notification (#1368)
BUG FIXES:
min_replicas in google_compute_autoscaler and google_compute_region_autoscaler would set that field to its server-side default instead of 0. (#1351)
network blocks are defined without network_urls (#1345)
DEPRECATIONS:
compute: deprecated enable_flow_logs on google_compute_subnetwork. The presence of the log_config block signals that flow logs are enabled for a subnetwork (#1320)
compute: deprecated instance_template for google_compute_instance_group_manager and google_compute_region_instance_group_manager. Use version.instance_template instead. (#1309)
compute: deprecated update_strategy for google_compute_instance_group_manager. Use update_policy instead. (#1309)
container: deprecated google_container_cluster ip_allocation_policy.create_subnetwork, ip_allocation_policy.subnetwork_name, ip_allocation_policy.node_ipv4_cidr_block. Define an explicit google_compute_subnetwork and use subnetwork instead. (#1312)
container: deprecated google_container_cluster ip_allocation_policy.use_ip_aliases. If it's set to true, remove it from your config. If false, remove ip_allocation_policy as a whole. (#1312)
iam: Deprecated pgp_key on google_service_account_key resource. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information. (#1326)
BREAKING CHANGES:
google_service_account_iam_* resources now support IAM Conditions. If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply. (#1188)
FEATURES:
compute: added google_compute_router datasource (#1233)
IMPROVEMENTS:
cloudbuild: added ability to specify name for cloud_build_trigger to avoid name collisions when creating multiple triggers at once. (#1277)
compute: added support for multiple versions of instance_template and granular control of the update policies for google_compute_instance_group_manager and google_compute_region_instance_group_manager. (#1309)
container: added taint field in GKE resources to the GA google provider (#1296)
container: fix a diff created in the cloud console when MaintenanceExclusions are added. (#1310)
container: added maintenance_policy.recurring_window support to google_container_cluster, significantly increasing expressive range. (#1292)
compute: added google_compute_instance support for display device (Virtual Displays) (#1313)
iam: added support for IAM Conditions to the google_service_account_iam_* resources (beta provider only) (#1188)
iam: added description to google_service_account. (#1291)
BUG FIXES:
appengine: Resolved permadiff in google_app_engine_domain_mapping.ssl_settings.certificate_id. (#1303)
storage: Fixed error in google_storage_bucket where locked retention policies would cause a bucket to report failure on all updates (even though updates were applied correctly). (#1307)
container: Fixed nil reference to ShieldedNodes. (#1314)
BUGS:
resourcemanager: fixed deleting the default network in google_project (#1299)
KNOWN ISSUES:
resourcemanager: google_project auto_create_network is failing to delete networks when set to false. Use an earlier provider version to resolve.
DEPRECATIONS:
container: The kubernetes_dashboard addon is deprecated for google_container_cluster. (#1247)
FEATURES:
google_app_engine_application_url_dispatch_rules (#1262)
IMPROVEMENTS:
all: increased support for custom endpoints across the provider (#1244)
appengine: added the ability to delete the parent service of google_app_engine_standard_app_version (#1222)
container: Added shielded_instance_config attribute to node_config (#1198)
container: Allow the configuration of release channels when creating GKE clusters. (#1260)
dataflow: added ip_configuration option to job. (#1284)
pubsub: Added field oidc_token to google_pubsub_subscription (#1265)
sql: added location field to backup_configuration block in google_sql_database_instance (#1282)
BUGS:
all: fixed the custom endpoint version used by older legacy REST clients (#1274)
bigquery: fix issue with google_bigquery_data_transfer_config params crashing on boolean values (#1263)
cloudrun: fixed the apiVersion sent in google_cloud_run_domain_mapping requests (#1251)
compute: added support for updating multiple fields at once to google_compute_subnetwork (#1269)
compute: fixed diffs in google_compute_instance_group's network field when equivalent values were specified (#1286)
compute: fixed issues updating google_compute_instance_group's instances field when config/state values didn't match (#1286)
iam: fixed bug where IAM binding wouldn't replace members if they were deleted outside of terraform. (#1272)
pubsub: Fixed permadiff due to interaction of organization policies and google_pubsub_topic. (#1281)
NOTES:
google_project_services users of provider versions prior to 2.17.0 should update, as past versions of the provider will not handle an upcoming rename of bigquery-json.googleapis.com to bigquery.googleapis.com well. See https://github.com/terraform-providers/terraform-provider-google/issues/4590 for details. (#1234)
DEPRECATIONS:
google_project_services (#1218)
FEATURES:
google_bigtable_gc_policy (#1213)
google_binary_authorization_attestor_iam_policy (#1166)
google_compute_region_ssl_certificate (#1183)
google_compute_region_target_http_proxy (#1183)
google_compute_region_target_https_proxy (#1183)
google_iap_app_engine_service_iam_* (#1205)
google_iap_app_engine_version_iam_* (#1205)
google_storage_bucket_access_control (#1177)
IMPROVEMENTS:
monitoring-read scope available. (#1208)
google_bigtable_instance (#1224)
github field in google_cloudbuild_trigger. (#1229)
default_max_pods_per_node to ga. (#1235)
google_containeranalysis_note to ga (#1166)
BUGS:
app_engine_http_target.app_engine_routing on google_cloud_scheduler_job (#1131)
quic_override on google_compute_https_target_proxy to empty. (#1219)
region_backend_service.backends.failover was not detected. (#1236)
google_compute_router_peer to default if empty for advertise_mode (#1163)
google_compute_router_nat when referencing subnetwork via name (#1194)
google_compute_router_nat when referencing subnetwork via name (#1194)
master_ipv4_cidr_block in google_container_cluster (#1211)
KNOWN ISSUES:
google_project_services resource may have seen the bigquery.googleapis.com service added and the bigquery-json.googleapis.com service removed, causing a diff. This was later reverted, causing another diff. This issue is being tracked as https://github.com/terraform-providers/terraform-provider-google/issues/4590.
FEATURES:
google_compute_region_url_map is now available. To support this, the protocol for google_compute_region_backend_service can now be set to HTTP, HTTPS, HTTP2, and SSL. (#1161)
google_runtimeconfig_config_iam_* resources (#1138)
google_compute_resource_policy and google_compute_disk_resource_policy_attachment to manage google_compute_disk resource policies as fine-grained resources (#1085)
ENHANCEMENTS:
python_version and ability to set image_version in google_composer_environment in the GA provider (#1143)
google_compute_global_forwarding_rule now supports metadata_filters. (#1160)
google_compute_backend_service now supports locality_lb_policy, outlier_detection, consistent_hash, and circuit_breakers. (#1118)
guest_os_features to resource google_compute_image (#1156)
drain_nat_ips to google_compute_router_nat (#1155)
google_netblock_ip_ranges data source now has a private-googleapis field, for the IP addresses used for Private Google Access for services that do not support VPC Service Controls API access. (#1102)
google_project_iam_* Properly set the project field in state (#1158)
BUG FIXES:
subfolder_matches were not set in google_cloudiot_registry event_notification_configs (#1175)
FEATURES:
google_iap_web_iam_binding/_member/_policy are now available for managing IAP web IAM permissions (#1044)
google_iap_web_backend_service_binding/_member/_policy are now available for managing IAM permissions on IAP enabled backend services (#1044)
google_iap_web_type_compute_iam_binding/_member/_policy are now available for managing IAM permissions on IAP enabled compute services (#1044)
google_iap_web_type_app_engine_iam_binding/_member/_policy are now available for managing IAM permissions on IAP enabled App Engine applications (#1044)
google_app_engine_domain_mapping (#1079)
google_cloudfunctions_function_iam_policy, google_cloudfunctions_function_iam_binding, and google_cloudfunctions_function_iam_member (#1121)
google_compute_reservation allows you to reserve instance capacity in GCE. (#1086)
google_compute_region_health_check is now available. This and google_compute_health_check now include additional support for HTTP2 health checks. (#1058)
ENHANCEMENTS:
google_compute_router_peer (#1104)
tunnel_id to google_compute_vpn_tunnel and gateway_id to google_compute_vpn_gateway (#1106)
google_compute_subnetwork now includes the purpose and role fields. (#1051)
purpose field to google_compute_address (#1115)
mode option to google_compute_instance.boot_disk (#1119)
google_compute_firewall does not show a diff if allowed or denied rules are specified with uppercase protocol values (#1144)
log_config block to compute_backend_service (Beta only) (#1137)
metric_descriptor.unit to google_logging_metric resource (#1117)
BUG FIXES:
master_authorized_networks_config is removed from the google_container_cluster configuration. (#1133)
google_service_account_ and google_service_account_iam_* validation less restrictive to allow for more default service accounts (#1109)
google_logging_metric explicit bucket option can now be set (#1096)
google_sql_database_instance (#1108)
MISC:
DEPRECATIONS:
resource_cloudiot_registry's event_notification_config field has been deprecated. (#1064)
FEATURES:
google_bigtable_app_profile is now available (#988)
google_ml_engine_model (#957)
google_dataproc_autoscaling_policy (#1078)
google_kms_secret_ciphertext (#1011)
ENHANCEMENTS:
num_nodes can now be updated in google_bigtable_instance (#1067)
resource_cloudiot_registry now has fields plural event_notification_configs and log_level, and event_notification_config has been deprecated. (#1064)
google_compute_region_instance_group_manager.update_policy now supports instance_redistribution_type (#1073)
oauth_token and oidc_token on resource google_cloud_scheduler_job (#1024)
BUG FIXES:
google_project_iam_custom_role now sets the project properly on import. (#1089)
google_sql_database. (#1061)
KNOWN ISSUES:
bigtable: google_bigtable_instance may cause a panic on Terraform 0.11. This was resolved in 2.17.0.
FEATURES:
google_vpc_access_connector resource and the vpc_connector option on the google_cloudfunctions_function resource. (#1004)
google_scc_source resource for managing Cloud Security Command Center sources in Terraform (#1033)
google_compute_network_endpoint_group (#999)
ENHANCEMENTS:
google_bigquery_data_transfer_config (which include scheduled queries). (#975)
google_bigtable_instance max number of cluster blocks is now 4 (#995)
globalPolicyEvaluationMode to google_binary_authorization_policy. (#987)
google_compute_router_nat (#979)
google_netblock_ip_ranges to support multiple useful IP address ranges that have a special meaning on GCP. (#986)
google_project, google_folder, and google_*_organization_policy (#971)
user_project_override, which allows billing, quota checks, and service enablement checks to occur against the project a resource is in instead of the project the credentials are from. (#1010)
BUG FIXES:
key_name in google_container_cluster.database_encryption is no longer a required field. (#1032)
FEATURES:
google_kms_crypto_key_version - Provides access to KMS key version data with Google Cloud KMS. (#964)
google_cloud_run_service - Set up a cloud run service (#757)
google_cloud_run_domain_mapping - Allows custom domains to map to a cloud run service (#757)
ENHANCEMENTS:
binary_authorization_attestor. (#964)
google_composer_environment (#908)
google_compute_health_check (#933)
google_compute_network_endpoint and add location-only import formats (#947)
resource_policies to resource google_compute_disk (#960)
workload_identity_config in google_container_cluster can now be updated without recreating the cluster. (#896)
labels on resource google_dataflow_job (#970)
optional_components to resource resource_dataproc_cluster (#961)
retention_policy to resource google_storage_bucket (#949)
BUG FIXES:
google_dataproc_cluster software_config.0.image_version to prevent permadiff when server uses more specific versions of config value (#969)
google_organization_iam_policy, google_folder_iam_policy) (#967)
google_storage_bucket Set website metadata during read (#925)
NOTES:
FEATURES:
google_bigtable_instance_iam_binding, google_bigtable_instance_iam_member, and google_bigtable_instance_iam_policy are now available. (#923)
google_sourcerepo_repository_iam_* Add support for source repo repository IAM resources (#914)
ENHANCEMENTS:
external_data_configuration to google_bigquery_table. (#696)
google_firestore_index query_scope can have COLLECTION_GROUP specified. (#919)
BUG FIXES:
google_backend_service (#916)
google_container_cluster deeper nil checks to prevent crash on empty object (#934)
google_container_cluster keep clusters in state if they are created in an error state and don't get correctly cleaned up. (#929)
google_container_node_pool Correctly set nodepool autoscaling in state when disabled in the API (#931)
google_container_cluster will now wait to act until the cluster can be operated on, respecting timeouts. (#927)
google_monitoring_uptime_check_config on a deprecated field. (#944)
google_service_networking_connection correctly delete the connection when the resource is destroyed. (#935)
google_storage_transfer_job schedule_end_date caused requests to fail if unset. (#936)
google_storage_object_acl Prevent panic when using interpolated object names. (#917)
DEPRECATIONS:
is_internal and internal_checkers from google_monitoring_uptime_check_config. (#888)
FEATURES:
google_compute_project_default_network_tier (#882)
google_healthcare_dataset_iam_binding (#899)
google_healthcare_dataset_iam_member (#899)
google_healthcare_dataset_iam_policy (#899)
google_healthcare_dicom_store_iam_binding (#899)
google_healthcare_dicom_store_iam_member (#899)
google_healthcare_dicom_store_iam_policy (#899)
google_healthcare_fhir_store_iam_binding (#899)
google_healthcare_fhir_store_iam_member (#899)
google_healthcare_fhir_store_iam_policy (#899)
google_healthcare_hl7_v2_store_iam_binding (#899)
google_healthcare_hl7_v2_store_iam_member (#899)
google_healthcare_hl7_v2_store_iam_policy (#899)
ENHANCEMENTS:
google_compute_backend_service, including max_connections_per_endpoint and max_rate_per_endpoint (#854)
google_compute_instance_group_manager and google_compute_region_instance_group_manager (#909)
node_config.sandbox_config is supported on GKE node pool definitions, allowing you to configure GKE Sandbox. (#863)
google_container_cluster add support for GKE resource usage (#825)
google_folder improve error message on delete (#878)
google_*_iam_policy resources to get simpler diffs (#881)
google_kms_crypto_key now supports labels. (#885)
google_pubsub_topic supports KMS keys with kms_key_name. (#894)
BUG FIXES:
google_service_networking_connection fix update (#871)
BUG FIXES:
google_kms_crypto_key resources (#873)
google_storage_bucket fix for crash that occurs when running plan on old buckets (#870)
google_storage_bucket allow updating bucket_policy_only to false (#870)
FEATURES:
google_compute_resource_policy is now available which can be used to schedule disk snapshots. (#1850)
google_compute_external_vpn_gateway is now available which can be used to connect to external VPN gateways. (#833)
google_compute_network_endpoint_group) and fine-grained resource endpoints (google_compute_network_endpoint) are now available. (#781)
ENHANCEMENTS:
google_compute_instance, google_container_cluster, google_dataproc_cluster, and google_sql_database_instance (#862)
google_container_cluster Stop guest_accelerator from having a permadiff for accelerators with count=0 (#851)
google_container_cluster supports authenticator_groups_config to allow Google Groups-based authentication. (#669)
google_container_cluster supports enable_intranode_visibility. (#801)
google_container_cluster supports Workload Identity to access GCP APIs in GKE applications with workload_identity_config. (#824)
google_dataproc_cluster supports min_cpu_platform (#424, #848)
google_dns_record_set: allow importing dns record sets in any project (#853)
kms_crypto_key supports purpose (#845)
google_storage_bucket now supports enabling bucket_policy_only access control. (#1878)
google_storage_bucket_iam_*) now all support import (#835)
google_pubsub_topic Updates for labels are now supported (#832)
BUG FIXES:
google_bigquery_dataset Relax IAM role restrictions on BQ datasets (#857)
google_project_iam When importing resources project no longer needs to be set in the config post import (#805)
google_sql_user Users can now be updated to change their password (#810)
google_compute_instance_template Fixed issue so project can now be specified by interpolated variables. (#816)
google_compute_instance_template Throw error when using incompatible disk fields instead of continual plan diff (#812)
google_compute_instance_from_template Make sure disk type is expanded to a URL (#771)
google_compute_instance_template Attempt to put disks in state in the same order they were specified (#771)
google_container_cluster and google_node_pool now retry correctly when polling for status of an operation. (#818)
google_container_cluster istio_config.auth will no longer permadiff on AUTH_NONE when an auth method other than TLS is defined. (#834)
google_dns_record_set overrides all existing record types on create, not just NS (#850)
google_monitoring_notification_channel Allow setting enabled to false (#864)
google_pubsub_subscription and google_pubsub_topic resources can be created inside VPC service controls. (#827)
google_redis_instance Fall back to region from location_id when region isn't specified (#847)
DEPRECATIONS:
auto_create_routes field on google_compute_network_peering has been deprecated because it is not user configurable. (#3394)
FEATURES:
google_compute_ha_vpn_gateway is now available. This is an alternative to google_compute_vpn_gateway that can be set up to provide higher availability. (#704)
google_compute_ssl_certificate (#742)
google_composer_image_versions (#752)
ENHANCEMENTS:
app_engine_application location validation. (#760)
google_compute_vpn_tunnel supports HA fields vpn_gateway, vpn_gateway_interface, peer_gcp_gateway, peer_external_gateway, vpn_gateway_interface (#704)
google_container_cluster add support for vertical pod autoscaling (#749)
google_compute_router_interface now supports specifying an interconnect_attachment. (#769)
google_compute_router_nat now supports specifying a log_config block. (#743)
google_compute_router_nat now supports more import formats. (#785)
google_compute_network_peering now supports importing/exporting custom routes (#754)
google_compute_backend_service now supports self-managed internal load balancing (#772)
google_compute_region_backend_service now supports failover policies (#789)
google_compute_backend_service, google_compute_global_forwarding_rule. (#772)
google_container_cluster now supports vertical_pod_autoscaling (#733)
services_ipv4_cidr for container_cluster. (#804)
google_dataflow_job now supports setting machine type (#1862)
google_dns_managed_zone now supports DNSSec (#737)
google_kms_key_ring is now autogenerated. (#748)
google_pubsub_subscription supports setting an expiration_policy with no ttl. (#783)
BUG FIXES:
google_binary_authorization_policy can be used with attestors in another project. (#778)
google_compute_region_backend_service was unable to perform a state migration. (#775)
google_compute_network. (#782)
google_compute_vpn_tunnel now supports sending an empty external gateway interface id. (#759)
google_container_cluster will no longer diff unnecessarily on issue_client_certificate. (#788)
google_container_cluster can enable client certificates on GKE 1.12+ series releases. (#788)
google_container_cluster now retries the call to remove default node pools during cluster creation (#799)
NOTE:
google_compute_backend_bucket_signed_url_key and google_compute_backend_service_signed_url_key were introduced in 2.4.0.
BACKWARDS INCOMPATIBILITIES:
google_cloudfunctions_function.runtime now has an explicit default value of nodejs6. Users who have a different value set in the API but the value undefined in their config will see a diff. (#697)
FEATURES:
google_compute_instance_iam_binding, google_compute_instance_iam_member, and google_compute_instance_iam_policy are now available. (#685)
google_dataproc_job_iam_policy, google_dataproc_job_iam_member, google_dataproc_job_iam_binding, google_dataproc_cluster_iam_policy, google_dataproc_cluster_iam_member, google_dataproc_cluster_iam_binding) are now available. (#709)
google_iap_tunnel_instance_iam_binding, google_iap_tunnel_instance_iam_member, and google_iap_tunnel_instance_iam_policy are now available. (#687)
ENHANCEMENTS:
google_client_config datasource (#668)
google_compute_instance now supports shielded_instance_config for verifiable integrity of your VM instances. (#711)
google_compute_backend_service now supports HTTP2 protocol (beta API feature) (#708)
google_compute_instance_template now supports shielded_instance_config for verifiable integrity of your VM instances. (#711)
BUG FIXES:
google_cloudfunctions_function.runtime now has an explicit default value of nodejs6. (#697)
google_monitoring_alert_policy is more likely to succeed (#684)
google_kms_crypto_key now (in addition to marking all crypto key versions for destruction) correctly disables auto-rotation for destroyed keys (#705)
KNOWN ISSUES:
google_cloudfunctions_functions without a runtime set will fail to create due to an upstream API change. You can work around this by setting an explicit runtime in 2.X series releases.
DEPRECATIONS:
google_monitoring_alert_policy labels was deprecated, as the field was never used and it was typed incorrectly. (#635)
FEATURES:
google_compute_node_types for sole-tenant node types is now available. (#614)
google_compute_node_group for sole-tenant nodes is now available. (#643)
google_compute_node_template for sole-tenant nodes is now available. (#614)
google_firestore_index is now available to configure composite indexes on Firestore. (#632)
google_logging_metric is now available to configure Stackdriver logs-based metrics. (#1702)
google_compute_network_endpoint_group (#630)
google_security_scanner_scan_config is now available for configuring scan runs with Cloud Security Scanner. (#641)
ENHANCEMENTS:
google_compute_subnetwork now supports log_config to configure flow logs' logging behaviour. (#619)
google_container_cluster now supports database_encryption to configure etcd encryption. (#649)
google_dataflow_job's network and subnetwork can be configured. (#631)
google_monitoring_alert_policy user_labels support was added. (#635)
google_compute_region_backend_service is now generated with Magic Modules, adding configurable timeouts, multiple import formats, creation_timestamp output. (#645)
iam_compute_subnetwork is now GA. (#656)
google_pubsub_subscription now supports setting an expiration_policy. (#1703)
BUG FIXES:
google_bigquery_table will work with a larger range of projects id formats. (#658)
google_cloudfunctions_function no longer restricts an outdated list of regions (#659)
google_compute_instance now retries updating metadata when fingerprints are mismatched. (#583)
google_compute_instance and google_compute_instance_template now support node affinities for scheduling on sole tenant nodes [#663](https://github.com/terraform-providers/terraform-provider-google-beta/pull/663)
google_compute_managed_ssl_certificate will no longer diff when using an absolute FQDN. (#591)
google_compute_disk resources using google-beta will properly detach users at deletion instead of failing. (#640)
google_compute_subnetwork.secondary_ip_ranges doesn't cause a diff on out of band changes, allows updating to empty list of ranges. (#3496)
google_container_cluster setting networks / subnetworks by name works with location. (#634)
google_container_cluster removed an overly restrictive validation restricting node_pool and remove_default_node_pool being specified at the same time. (#637)
data_source_google_storage_bucket_object now correctly URL encodes the slashes in a file name (#587)
BUG FIXES:
google_compute_backend_service handles empty/nil iap block created by previous providers properly. (#622)
google_compute_backend_service allows multiple instance types in backends.group again. (#625)
google_dns_managed_zone does not permadiff when visibility is set to default and returned as empty from API (#624)
google_projects now handles paginated results from listing projects (#626)
google_project_iam_policy/member/binding now attempts to retry for read-only operations as well as retrying read-write operations (#620)
google_kms_crypto_key.rotation_period now can be an empty string to allow for unset behavior in modules (#627)
KNOWN ISSUES:
google_compute_subnetwork will fail to reorder secondary_ip_range values at apply time
google_compute_subnetworks used with a VPC-native GKE cluster will have a diff if that cluster creates secondary ranges automatically.
BACKWARDS INCOMPATIBILITIES:
google_compute_instance_group will not reconcile instances recreated within the same terraform apply due to underlying 0.12 SDK changes in the provider. (#616)
google_compute_subnetwork will have a diff if secondary_ip_range values defined in config don't exactly match real state; if so, they will need to be reconciled. (#3432)
google_container_cluster will have a diff if master_authorized_networks.cidr_blocks defined in config doesn't exactly match the real state; if so, it will need to be reconciled. (#603)
BUG FIXES:
google_container_cluster catch out of band changes to master_authorized_networks.cidr_blocks. (#603)
NOTES: This 2.4.1 release is a bugfix release for 2.4.0. It backports the fixes applied in the 2.5.1 release to the 2.4.0 series.
BUG FIXES:
google_compute_backend_service handles empty/nil iap block created by previous providers properly. (#622)
google_compute_backend_service allows multiple instance types in backends.group again. (#625)
google_dns_managed_zone does not permadiff when visibility is set to default and returned as empty from API (#624)
KNOWN ISSUES:
google_compute_backend_service resources created with past provider versions won't work with 2.4.0. You can pin your provider version or manually delete them and recreate them until this is resolved. (https://github.com/terraform-providers/terraform-provider-google/issues/3441)
google_dns_managed_zone.visibility will cause a diff if set to public. Setting it to "" (defaulting to public) will work around this. (https://github.com/terraform-providers/terraform-provider-google/issues/3435)
BACKWARDS INCOMPATIBILITIES:
google_access_context_manager_service_perimeter unrestricted_services field was removed based on a removal in the underlying API. (#576)
FEATURES:
google_compute_backend_bucket_signed_url_key is now available. (#530)
google_compute_backend_service_signed_url_key is now available. (#577)
google_service_account_access_token is now available. (#575)
ENHANCEMENTS:
google_compute_backend_service is now generated with Magic Modules, adding configurable timeouts, multiple import formats, creation_timestamp output. (#569)
google_compute_backend_service now supports load_balancing_scheme and cdn_policy.signed_url_cache_max_age_sec. (#584)
google_compute_network now supports delete_default_routes_on_create to delete pre-created routes at network creation time. (#592)
google_compute_autoscaler now supports metric.single_instance_assignment (#580)
google_dns_policy now supports enable_logging. (#573)
google_dns_managed_zone now supports peering_config to enable DNS Peering. (#572)
BUG FIXES:
google_container_cluster will ignore out of band changes on node_ipv4_cidr_block. (#558)
google_container_cluster will now reject config with both node_pool and remove_default_node_pool defined (#600)
google_container_cluster will allow >20 cidr_blocks in master_authorized_networks_config. (#594)
data.google_netblock_ip_ranges.cidr_blocks will better handle ipv6 input. (#590)
google_sql_database_instance will retry reads during Terraform refreshes if it hits a rate limit. (#579)
DEPRECATIONS:
google_container_cluster zone and region fields are deprecated in favour of location, additional_zones in favour of node_locations. (#461)
google_container_node_pool zone and region fields are deprecated in favour of location. (#461)
data.google_container_cluster zone and region fields are deprecated in favour of location. (#461)
google_container_engine_versions zone and region fields are deprecated in favour of location. (#461)

FEATURES:
google_*_organization_policy Adding datasources for folder and project org policy (#468)

ENHANCEMENTS:
google_compute_disk, google_compute_region_disk now support physical_block_size_bytes (#526)
google_container_cluster adds a unified location field for regions and zones, node_locations to manage extra zones for multi-zonal clusters and specific zones for regional clusters. (#461)
google_container_node_pool adds a unified location field for regions and zones. (#461)
data.google_container_cluster adds a unified location field for regions and zones. (#461)
google_container_engine_versions adds a unified location field for regions and zones. (#461)
google_dataflow_job has support for custom service accounts with service_account_email. (#527)
google_monitoring_uptime_check will properly recreate to perform updates. (#485)
google_*_organization_policy Add import support for folder and project organization_policies (#512)
google_sql_ssl_cert Allow project to be specified at resource level (#524)
google_storage_bucket avoids calls to the compute api during import (#529)
google_storage_bucket.storage_class supports updating. (#548)

BUG FIXES:
google_compute_disk will properly detach instances again. (#538)
google_container_cluster, google_container_node_pool properly suppress new GKE 1.12 metadata values. (#522)

KNOWN ISSUES:
google_compute_disk is unable to detach instances at deletion time.

FEATURES:
data.google_projects for retrieving a list of projects based on a filter. (#493)
google_tpu_node for Cloud TPU Nodes (#494)
google_dns_policy for Cloud DNS policies. (#488)

ENHANCEMENTS:
google_compute_disk and google_compute_region_disk will now detach themselves from a more up to date set of users at delete time. (#480)
google_compute_network is now generated by Magic Modules, supporting configurable timeouts and more import formats. (#509)
google_compute_firewall will validate the maximum size of service account lists at plan time. (#508)
google_container_cluster can now disable VPC Native clusters with ip_allocation_policy.use_ip_aliases (#489)
data.google_container_engine_versions supports version_prefix to allow fuzzy version matching. Using this field, Terraform can match the latest version of a major, minor, or patch release. (#506)
google_pubsub_subscription now supports configuring message_retention_duration and retain_acked_messages. (#503)

BUG FIXES:
google_app_engine_application correctly outputs gcr_domain. (#479)
data.google_compute_subnetwork outputs the self_link field again. (#481)
google_compute_attached_disk is now removed from state if the instance was removed. (#497)
google_container_cluster private_cluster_config now has a diff suppress that prevents a permadiff for, and allows for, an empty master_ipv4_cidr_block (#460)
google_container_cluster import behavior fixed/documented for TF-state-only fields (remove_default_node_pool, min_master_version) (#476, #487, #495)
google_storage_transfer_job will no longer crash when accessing nil dates. (#499)

FEATURES:
google_compute_managed_ssl_certificate. (#458)
google_client_openid_userinfo for retrieving the email used to authenticate with GCP. (#459)

ENHANCEMENTS:
data.google_compute_subnetwork can now be addressed by self_link as an alternative to the existing name/region/project fields. (#429)
google_dns_managed_zone. (#268)
google_pubsub_topic is now generated using Magic Modules, adding Open in Cloud Shell examples, configurable timeouts, and the labels field. (#432)
google_pubsub_subscription is now generated using Magic Modules, adding Open in Cloud Shell examples, configurable timeouts, update support, and the labels field. (#432)
google_sql_database_instance now provides public_ip_address and private_ip_address outputs of the first public and private IP of the instance respectively. (#454)

BUG FIXES:
google_sql_database_instance allows the empty string to be set for private_network. (#454)

BACKWARDS INCOMPATIBILITIES:
google_bigtable_instance zone field is no longer inferred from the provider.
google_bigtable_table now reads family from the table's column family in Cloud Bigtable instead of creating a new column family (#70)
google_bigtable_instance.cluster.num_nodes will fail at plan time if DEVELOPMENT instances have num_nodes = "0" set explicitly. If it has been set, unset the field. (#82)
google_cloudbuild_trigger.build.step.args is now a list instead of space separated strings. (#308)
google_cloudfunctions_function.retry_on_failure has been removed. Use event_trigger.failure_policy.retry instead. (#75)
google_cloudfunctions_function.trigger_bucket and google_cloudfunctions_function.trigger_topic have been removed. Use event trigger instead. (#30)
google_composer_environment.node_config.zone is now Required. (#396)
google_compute_instance, google_compute_instance_from_template metadata field is now authoritative and will remove values not explicitly set in config. [#2208](https://github.com/terraform-providers/terraform-provider-google/pull/2208)
google_compute_region_instance_group_manager field update_strategy is now deprecated in the beta provider only. It will only function in the google provider. (#76)
google_compute_global_forwarding_rule field labels is now removed (#81)
google_compute_project_metadata resource is now authoritative and will remove values not explicitly set in config. [#2205](https://github.com/terraform-providers/terraform-provider-google/pull/2205)
google_compute_url_map resource is now authoritative and will remove values not explicitly set in config. [#2245](https://github.com/terraform-providers/terraform-provider-google/pull/2245)
google_compute_snapshot.snapshot_encryption_key_raw, google_compute_snapshot.snapshot_encryption_key_sha256, google_compute_snapshot.source_disk_encryption_key_raw, google_compute_snapshot.source_disk_encryption_key_sha256 fields are now removed. Use google_compute_snapshot.snapshot_encryption_key.0.raw_key, google_compute_snapshot.snapshot_encryption_key.0.sha256, google_compute_snapshot.source_disk_encryption_key.0.raw_key, google_compute_snapshot.source_disk_encryption_key.0.sha256 instead. (#202)
google_compute_instance_group_manager is no longer imported by the provider-level region. Set the appropriate provider-level zone instead. (#248)
google_compute_region_instance_group_manager.update_strategy in the google-beta provider has been removed. (#189)
google_compute_instance, google_compute_instance_template, google_compute_instance_from_template have had the network_interface.address field removed. (#190)
google_compute_instance has had the network_interface.access_config.assigned_nat_ip field removed (#48)
google_compute_disk is no longer imported by the provider-level region. Set the appropriate provider-level zone instead. (#249)
google_compute_router_nat.subnetwork.source_ip_ranges_to_nat is now Required inside subnetwork blocks. (#281)
google_compute_ssl_certificate's private_key field is no longer stored in state in cleartext; it is now SHA256 encoded. (#400)
google_container_cluster fields (private_cluster, master_ipv4_cidr_block) are removed. Use private_cluster_config and private_cluster_config.master_ipv4_cidr_block instead. (#78)
google_container_node_pool's name_prefix field has been restored and is no longer deprecated. (#2975)
google_sql_database_instance resource is now authoritative and will remove values not explicitly set in config. [#2203](https://github.com/terraform-providers/terraform-provider-google/pull/2203)
google_endpoints_service.protoc_output was removed. Use google_endpoints_service.protoc_output_base64 instead. (#79)
google_project_iam_policy is now authoritative and will remove values not explicitly set in config. Several fields were removed that made it authoritative: authoritative, restore_policy, and disable_project. This resource is very dangerous! Ensure you are not using the removed fields (authoritative, restore_policy, disable_project). (#25)
google_service_account_key.service_account_id has been removed. Use the name field instead. (#80)
google_project.app_engine has been removed. Use the google_app_engine_application resource instead. (#74)
google_organization_custom_role.deleted is now an output-only attribute. Use terraform destroy, or remove the resource from your config instead. (#191)
google_project_custom_role.deleted is now an output-only attribute. Use terraform destroy, or remove the resource from your config instead. (#199)
google_project_service will now error instead of silently disabling dependent services if disable_dependent_services is unset. (#384)
google_storage_object_acl.role_entity is now authoritative and will remove values not explicitly set in config. Use google_storage_object_access_control for fine-grained management. (#26)
google_storage_default_object_acl.role_entity is now authoritative and will remove values not explicitly set in config. (#47)
google_*_iam_binding Change all IAM bindings to be authoritative (#291)

FEATURES:
google_access_context_manager_access_policy for managing the container for an organization's access levels. (#96)
google_access_context_manager_access_level for managing an organization's access levels. (#149)
google_access_context_manager_service_perimeter for managing service perimeters in an access policy. (#246)
google_app_engine_firewall_rule (#271, #336)
google_monitoring_group (#120)
google_project_iam_audit_config (#265)
google_storage_transfer_job for managing recurring storage transfers with Google Cloud Storage. (#256)
google_cloud_scheduler_job for managing the cron job scheduling service with Google Cloud Scheduler. (#378)
google_storage_bucket_object (#223)
google_storage_transfer_project_service_account data source for retrieving the Storage Transfer service account for a project (#247)
google_kms_crypto_key (#359)
google_kms_key_ring (#359)

ENHANCEMENTS:
access_token config option to allow Terraform to authenticate using short-lived Google OAuth 2.0 access token (#330)
europe-west2 and australia-southeast1 to valid location set for google_bigquery_dataset (#41)
default_partition_expiration_ms field to google_bigquery_dataset resource. (#127)
delete_contents_on_destroy field to google_bigquery_dataset resource. (#413)
time_partitioning.require_partition_filter to google_bigquery_table resource. (#324)
column_family at create time to google_bigtable_table. [#2228](https://github.com/terraform