<!-- This change is generated by MagicModules. --> /cc @rileykarson
24 KiB
layout | page_title | sidebar_current | description |
---|---|---|---|
Terraform Google Provider Version 2 Upgrade Guide | docs-google-provider-version-2-upgrade | Terraform Google Provider Version 2 Upgrade Guide |
Terraform Google Provider Version 2 Upgrade Guide
Version 2.0.0 of the Google provider for Terraform is a major release and includes some changes that you will need to consider when upgrading. This guide is intended to help with that process and focuses only on changes from version 1.19.1 to version 2.0.0.
Most of the changes outlined in this guide have been previously marked as deprecated in the Terraform plan/apply output throughout previous provider releases, up to and including 1.19.1. These changes, such as deprecation notices, can always be found in the Terraform Google Provider CHANGELOG.
Upgrade topics:
- Provider Version Configuration
google-beta
provider- Open in Cloud Shell
- Data Sources
- Resource:
google_bigquery_dataset
- Resource:
google_bigtable_instance
- Resource:
google_binary_authorizaton_attestor
- Resource:
google_binary_authorizaton_policy
- Resource:
google_cloudbuild_trigger
- Resource:
google_cloudfunctions_function
- Resource:
google_compute_backend_service
- Resource:
google_compute_disk
- Resource:
google_compute_global_forwarding_rule
- Resource:
google_compute_image
- Resource:
google_compute_instance
- Resource:
google_compute_instance_from_template
- Resource:
google_compute_instance_group_manager
- Resource:
google_compute_instance_template
- Resource:
google_compute_project_metadata
- Resource:
google_compute_region_instance_group_manager
- Resource:
google_compute_snapshot
- Resource:
google_compute_subnetwork_iam_*
- Resource:
google_compute_target_pool
- Resource:
google_compute_url_map
- Resource:
google_container_analysis_note
- Resource:
google_container_cluster
- Resource:
google_container_node_pool
- Resource:
google_dataproc_cluster
- Resource:
google_endpoints_service
- Resource:
google_filestore_instance
- Resource:
google_organization_custom_role
- Resource:
google_project
- Resource:
google_project_custom_role
- Resource:
google_project_iam_policy
- Resource:
google_service_account
- Resource:
google_sql_database_instance
- Resource:
google_storage_default_object_acl
- Resource:
google_storage_object_acl
- Resource:
google_*_iam_binding
Provider Version Configuration
!> WARNING: This topic is placeholder documentation until version 2.0.0 is released later this year.
-> Before upgrading to version 2.0.0, it is recommended to upgrade to the most recent version of the provider (1.19.1) and ensure that your environment successfully runs terraform plan
without unexpected changes or deprecation notices.
It is recommended to use version constraints when configuring Terraform providers. If you are following that recommendation, update the version constraints in your Terraform configuration and run terraform init
to download the new version.
For example, given this previous configuration:
provider "google" {
# ... other configuration ...
version = "~> 1.19.0"
}
An updated configuration:
provider "google" {
# ... other configuration ...
version = "~> 2.0.0"
}
google-beta
provider
The google-beta
provider is now necessary to be able to configure resources with beta features.
This new provider enables full import support of beta features and gives users who
wish to use only the most stable APIs and features more confidence that they are doing so
by continuing to use the google
provider.
Beta GCP Features have no deprecation policy and no SLA, but are otherwise considered to be feature-complete with only minor outstanding issues after their Alpha period. Beta is when GCP features are publicly announced, and is when they generally become publicly available. For more information see the official documentation on GCP launch stages.
Because the API for beta features can change before their GA launch, there may be breaking changes
in the google-beta
provider in minor release versions. These changes will be announced in the
Terraform google-beta
Provider CHANGELOG.
To have resources at different API versions, set up provider blocks for each version:
provider "google" {
credentials = "${file("account.json")}"
project = "my-project-id"
region = "us-central1"
}
provider "google-beta" {
credentials = "${file("account.json")}"
project = "my-project-id"
region = "us-central1"
}
In each resource, state which provider that resource should be used with:
resource "google_compute_instance" "ga-instance" {
provider = "google"
# ...
}
resource "google_compute_instance" "beta-instance" {
provider = "google-beta"
# ...
}
See Provider Versions
for more details on how to use google-beta
.
Open in Cloud Shell
2.0.0 is the first release including Open in Cloud Shell. Examples in the documentation for Magic Modules resources now have Open in Cloud Shell links in their documentation that open them in an interactive editor and shell - all without leaving the browser. See the blog post announcing the feature for more details.
Data Sources
See the Resource
sections in this document for properties that may have been removed.
Resource: google_bigquery_dataset
access
is now a Set
The order of entries in access
no longer matters. Any configurations that
interpolate based on an item at a specific index will need to be updated, as items
may have been reordered.
Resource: google_bigtable_instance
cluster_id
, zone
, num_nodes
, and storage_type
have moved into a cluster
block
Example previous configuration:
resource "google_bigtable_instance" "instance" {
name = "tf-instance"
cluster_id = "tf-instance-cluster"
zone = "us-central1-b"
num_nodes = 3
storage_type = "HDD"
}
Example updated configuration:
resource "google_bigtable_instance" "instance" {
name = "tf-instance"
cluster {
cluster_id = "tf-instance-cluster"
zone = "us-central1-b"
num_nodes = 3
storage_type = "HDD"
}
}
zone
is no longer inferred from the provider
cluster.zone
is now required, even if the provider block has a zone set.
Resource: google_binary_authorization_attestor
binary authorization resources have been removed from the GA provider
Use the google-beta
provider to use these resources.
Resource: google_binary_authorization_policy
binary authorization resources have been removed from the GA provider
Use the google-beta
provider to use these resources.
Resource: google_cloudbuild_trigger
build.step.args
is now a list instead of space separated strings.
Example updated configuration:
resource "google_cloudbuild_trigger" "build_trigger" {
trigger_template {
branch_name = "master-updated"
repo_name = "some-repo-updated"
}
build {
images = ["gcr.io/$PROJECT_ID/$REPO_NAME:$SHORT_SHA"]
tags = ["team-a", "service-b", "updated"]
step {
name = "gcr.io/cloud-builders/gsutil"
args = ["cp", "gs://mybucket/remotefile.zip", "localfile-updated.zip"]
}
step {
name = "gcr.io/cloud-builders/go"
args = ["build", "my_package_updated"]
}
step {
name = "gcr.io/cloud-builders/docker"
args = ["build", "-t", "gcr.io/$PROJECT_ID/$REPO_NAME:$SHORT_SHA", "-f", "Dockerfile", "."]
}
step {
name = "gcr.io/$PROJECT_ID/$REPO_NAME:$SHORT_SHA"
args = ["test"]
}
}
}
Resource: google_cloudfunctions_function
trigger_bucket
, trigger_topic
, and retry_on_failure
have been removed
Use the event_trigger
block instead.
Example updated configuration:
resource "google_cloudfunctions_function" "function" {
name = "example-function"
available_memory_mb = 128
source_archive_bucket = "${google_storage_bucket.bucket.name}"
source_archive_object = "${google_storage_bucket_object.archive.name}"
timeout = 61
entry_point = "helloGCS"
event_trigger {
event_type = "providers/cloud.storage/eventTypes/object.change"
resource = "${google_storage_bucket.bucket.name}"
failure_policy {
retry = true
}
}
}
resource "google_storage_bucket" "bucket" {
name = "example-bucket"
}
resource "google_storage_bucket_object" "archive" {
name = "index.zip"
bucket = "${google_storage_bucket.bucket.name}"
source = "path/to/source.zip"
}
See the documentation at
google_cloudfunctions_function
for more details.
Resource: google_compute_backend_service
custom_request_headers
has been removed from the GA provider
Use the google-beta
provider to set this field.
iap
may cause spurious updates
Due to technical limitations around how Terraform can diff fields, you may see a spurious update where the client secret in your config replaces an incorrect value that was recorded in state, the SHA256 hash of the secret's value.
You may also encounter the same behaviour on import.
Resource: google_compute_disk
disk_encryption_key_raw
and disk_encryption_key_sha256
have been removed.
Use the disk_encryption_key
block instead:
data "google_compute_image" "my_image" {
family = "debian-9"
project = "debian-cloud"
}
resource "google_compute_disk" "foobar" {
name = "example-disk"
image = "${data.google_compute_image.my_image.self_link}"
size = 50
type = "pd-ssd"
zone = "us-central1-a"
disk_encryption_key {
raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
}
}
Resource: google_compute_global_forwarding_rule
labels
has been removed from the GA provider
Use the google-beta
provider to set this field.
Resource: google_compute_image
create_timeout
has been removed
Use the standard timeouts block instead.
Resource: google_compute_instance
create_timeout
has been removed
Use the standard timeouts block instead.
metadata
is now authoritative
Terraform will remove values not explicitly set in this field. Any metadata
values
that were added outside of Terraform should be added to the config.
network
has been removed
Use network_interface
instead.
network_interface.*.address
has been removed
Use network_interface.*.network_ip
instead.
Resource: google_compute_instance_from_template
metadata
is now authoritative
Terraform will remove values not explicitly set in this field. Any metadata
values
that were added outside of Terraform should be added to the config.
network_interface.*.address
has been removed
Use network_interface.*.network_ip
instead.
Resource: google_compute_instance_group_manager
version
, auto_healing_policies
, rolling_update_policy
have been removed from the GA provider
Use the google-beta
provider to use these fields.
rolling_update_policy
has been renamed to update_policy
in google-beta
.
Resource: google_compute_instance_template
network_interface.*.address
has been removed
Use network_interface.*.network_ip
instead.
Resource: google_compute_project_metadata
metadata
is now authoritative
Terraform will remove values not explicitly set in this field. Any metadata
values
that were added outside of Terraform should be added to the config.
Resource: google_compute_region_instance_group_manager
version
, auto_healing_policies
, rolling_update_policy
have been removed from the GA provider
Use the google-beta
provider to use these fields.
rolling_update_policy
has been renamed to update_policy
in google-beta
.
update_strategy
no longer has any effect and is removed
With rolling_update_policy
removed, update_strategy
has no effect anymore.
Before updating, remove it from your config.
Resource: google_compute_snapshot
snapshot_encryption_key_raw
and snapshot_encryption_key_sha256
have been removed.
Use the snapshot_encryption_key
block instead:
data "google_compute_image" "my_image" {
family = "debian-9"
project = "debian-cloud"
}
resource "google_compute_disk" "my_disk" {
name = "my-disk"
image = "${data.google_compute_image.my_image.self_link}"
size = 10
type = "pd-ssd"
zone = "us-central1-a"
}
resource "google_compute_snapshot" "my_snapshot" {
name = "my-snapshot"
source_disk = "${google_compute_disk.my_disk.name}"
zone = "us-central1-a"
snapshot_encryption_key {
raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
}
}
source_disk_encryption_key_raw
and source_disk_encryption_key_sha256
have been removed.
Use the source_disk_encryption_key
block instead:
data "google_compute_image" "my_image" {
family = "debian-9"
project = "debian-cloud"
}
resource "google_compute_disk" "my_disk" {
name = "my-disk"
image = "${data.google_compute_image.my_image.self_link}"
size = 10
type = "pd-ssd"
zone = "us-central1-a"
disk_encryption_key {
raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
}
}
resource "google_compute_snapshot" "my_snapshot" {
name = "my-snapshot"
source_disk = "${google_compute_disk.my_disk.name}"
zone = "us-central1-a"
source_disk_encryption_key {
raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
}
}
Resource: google_compute_subnetwork_iam_*
subnetwork IAM resources have been removed from the GA provider
Use the google-beta
provider to use these resources.
Resource: google_compute_target_pool
instances
is now a Set
The order of entries in instances
no longer matters. Any configurations that
interpolate based on an item at a specific index will need to be updated, as items
may have been reordered.
Resource: google_compute_url_map
host_rule
, path_matcher
, and test
are now authoritative
Terraform will remove values not explicitly set in these fields. Any host_rule
, path_matcher
, or test
values that were added outside of Terraform should be added to the config.
Resource: google_container_analysis_note
container analysis resources have been removed from the GA provider
Use the google-beta
provider to use these resources.
Resource: google_container_cluster
enable_binary_authorization
, enable_tpu
, pod_security_policy_config
, private_cluster
, and master_ipv4_cidr_block
, node_config.taints
, node_config.workload_metadata_config
have been removed from the GA provider
Use the google-beta
provider to set these fields.
Resource: google_container_node_pool
max_pods_per_node
, node_config.taints
, node_config.workload_metadata_config
have been removed from the GA provider
Use the google-beta
provider to set these fields.
name_prefix
has been removed
Use the name
field along with the random
provider instead.
Sample config:
variable "machine_type" {}
resource "google_container_cluster" "example" {
name = "example-cluster"
zone = "us-central1-a"
initial_node_count = 1
remove_default_node_pool = true
}
resource "random_id" "np" {
byte_length = 11
prefix = "example-np-"
keepers = {
machine_type = "${var.machine_type}"
}
}
resource "google_container_node_pool" "example" {
name = "${random_id.np.dec}"
zone = "us-central1-a"
cluster = "${google_container_cluster.example.name}"
node_count = 1
node_config {
machine_type = "${var.machine_type}"
}
lifecycle {
create_before_destroy = true
}
}
The keepers
parameter in random_id
takes a map of values that cause the random id to be regenerated.
By tying it to attributes that might change, it makes sure the random id changes too.
To make sure the node pool keeps its old name, figure out what the suffix was by running terraform show
:
google_container_node_pool.example:
...
name = example-np-20180329213336514500000001
Determine the base64 encoding of that value by running this script.
Then, import that suffix as the value of random_id
:
terraform import random_id.np example-np-,ELFZ1rbrAThoeQE
For more details, see terraform-provider-google#1054.
Resource: google_endpoints_service
protoc_output
has been removed
Use protoc_output_base64
instead.
Example previous configuration:
resource "google_endpoints_service" "grpc_service" {
service_name = "api-name.endpoints.project-id.cloud.goog"
grpc_config = "${file("service_spec.yml")}"
protoc_output = "${file("compiled_descriptor_file.pb")}"
Example updated configuration:
resource "google_endpoints_service" "grpc_service" {
service_name = "api-name.endpoints.project-id.cloud.goog"
grpc_config = "${file("service_spec.yml")}"
protoc_output_base64 = "${base64encode(file("compiled_descriptor_file.pb"))}"
}
Resource: google_dataproc_cluster
cluster_config.0.delete_autogen_bucket
has been removed
Autogenerated buckets are shared by all clusters in the same region, so deleting
this bucket could adversely harm other dataproc clusters. If you need a bucket
that can be deleted, please create a new one and set the staging_bucket
field.
cluster_config.0.gce_cluster_config.0.tags
is now a Set
The order of entries in tags
no longer matters. Any configurations that
interpolate based on an item at a specific index will need to be updated, as items
may have been reordered.
Resource: google_filestore_instance
filestore resources have been removed from the GA provider
Use the google-beta
provider to use these resources.
Resource: google_organization_custom_role
deleted
field is now an output-only attribute
Use terraform destroy
, or remove the resource from your config instead.
Resource: google_project
app_engine
has been removed
Use the
google_app_engine_application
resource instead.
To avoid errors trying to recreate the resource, import it into your state first by running:
terraform import google_app_engine_application.app your-project-id
Resource: google_project_custom_role
deleted
field is now an output-only attribute
Use terraform destroy
, or remove the resource from your config instead.
Resource: google_project_iam_policy
policy_data
is now authoritative
Terraform will remove values not explicitly set in this field. Any policy_data
values that were added outside of Terraform should be added to the config.
authoritative
, restore_policy
, and disable_project
have been removed
Remove these fields from your config. Ensure that policy_data
contains all
policy values that exist on the project.
This resource is very dangerous. Consider using google_project_iam_binding
or
google_project_iam_member
instead.
Resource: google_service_account
policy_data
has been removed
Use one of the other service account IAM resources instead.
Resource: google_sql_database_instance
settings
is now authoritative
Terraform will remove values not explicitly set in this field. Any settings values that were added outside of Terraform should be added to the config.
Resource: google_storage_default_object_acl
role_entity
is now authoritative
Terraform will remove values not explicitly set in this field. Any role_entity
values that were added outside of Terraform should be added to the config.
Resource: google_storage_object_acl
role_entity
is now authoritative
Terraform will remove values not explicitly set in this field. Any role_entity
values that were added outside of Terraform should be added to the config.
For fine-grained management, use google_storage_object_access_control
.
Resource: google_*_iam_binding
Create is now authoritative
Every iam_binding
resource will overwrite the existing member list for a given
role on Create. Running terraform plan
for the first time will not show members
that have been added via other tools. To ensure existing members
are preserved
use terraform import
instead of creating the resource.
Previous versions of google_*_iam_binding
resources would merge the existing
members of a role with the members defined in the terraform config. If there was
a difference between the members defined in the config and the existing members
defined for an existing role it would show a diff if terraform plan
was run
immediately after create had succeeded.
Affected resources:
google_billing_account_iam_binding
google_folder_iam_binding
google_kms_key_ring_iam_binding
google_kms_crypto_key_iam_binding
google_spanner_instance_iam_binding
google_spanner_database_iam_binding
google_organization_iam_binding
google_project_iam_binding
google_pubsub_topic_iam_binding
google_pubsub_subscription_iam_binding
google_service_account_iam_binding