BUG FIXES:

• storage: fixed a conversion crash in google_storage_bucket state migration #24186

Terraform Google Provider 7.0.0 Upgrade Guide

BREAKING RESOURCE REMOVALS:

• beyondcorp: removed google_beyondcorp_application, its associated IAM resources google_beyondcorp_application_iam_binding, google_beyondcorp_application_iam_member, and google_beyondcorp_application_iam_policy, and the google_beyondcorp_application_iam_policy datasource. Use google_beyondcorp_security_gateway_application instead. #23999
• notebooks: removed google_notebooks_location #23607
• tpu: removed google_tpu_node. Use google_tpu_v2_vm instead. #23964

BREAKING FIELD REMOVALS:

• cloudrunv2: removed template.containers.depends_on within resource google_cloud_run_v2_worker_pool #23815
• colab: removed post_startup_script_config field from from google_colab_runtime_template resource #24026
• compute: removed field enable_flow_logs from google_compute_subnetwork #23704
• gkehub: removed configmanagement.binauthz field in google_gke_hub_feature_membership #24076
• gkehub: removed description field in google_gke_hub_membership #23587
• memorystore: removed allow_fewer_zones_deployment field from google_memorystore_instance resource because it isn't user-configurable #24079
• redis: removed allow_fewer_zones_deployment field from google_redis_cluster resource because it isn't user-configurable #24079
• resourcemanager: removed non-functional project field from google_service_account_key datasource #24000
• vertexai: removed enable_secure_private_service_connect in google_vertex_ai_endpoint #23843

BREAKING INCREASED VALIDATION:

• cloudfunctions2: made event_type a required field for event_trigger in google_cloudfunctions2_function #23918
• networkservices: made load_balancing_scheme required in google_network_services_lb_traffic_extension #23748
• sql: made password_wo_version required when password_wo is set in google_sql_user #24083
• storage: added validation requiring the topic field to be in the form "projects//topics/" in google_storage_notification #24135
• storagetransfer: added path validation for GCS path source and sink in google_storage_transfer_job #23493
• vertexai: made metadata, and metadata.config required in google_vertex_ai_index. Resource creation would fail without these attributes already, so no change is necessary to existing configurations. #23971

OTHER BREAKING CHANGES:

• alloydb: added deletion_protection field with a default value of true to google_alloydb_cluster resource #24024
• apigee: changed certs_info field in google_apigee_keystores_aliases_key_cert_file to be output-only #24135
• apigee: migrated google_apigee_keystores_aliases_key_cert_file to the plugin framework #24135
• artifactregistry: removed the default values for public_repository fields in google_artifact_registry_repository. If your state is reliant on them, they will now need to be manually included in your configuration. #23970
• bigquery: removed the default value of view.use_legacy_sql in google_bigquery_table #24065
• bigtable: renamed instance to instance_name for bigtable_table_iam objects #23399
• billing: made budget_filter.credit types and budget_filter.subaccounts no longer optional+computed, only optional, in google_billing_budget resource #24078
• cloudfunctions2: changed service_config.service field in google_cloudfunctions2_function resource to be output-only #23790
• compute: subnetworks and instances fields in google_compute_packet_mirroring have been converted from arrays to sets #24021
• compute: advertised_ip_ranges field group in google_compute_router has been converted from a list to a set #24030
• compute: disk.type, disk.mode and disk.interface no longer use provider configured default values and instead will be set by the API in google_compute_instance_template and google_compute_region_instance_template resources #24055
• provider: fixed many import functions throughout the provider that erroneously matched a subset of the provided input, leading to unclear error messages when using terraform input with invalid resource IDs. #24010
• resourcemanager: changed disable_on_destroy default value to false in google_project_service #23951
• securesourcemanager: changed deletion_policy default value from DELETE to PREVENT #23963
• storage: retention_period field in google_storage_bucket has been converted from int to string data type #23535
• storage: migrated google_storage_notification to the plugin framework #24135

FEATURES:

• New Data Source: google_artifact_registry_npm_package (#24072)
• New Data Source: google_certificate_manager_dns_authorization (#24009)
• New Resource: google_iap_web_region_forwarding_rule_service_iam_binding (#24041)
• New Resource: google_iap_web_region_forwarding_rule_service_iam_member (#24041)
• New Resource: google_iap_web_region_forwarding_rule_service_iam_policy (#24041)
• New Resource: google_saas_runtime_saas (#24028)

IMPROVEMENTS:

• cloudbuild: added developer_connect_event_config field to google_cloudbuild_trigger resource (#24043)
• cloudtasks: added desired_state field to google_cloud_tasks_queue resource (#24053)
• cloudrunv2: added max_instance_count field to google_cloud_run_v2_service resource. (#24031)
• compute: added params.resourceManagerTags field to the google_compute_backend_service (#24062)
• compute: added params.resource_manager_tags field to google_compute_backend_bucket (#24068)
• compute: added short_name field to google_compute_organization_security_policy resource (#24059)
• container: added cluster_autoscaling.default_compute_class_enabled field to google_container_cluster resource (#24023)
• dialogflowcx: added enableMultiLanguageTraining, locked, answerFeedbackSettings, personalizationSettings, clientCertificateSettings, startPlaybook, satisfiesPzs, and satisfiesPzi to google_dialogflow_cx_agent resource. (#24007)
• lustre: increased google_lustre_instance resource create timeout to 120m from 20m (#24056)
• oracledatabase: enabled default_from_api flag for ODB Network related fields in google_oracle_database_cloud_vm_cluster resource (#24045)
• sql: added feature to restore google_sql_database_instance using backupdr_backup ([#24066](https://github.com/h...

BUG FIXES:

• container: fixed issue where a failed creation on google_container_node_pool would result in an unrecoverable tainted state (#10586)

BUG FIXES:

• secretmanager: fixed issue where upgrading to 6.49.0 would cause all google_secret_manager_secret_version resources to be recreated unless secret_data_wo_version was set
  (#24061)

DEPRECATIONS:

• beyondcorp: google_beyondcorp_application_iam_binding, google_beyondcorp_application_iam_member and google_beyondcorp_application_iam_policy IAM resources, and the google_beyondcorp_application_iam_policy datasource have been deprecated and will be removed in the upcoming major release (#23995)
• tpu: deprecated google_tpu_tensorflow_versions data source. Use google_tpu_v2_runtime_versions instead. (#23958)

BREAKING CHANGES:

• vertexai: made the metadata field required in google_vertex_ai_index (#23953)

FEATURES:

• New Data Source: google_artifact_registry_tag (#23994)
• New Data Source: google_artifact_registry_tags (#23969)
• New Resource: google_dialogflow_convesation_profile (#23996)

IMPROVEMENTS:

• apikeys: added service_account_email to google_apikeys_key (#24001)
• compute: added advanced_options_config field to google_compute_region_security_policy resource (#23914)
• container: added eviction_soft, eviction_soft_grace_period, eviction_minimum_reclaim, eviction_max_pod_grace_period_seconds, max_parallel_image_pulls, transparent_hugepage_enabled, transparent_hugepage_defrag and min_node_cpus fields to node_config block of google_container_node_pool and google_container_cluster resources (#23973)
• networkmanagement: added subnet and network fields to the google_network_management_vpc_flow_logs_config resource (beta) (#23945)
• networkmanagement: added output-only field target_resource_state to the google_network_management_vpc_flow_logs_config resource (#23945)
• resourcemanager: added management_project and configured_capabilities fields to the google_folder resource. (#23983)

BUG FIXES:

• cloud_tasks: set name field set to required in google_cloud_tasks_queue resource (#23997)
• clouddeploy: allowed sending weekly_windows.start_time as an empty object in order to use default values in thegoogle_clouddeploy_deploy_policy resource (#23993)
• kms: skip_initial_version_creation field is no longer immutable in google_kms_crypto_key, but is still only settable at-creation (#23984)
• netapp: fixed bug where google_netapp_volume.large_capacity was not properly marked as immutable, causing updates to fail (and making it impossible to change the field value after creation) (#24004)
• networkconnectivity: added update support for linked_vpc_network in google_network_connectivity_spoke (#23949)

FEATURES:

• New Data Source: google_artifact_registry_package (#23901)
• New Data Source: google_artifact_registry_repositories (#23906)
• New Data Source: google_artifact_registry_version (#23868)
• New Resource: google_dialogflow_cx_playbook (initial basic support, full features to follow in a later release) (#23895)
• New Resource: google_vertexai_rag_engine_config (#23889)

IMPROVEMENTS:

• backupdr: added log_retention_days field to google_backup_dr_backup_plan resource (#23846)
• compute: added advanced_options_config field to google_compute_region_security_policy resource (#23914)
• compute: added ha_policy field to google_compute_region_backend_service resource (#23905)
• compute: added the ability to use global target forwarding rule for target_service field in google_compute_service_attachment resource (#23892)
• container: added boot_disk to node_config in google_container_cluster and google_container_node_pool resources (#23840)
• container: added node_config.kubelet_config.single_process_oom_kill field to google_container_node_pool and google_container_cluster resources (#23844)
• container: added in-place update support for user_managed_keys_config field in google_container_cluster resource (#23883)
• dataproc: added cluster_config.cluster_tier field to google_dataproc_cluster resource (#23830)
• gkeonprem: added enable_advanced_cluster field to google_gkeonprem_vmware_admin_cluster resource (#23908)
• memorystore: added allow_fewer_zones_deployment field to google_memorystore_instance resource (#23845)
• sql: added field psa_write_endpoint flag to google_sql_database_instance resource (#23867)
• sql: added network_attachment_uri field to google_sql_database_instance resource (#23894)
• sql: added node_count field to sql_database_instance resource, and added new value READ_POOL_INSTANCE enum to the instance_type field of sql_database_instance resource (#23897)
• storagetransfer: added federated_identity_config field to google_storage_transfer_job resource (#23900)
• storagetransfer: added transfer_spec.aws_s3_data_source.cloudfront_domain field to google_storage_transfer_job resource (#23887)

BUG FIXES:

• accesscontextmanager: made scopes field as immutable for access_context_manager_access_policy resource. (#23886)
• bigquery: fixed handling of non-legacy roles for access block inside google_bigquery_dataset (#23898)
• container: fixed an issue causing errors during updates to node_config to be suppressed in google_container_cluster and google_container_node_pool (#23842)

DEPRECATIONS:

• compute: deprecated network_self_link field in google_compute_subnetworks data source. Use network_name instead. (#23753)
• resourcemanager: deprecated project field in google_service_account_key data source. The field is non functional and can safely be removed from your configuration. (#23813)

FEATURES:

• New Data Source: google_artifact_registry_docker_images (#23751)
• New Resource: google_apigee_security_action (#23721)
• New Resource: google_developer_connect_insights_config (#23789)
• New Resource: google_discovery_engine_cmek_config (#23745)
• New Resource: google_iam_workforce_pool_iam_binding (#23784)
• New Resource: google_iam_workforce_pool_iam_member (#23784)
• New Resource: google_iam_workforce_pool_iam_policy (#23784)

IMPROVEMENTS:

• backupdr: added backup_retention_inheritance field to google_backup_dr_backup_vault resource (#23817)
• bigqueryanalyticshub: added commercial_info and delete_commercial fields in google_bigquery_analytics_hub_listing resource (#23731)
• bigqueryanalyticshub: added discovery_type field to google_bigquery_analytics_hub_data_exchange resource (#23801)
• bigqueryanalyticshub: added state, discovery_type, and allow_only_metadata_sharing fields to google_bigquery_analytics_hub_listing resource (#23801)
• cloudfunction: added automatic_update_policy and on_deploy_update_policy to google_cloudfunctions_function resource (#23819)
• cloudrunv2: added gpu_zonal_redundancy_disabled field to google_cloud_run_v2_job resource. (#23811)
• compute: added labels field to google_compute_storage_pool resource (#23783)
• compute: added network_name field to google_compute_subnetworks data source (#23753)
• container: added ip_allocation_policy.additional_ip_ranges_config field to google_container_cluster resource (#23828)
• container: added network_config.additional_node_network_configs.subnetwork field to google_container_node_pool resource (#23828)
• container: added addons_config.lustre_csi_driver_config field to google_container_cluster resource (#23729)
• container: added support for rbac_binding_config in google_container_cluster (#23812)
• dataproc: added cluster_config.cluster_tier field to google_dataproc_cluster resource (#23830)
• looker: added LOOKER_CORE_TRIAL_STANDARD, LOOKER_CORE_TRIAL_ENTERPRISE, and LOOKER_CORE_TRIAL_EMBED editions to google_looker_instance resource. (#23785)
• managedkafka: added tls_config field to google_managed_kafka_cluster resource (#23749)
• memorystore: added allow_fewer_zones_deployment field to google_redis_cluster resource (#23800)
• storage: added deletion_policy field to google_storage_bucket_object resource (#23816)
• vertexai: added custom_delete field to google_vertex_ai_endpoint_with_model_garden_deployment resource (#23788)

BUG FIXES:

• bigquery: fixed a crash in google_bigquery_table when configured as an external table with parquet_options (#23808)
• cloudrunv2: fixed an issue where manual_instance_count was unable to set to 0 in google_cloud_run_v2_worker_pool. (#23798)
• composer: fixed updates failing for recovery_config with explicitly disabled scheduled snapshots (#23715)
• iap: fixed an issue where deleting google_iap_settings without setting GOOGLE_PROJECT incorrectly failed (#23724)
• storage: removed client-side GCS name validations for google_storage_bucket (#23719)

FEATURES:

• New Data Source: google_storage_insights_dataset_config (#23709)
• New Resource: google_apigee_api_product (#23648)
• New Resource: google_discovery_engine_recommendation_engine (#23692)
• New Resource: google_oracle_database_odb_network (#23675)
• New Resource: google_oracle_database_odb_subnet (#23694)
• New Resource: google_storage_insights_dataset_config (#23707)

IMPROVEMENTS:

• compute: added params.resourceManagerTags field to the google_compute_router (#23690)
• compute: added in-place update support for provisioned_iops, provisioned_throughput, and access_mode fields in google_compute_region_disk resource (#23697)
• dataproc: added authentication_config field to google_dataproc_batch and google_dataproc_session_template resource (#23644)
• dataproc: added idle_ttl field to google_dataproc_session_template resource (#23680)
• networkconnectivity: added field allocation_options to resource google_network_connectivity_internal_range (#23687)
• oracledatabase: added odb_network and odb_subnet fields, and made network and cidr fields optional in google_oracle_database_autonomous_database resource (#23686)
• oracledatabase: added odb_network, odb_subnet and backup_odb_subnet fields, and made network, cidr and backup_subnet_cidr fields optional in google_oracle_database_cloud_vm_cluster resource (#23688)
• secretmanager: added tags field to google_secret_manager_regional_secret to allow setting tags for regional_secrets at creation time (#23706)
• securesourcemanager: added deletion_policy field to google_secure_source_manager_repository resource (#23693)
• workbench: added enable_managed_euc field to google_workbench_instance resource. (#23682)
• workbench: added reservation_affinity field to google_workbench_instance resource. (#23676)

BUG FIXES:

• composer: fixed updates failing for google_composer_environment recovery_config with explicitly disabled scheduled snapshots (#23715)
• datastore: fixed a permadiff with google_datastream_connection_profile's create_without_validation field (#23711)
• memorystore: fixed bug to allow google_memorystore_instance to be used with no provider default region or with a location that doesn't match the provider default region. (#23666)
• networkconnectivity: fixed instances[].ip_address & instances[].virtual_machine fields in linked_router_appliance_instances block being incorrectly treated as immutable for google_network_connectivity_spoke resource (#23705)
• resourcemanager: updated service account creation to prevent failures due to eventual consistency in google_service_account resource (#23639)
• sql: fixed a provider crash when importing google_sql_database resource (#23643)

DEPRECATIONS:

• gemini: deprecated the disable_web_grounding field in the google_gemini_gemini_gcp_enablement_setting resource (#23581)

FEATURES:

• New Resource: google_bigtable_schema_bundle (#23585)
• New Resource: google_compute_preview_feature (#23631)
• New Resource: google_dialogflow_cx_generator (#23605)
• New Resource: google_model_armor_floorsetting (#23621)
• New Resource: google_vertex_ai_endpoint_with_model_garden_deployment (#23632)

IMPROVEMENTS:

• accesscontextmanager: added name to google_access_context_manager_gcp_user_access_binding resource (#23638)
• apigee: marked the field access_logging_config immutable in google_apigee_instance resource (#23571)
• bigquery: added ignore_auto_generated_schema virtual field to google_bigquery_table resource to ignore server-added columns in the schema field (#23633)
• cloudrunv2: added field node_selector in google_cloud_run_v2_job (#23586)
• compute: added params.resourceManagerTags field to the google_compute_subnetwork (#23618)
• compute: added rule.match.src_secure_tags, rule.target_secure_tags, predefined_rules.match.src_secure_tags and predefined_rules.target_secure_tags fields to google_compute_firewall_policy_with_rules resource (#23635)
• dataproc: added cluster_config.security_config.identity_config field to google_dataproc_cluster resource (#23613)
• dataproc: updated cluster_config.gce_cluster_config.metadata field to be computed in google_dataproc_cluster resource (#23613)
• dialogflowcx: added flexible support to google_dialogflow_cx_webhook resource. (#23582)
• gemini: added web_grounding_type field to google_gemini_gemini_gcp_enablement_setting resource (#23581)
• netapp: added in-place update support for allow_auto_tiering field in google_netapp_storage_pool resource (#23614)
• secretmanager: added tags field to google_secret_manager_secret to allow setting tags for secrets at creation time (#23625)
• securesourcemanager: added deletion_policy field to google_secure_source_manager_instance resource (#23606)
• sql: added network_attachment_uri field to google_sql_database_instance (#23615)
• vmwareengine: added GOOGLE_CLOUD_NETAPP_VOLUMES peering type to resource google_vmwareengine_network_peering (#23628)

BUG FIXES:

• modelarmor: fixed conflicting field validation for filter_config.sdp_settings on google_model_armor_template (#23626)
• resourcemanager: updated service account creation to prevent failures due to eventual consistency in google_service_account resource (#23639)

FEATURES:

• New Data Source: google_compute_network_attachment (#23570)
• New Data Source: google_firestore_document (#23553)
• New Resource: google_backup_dr_service_config (#23552)
• New Resource: google_bigquery_analytics_hub_data_exchange_subscription (#23560)
• New Resource: google_gkeonprem_vmware_admin_cluster (#23554)
• New Resource: google_network_security_backend_authentication_config (#23555)

IMPROVEMENTS:

• alloydb: added machine_config.machine_type field to google_alloydb_instance resource (#23562)
• apigee: added access_logging_config field to google_apigee_instance resource (#23522)
• apigee: marked access_logging_config field immutable in google_apigee_instance resource (#23571)
• backupdr: added in-place update support for google_backup_dr_backup_plan resource (#23537)
• compute: added params.resource_manager_tags field to google_compute_firewall resource (#23524)
• compute: added application_aware_interconnect and aai_enabled fields to google_compute_interconnect resource (#23567)
• compute: added load_balancing_scheme field to google_compute_backend_bucket resource (#23499)
• compute: added provisioned_iops and provisioned_throughput fields to google_compute_region_disk resource (#23551)
• compute: added specific_reservation.source_instance_template, delete_at_time, delete_after_duration.seconds, delete_after_duration.nanos and reservation_sharing_policy.service_share_type fields to google_compute_reservation resource (#23561)
• firestore: added tags field to google_firestore_database resource (#23569)
• securesourcemanager: added in-place update support for description field in google_secure_source_manager_repository resource (#23557)
• storage: added force_empty_content_type field to google_storage_bucket_object resource (#23568)

BUG FIXES:

• artifactregistry: fixed an issue where changes to cleanup_policies were not being applied correctly in google_artifact_registry_repository resource (#23556)
• iambeta: fixed perma-diff for jwks_json field when GCP normalizes JSON formatting in google_iam_workload_identity_pool_provider resource (#23526)