feat: per module requirements

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -80,7 +80,7 @@ docker_generate_docs:
 		-e ENABLE_BPMETADATA \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs

metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -75,26 +75,13 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/cloudkms.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/cloudscheduler.admin
           - roles/cloudsql.admin
-          - roles/compute.admin
-          - roles/compute.networkAdmin
           - roles/iam.serviceAccountAdmin
           - roles/iam.serviceAccountUser
-          - roles/monitoring.editor
           - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/workflows.admin
+          - roles/serviceusage.serviceUsageAdmin
     services:
-      - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - cloudscheduler.googleapis.com
-      - compute.googleapis.com
       - iam.googleapis.com
-      - monitoring.googleapis.com
-      - servicenetworking.googleapis.com
       - serviceusage.googleapis.com
       - sqladmin.googleapis.com
-      - workflows.googleapis.com

modules/backup/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -61,10 +61,21 @@ spec:
         location: examples/private_service_access
   interfaces:
     variables:
-      - name: backup_monitoring_frequency
-        description: Timeframe in which there should be at least one successfull backup
+      - name: region
+        description: The region where to run the workflow
         varType: string
-        defaultValue: 1d
+        defaultValue: us-central1
+      - name: service_account
+        description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that
+        varType: string
+      - name: project_id
+        description: The project ID
+        varType: string
+        required: true
+      - name: sql_instance
+        description: The name of the SQL instance to backup
+        varType: string
+        required: true
       - name: backup_retention_time
         description: The number of days backups should be kept
         varType: number
@@ -73,69 +84,88 @@ spec:
         description: The max amount of backups to list when fetching internal backup runs for the instance. This number must be larger then the amount of backups you wish to keep. E.g. for a daily backup schedule and a backup_retention_time of 30 days, you'd need to set this to at least 31 for old backups to get deleted.
         varType: number
         defaultValue: 31
+      - name: scheduler_timezone
+        description: The Timezone in which the Scheduler Jobs are triggered
+        varType: string
+        defaultValue: Etc/GMT
       - name: backup_schedule
         description: The cron schedule to execute the internal backup
         varType: string
         defaultValue: 45 2 * * *
+      - name: export_schedule
+        description: The cron schedule to execute the export to GCS
+        varType: string
+        defaultValue: 15 3 * * *
+      - name: enable_internal_backup
+        description: Wether to create internal backups with this module
+        varType: bool
+        defaultValue: true
+      - name: enable_export_backup
+        description: Weather to create exports to GCS Buckets with this module
+        varType: bool
+        defaultValue: true
+      - name: export_databases
+        description: The list of databases that should be exported - if is an empty set all databases will be exported
+        varType: set(string)
+        defaultValue: []
+      - name: export_uri
+        description: The bucket and path uri for exporting to GCS
+        varType: string
+        required: true
       - name: compress_export
         description: Whether or not to compress the export when storing in the bucket; Only valid for MySQL and PostgreSQL
         varType: bool
         defaultValue: true
+      - name: enable_connector_params
+        description: Whether to enable connector-specific parameters for Google Workflow SQL Export.
+        varType: bool
+        defaultValue: false
       - name: connector_params_timeout
         description: The end-to-end duration the connector call is allowed to run for before throwing a timeout exception. The default value is 1800 and this should be the maximum for connector methods that are not long-running operations. Otherwise, for long-running operations, the maximum timeout for a connector call is 31536000 seconds (one year).
         varType: number
         defaultValue: 1800
-      - name: create_notification_channel
-        description: If set to true it will create email notification channel
+      - name: unique_suffix
+        description: Unique suffix to add to scheduler jobs and workflows names.
+        varType: string
+        defaultValue: ""
+      - name: log_db_name_to_export
+        description: Whether or not to log database name in the export workflow
         varType: bool
         defaultValue: false
-      - name: deletion_protection
-        description: Whether Terraform will be prevented from destroying the workflow.
-        varType: bool
-        defaultValue: true
-      - name: enable_backup_monitoring
-        description: Whether to monitor backup workflows or not
+      - name: use_sql_instance_replica_in_exporter
+        description: Whether or not to use replica instance on exporter workflow.
         varType: bool
         defaultValue: false
-      - name: enable_connector_params
-        description: Whether to enable connector-specific parameters for Google Workflow SQL Export.
+      - name: sql_instance_replica
+        description: The name of the SQL instance replica to export
+        varType: string
+      - name: use_serverless_export
+        description: Whether to use serverless export for DB export
         varType: bool
         defaultValue: false
-      - name: enable_export_backup
-        description: Weather to create exports to GCS Buckets with this module
+      - name: monitoring_email
+        description: Email address to send alerts
+        varType: string
+      - name: enable_backup_monitoring
+        description: Whether to monitor backup workflows or not
         varType: bool
-        defaultValue: true
+        defaultValue: false
+      - name: backup_monitoring_frequency
+        description: Timeframe in which there should be at least one successfull backup
+        varType: string
+        defaultValue: 1d
       - name: enable_export_monitoring
         description: Whether to monitor export workflows or not
         varType: bool
         defaultValue: false
-      - name: enable_internal_backup
-        description: Wether to create internal backups with this module
-        varType: bool
-        defaultValue: true
-      - name: export_databases
-        description: The list of databases that should be exported - if is an empty set all databases will be exported
-        varType: set(string)
-        defaultValue: []
       - name: export_monitoring_frequency
         description: Timeframe in which there should be at least one successfull export
         varType: string
         defaultValue: 1d
-      - name: export_schedule
-        description: The cron schedule to execute the export to GCS
-        varType: string
-        defaultValue: 15 3 * * *
-      - name: export_uri
-        description: The bucket and path uri for exporting to GCS
-        varType: string
-        required: true
-      - name: log_db_name_to_export
-        description: Whether or not to log database name in the export workflow
+      - name: create_notification_channel
+        description: If set to true it will create email notification channel
         varType: bool
         defaultValue: false
-      - name: monitoring_email
-        description: Email address to send alerts
-        varType: string
       - name: notification_channel_name
         description: Name of the email notification channel to be created. Only needed when create_notification_channel is set to true.
         varType: string
@@ -144,40 +174,10 @@ spec:
         description: List of existing notification channels to send alerts to
         varType: list(string)
         defaultValue: []
-      - name: project_id
-        description: The project ID
-        varType: string
-        required: true
-      - name: region
-        description: The region where to run the workflow
-        varType: string
-        defaultValue: us-central1
-      - name: scheduler_timezone
-        description: The Timezone in which the Scheduler Jobs are triggered
-        varType: string
-        defaultValue: Etc/GMT
-      - name: service_account
-        description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that
-        varType: string
-      - name: sql_instance
-        description: The name of the SQL instance to backup
-        varType: string
-        required: true
-      - name: sql_instance_replica
-        description: The name of the SQL instance replica to export
-        varType: string
-      - name: unique_suffix
-        description: Unique suffix to add to scheduler jobs and workflows names.
-        varType: string
-        defaultValue: ""
-      - name: use_serverless_export
-        description: Whether to use serverless export for DB export
-        varType: bool
-        defaultValue: false
-      - name: use_sql_instance_replica_in_exporter
-        description: Whether or not to use replica instance on exporter workflow.
+      - name: deletion_protection
+        description: Whether Terraform will be prevented from destroying the workflow.
         varType: bool
-        defaultValue: false
+        defaultValue: true
     outputs:
       - name: backup_workflow_name
         description: The name for internal backup workflow
@@ -191,26 +191,12 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/cloudkms.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/cloudscheduler.admin
           - roles/cloudsql.admin
-          - roles/compute.admin
-          - roles/compute.networkAdmin
-          - roles/iam.serviceAccountAdmin
           - roles/iam.serviceAccountUser
-          - roles/monitoring.editor
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/workflows.admin
+          - roles/logging.logWriter
     services:
-      - cloudkms.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - cloudscheduler.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - monitoring.googleapis.com
-      - servicenetworking.googleapis.com
       - serviceusage.googleapis.com
       - sqladmin.googleapis.com
-      - workflows.googleapis.com
+    providerVersions:
+      - source: hashicorp/google
+        version: ">= 6.11.0, < 7"

modules/mssql/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -81,6 +81,9 @@ spec:
         description: Sets random suffix at the end of the Cloud SQL resource name
         varType: bool
         defaultValue: false
+      - name: maintenance_version
+        description: The current software version on the instance. This attribute can not be set during creation. Refer to available_maintenance_versions attribute to see what maintenance_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. Setting a maintenance_version value that is older than the current one on the instance will be ignored
+        varType: string
       - name: database_version
         description: "The database version to use: SQLSERVER_2017_STANDARD, SQLSERVER_2017_ENTERPRISE, SQLSERVER_2017_EXPRESS, or SQLSERVER_2017_WEB"
         varType: string
@@ -298,6 +301,19 @@ spec:
         description: Enable or disable the creation of the default user
         varType: bool
         defaultValue: true
+      - name: enable_dataplex_integration
+        description: Enable database Dataplex integration
+        varType: bool
+        defaultValue: false
+      - name: insights_config
+        description: The insights_config settings for the database.
+        varType: |-
+          object({
+              query_plans_per_minute  = optional(number, 5)
+              query_string_length     = optional(number, 1024)
+              record_application_tags = optional(bool, false)
+              record_client_address   = optional(bool, false)
+            })
     outputs:
       - name: additional_users
         description: List of maps of additional users and passwords
@@ -547,29 +563,17 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/cloudkms.admin
-          - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/cloudscheduler.admin
           - roles/cloudsql.admin
-          - roles/compute.admin
-          - roles/compute.networkAdmin
-          - roles/iam.serviceAccountAdmin
           - roles/iam.serviceAccountUser
-          - roles/monitoring.editor
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/workflows.admin
+          - roles/logging.logWriter
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - cloudscheduler.googleapis.com
       - compute.googleapis.com
       - iam.googleapis.com
       - monitoring.googleapis.com
-      - servicenetworking.googleapis.com
       - serviceusage.googleapis.com
       - sqladmin.googleapis.com
-      - workflows.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 5.12, < 7"

modules/mysql/metadata.yaml

@@ -279,6 +279,10 @@ spec:
               retention_unit                 = optional(string)
             })
         defaultValue: {}
+      - name: retain_backups_on_delete
+        description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting.
+        varType: bool
+        defaultValue: false
       - name: insights_config
         description: The insights_config settings for the database.
         varType: |-
@@ -914,35 +918,26 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/cloudkms.admin
-          - roles/cloudkms.autokeyAdmin
+          - roles/iam.serviceAccountUser
+          - roles/compute.networkAdmin
           - roles/cloudkms.cryptoKeyEncrypterDecrypter
-          - roles/cloudscheduler.admin
+          - roles/logging.logWriter
           - roles/cloudsql.admin
-          - roles/compute.admin
-          - roles/compute.networkAdmin
-          - roles/iam.serviceAccountAdmin
-          - roles/iam.serviceAccountUser
-          - roles/monitoring.editor
           - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/workflows.admin
     services:
       - cloudkms.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - cloudscheduler.googleapis.com
       - compute.googleapis.com
       - iam.googleapis.com
       - monitoring.googleapis.com
       - servicenetworking.googleapis.com
       - serviceusage.googleapis.com
       - sqladmin.googleapis.com
-      - workflows.googleapis.com
     providerVersions:
       - source: hashicorp/google
-        version: ">= 6.1, < 7"
+        version: ">= 6.31, < 7"
       - source: hashicorp/google-beta
-        version: ">= 6.1, < 7"
+        version: ">= 6.31, < 7"
       - source: hashicorp/null
         version: ~> 3.1
       - source: hashicorp/random