fix: remove unused vars, add upgrade guide (#596)

BREAKING CHANGE: Some unused variables were removed. See the upgrade guide for details.
BREAKING CHANGE: Buckets now enable uniform bucket-level access by default. See the upgrade guide for details.

Author: bharathkkb

README.md

@@ -126,7 +126,6 @@ determining that location is as follows:
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
 | consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
-| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
 | default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |
@@ -136,7 +135,6 @@ determining that location is as follows:
 | grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | group\_name | A group to control the project by being assigned group\_role (defaults to project editor) | `string` | `""` | no |
 | group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
-| impersonate\_service\_account | An optional service account to impersonate. This cannot be used with credentials\_path. If this service account is not specified and credentials\_path is absent, the module will use Application Default Credentials. | `string` | `""` | no |
 | labels | Map of labels for project | `map(string)` | `{}` | no |
 | lien | Add a lien on the project to prevent accidental deletion | `bool` | `false` | no |
 | name | The name for the project | `string` | n/a | yes |

docs/upgrading_to_project_factory_v11.0.md

@@ -0,0 +1,32 @@
+# Upgrading to Project Factory v11.0
+
+The v11.0 release of Project Factory is a backwards incompatible release.
+
+## Migration Instructions
+
+### Unused variables have been removed
+
+Variables `credentials_path` and `impersonate_service_account` have been removed as we have removed the need for gcloud and local-execs in [v10.0](https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/docs/upgrading_to_project_factory_v10.0.md). This change should be no-op.
+
+```diff
+ module "project-factory" {
+   source  = "terraform-google-modules/project-factory/google"
+-  version = "~> 10.0"
++  version = "~> 11.0"
+
+   name                            = "pf-test-1"
+   random_project_id               = "true"
+   org_id                          = "1234567890"
+   usage_bucket_name               = "pf-test-1-usage-report-bucket"
+   usage_bucket_prefix             = "pf/test/1/integration"
+   billing_account                 = "ABCDEF-ABCDEF-ABCDEF"
+-  credentials_path                = "..."
+-  impersonate_service_account     = "..."
+ }
+```
+
+### Uniform Bucket Level Access is enabled by default
+
+Uniform Bucket Level Access is enabled by default and controlled by the `bucket_ula` variable.
+
+If you want to keep Uniform Bucket Level Access disabled, this variable should be set to false.

examples/gke_shared_vpc/README.md

@@ -29,7 +29,6 @@ More information about GKE with Shared VPC can be found here: https://cloud.goog
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | billing\_account | billing account | `any` | n/a | yes |
-| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | `any` | n/a | yes |
 | org\_id | organization id | `any` | n/a | yes |
 | shared\_vpc | The ID of the host project which hosts the shared VPC | `any` | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$PROJECT\_ID/regions/$REGION/subnetworks/$SUBNET\_ID) | `list(string)` | `[]` | no |

examples/gke_shared_vpc/main.tf

@@ -14,18 +14,12 @@
  * limitations under the License.
  */
 
-locals {
-  credentials_file_path = var.credentials_path
-}
-
 provider "google" {
-  credentials = file(local.credentials_file_path)
-  version     = "~> 3.30"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  credentials = file(local.credentials_file_path)
-  version     = "~> 3.30"
+  version = "~> 3.30"
 }
 
 provider "null" {
@@ -44,6 +38,5 @@ module "project-factory" {
   billing_account      = var.billing_account
   svpc_host_project_id = var.shared_vpc
   activate_apis        = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com"]
-  credentials_path     = local.credentials_file_path
   shared_vpc_subnets   = var.shared_vpc_subnets
 }

examples/gke_shared_vpc/variables.tf

@@ -14,10 +14,6 @@
  * limitations under the License.
  */
 
-variable "credentials_path" {
-  description = "Path to a Service Account credentials file with permissions documented in the readme"
-}
-
 variable "org_id" {
   description = "organization id"
 }

examples/group_project/README.md

@@ -22,7 +22,6 @@ Expected variables:
 | admin\_email | Admin user email on Gsuite. This should be a user account, not a service account. | `any` | n/a | yes |
 | api\_sa\_group | An existing G Suite group email to place the Google APIs Service Account for the project in | `any` | n/a | yes |
 | billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
-| credentials\_file\_path | Service account json auth path | `any` | n/a | yes |
 | organization\_id | The organization id for the associated services | `any` | n/a | yes |
 | project\_group\_name | The name of a G Suite group to create for controlling the project | `any` | n/a | yes |
 

examples/group_project/main.tf

@@ -14,25 +14,18 @@
  * limitations under the License.
  */
 
-locals {
-  credentials_file_path = var.credentials_file_path
-}
-
 /******************************************
   Provider configuration
  *****************************************/
 provider "google" {
-  credentials = file(local.credentials_file_path)
-  version     = "~> 3.30"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  credentials = file(local.credentials_file_path)
-  version     = "~> 3.30"
+  version = "~> 3.30"
 }
 
 provider "gsuite" {
-  credentials             = file(local.credentials_file_path)
   impersonated_user_email = var.admin_email
 
   oauth_scopes = [
@@ -57,7 +50,6 @@ module "project-factory" {
   name              = "group-sample-project"
   org_id            = var.organization_id
   billing_account   = var.billing_account
-  credentials_path  = local.credentials_file_path
   create_group      = true
   group_name        = var.project_group_name
   api_sa_group      = var.api_sa_group

examples/group_project/variables.tf

@@ -18,10 +18,6 @@ variable "admin_email" {
   description = "Admin user email on Gsuite. This should be a user account, not a service account."
 }
 
-variable "credentials_file_path" {
-  description = "Service account json auth path"
-}
-
 variable "organization_id" {
   description = "The organization id for the associated services"
 }

examples/project-hierarchy/README.md

@@ -27,7 +27,6 @@ Expected variables:
 |------|-------------|------|---------|:--------:|
 | admin\_email | Admin user email on Gsuite | `any` | n/a | yes |
 | billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
-| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
 | organization\_id | The organization id for the associated services | `any` | n/a | yes |
 
 ## Outputs

examples/project-hierarchy/main.tf

@@ -14,25 +14,18 @@
  * limitations under the License.
  */
 
-locals {
-  credentials_file_path = var.credentials_path
-}
-
 /******************************************
   Provider configuration
  *****************************************/
 provider "google" {
-  credentials = file(local.credentials_file_path)
-  version     = "~> 3.30"
+  version = "~> 3.30"
 }
 
 provider "google-beta" {
-  credentials = file(local.credentials_file_path)
-  version     = "~> 3.30"
+  version = "~> 3.30"
 }
 
 provider "gsuite" {
-  credentials             = file(local.credentials_file_path)
   impersonated_user_email = var.admin_email
 
   oauth_scopes = [
@@ -63,7 +56,6 @@ module "project-prod-gke" {
   org_id            = var.organization_id
   billing_account   = var.billing_account
   folder_id         = google_folder.prod.id
-  credentials_path  = local.credentials_file_path
 }
 
 module "project-factory" {
@@ -73,5 +65,4 @@ module "project-factory" {
   org_id            = var.organization_id
   billing_account   = var.billing_account
   folder_id         = google_folder.prod.id
-  credentials_path  = local.credentials_file_path
 }