Merge branch 'main' into MemorystoreInstanceReplication

Author: NA2047

.ci/infra/terraform/main.tf

@@ -410,6 +410,14 @@ resource "google_project_service_identity" "progressiverollout_sa" {
   service = "progressiverollout.googleapis.com"
 }
 
+resource "google_project_service_identity" "parametermanager_sa" {
+  provider = google-beta
+  depends_on = [module.project-services]
+
+  project = google_project.proj.project_id
+  service = "parametermanager.googleapis.com"
+}
+
 # TestAccComposerEnvironment_fixPyPiPackages
 # TestAccComposerEnvironmentComposer2_private
 # TestAccComposerEnvironment_withEncryptionConfigComposer1

.ci/magician/github/membership_data.go

@@ -96,7 +96,12 @@ var (
 			vacations: []Vacation{},
 		},
 		"shuyama1": {
-			vacations: []Vacation{},
+			vacations: []Vacation{
+				{
+					startDate: newDate(2025, 3, 26),
+					endDate:   newDate(2025, 4, 1),
+				},
+			},
 		},
 		"SirGitsalot": {
 			vacations: []Vacation{

mmv1/products/bigqueryreservation/ReservationAssignment.yaml

@@ -84,7 +84,7 @@ properties:
   - name: 'jobType'
     type: String
     description: |
-      Types of job, which could be specified when using the reservation. Possible values: JOB_TYPE_UNSPECIFIED, PIPELINE, QUERY
+      Types of job, which could be specified when using the reservation. Possible values: JOB_TYPE_UNSPECIFIED, PIPELINE, QUERY, CONTINUOUS
     required: true
   - name: 'state'
     type: String

mmv1/products/cloudfunctions2/Function.yaml

@@ -653,6 +653,10 @@ properties:
                     description: |
                       Relative path of the file under the mount path where the secret value for this version will be fetched and made available. For example, setting the mountPath as '/etc/secrets' and path as secret_foo would mount the secret value file at /etc/secrets/secret_foo.
                     required: true
+      - name: 'binaryAuthorizationPolicy'
+        type: String
+        description: |
+          The binary authorization policy to be checked when deploying the Cloud Run service.
   - name: 'eventTrigger'
     type: NestedObject
     description: |

mmv1/products/cloudrun/Service.yaml

@@ -76,7 +76,6 @@ examples:
   - name: 'cloud_run_service_gpu'
     primary_resource_id: 'default'
     primary_resource_name: 'fmt.Sprintf("tf-test-cloudrun-srv%s", context["random_suffix"])'
-    min_version: 'beta'
     vars:
       cloud_run_service_name: 'cloudrun-srv'
     test_env_vars:
@@ -322,10 +321,14 @@ properties:
                     for connections to the Revision.
                   - `run.googleapis.com/startup-cpu-boost` sets whether to allocate extra CPU to containers on startup.
                     See https://cloud.google.com/sdk/gcloud/reference/run/deploy#--[no-]cpu-boost.
+                  - `run.googleapis.com/network-interfaces` sets [Direct VPC egress](https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#yaml)
+                    for the Revision.
                   - `run.googleapis.com/vpc-access-connector` sets a [VPC connector](https://cloud.google.com/run/docs/configuring/connecting-vpc#terraform_1)
                     for the Revision.
                   - `run.googleapis.com/vpc-access-egress` sets the outbound traffic to send through the VPC connector for this resource.
                     See https://cloud.google.com/sdk/gcloud/reference/run/deploy#--vpc-egress.
+                  - `run.googleapis.com/gpu-zonal-redundancy-disabled` sets
+                    [GPU zonal redundancy](https://cloud.google.com/run/docs/configuring/services/gpu-zonal-redundancy) for the Revision.
                 default_from_api: true
                 diff_suppress_func: 'cloudrunTemplateAnnotationDiffSuppress'
               - name: 'name'
@@ -762,7 +765,6 @@ properties:
                   Node Selector describes the hardware requirements of the resources.
                   Use the following node selector keys to configure features on a Revision:
                     - `run.googleapis.com/accelerator` sets the [type of GPU](https://cloud.google.com/run/docs/configuring/services/gpu) required by the Revision to run.
-                min_version: 'beta'
               - name: 'containerConcurrency'
                 type: Integer
                 description: |-

mmv1/products/cloudrunv2/Service.yaml

@@ -98,7 +98,6 @@ examples:
   - name: 'cloudrunv2_service_gpu'
     primary_resource_id: 'default'
     primary_resource_name: 'fmt.Sprintf("tf-test-cloudrun-srv%s", context["random_suffix"])'
-    min_version: 'beta'
     vars:
       cloud_run_service_name: 'cloudrun-service'
     ignore_read_extra:
@@ -960,13 +959,15 @@ properties:
       - name: 'nodeSelector'
         type: NestedObject
         description: Node Selector describes the hardware requirements of the resources.
-        min_version: 'beta'
         properties:
           - name: 'accelerator'
             type: String
             description:
               The GPU to attach to an instance. See https://cloud.google.com/run/docs/configuring/services/gpu for configuring GPU.
             required: true
+      - name: 'gpuZonalRedundancyDisabled'
+        type: Boolean
+        description: True if GPU zonal redundancy is disabled on this revision.
   - name: 'traffic'
     type: Array
     description: |-

mmv1/products/compute/BackendService.yaml

@@ -127,6 +127,13 @@ examples:
       default_neg_name: 'network-endpoint'
       health_check_name: 'health-check'
       network_name: 'network'
+  - name: 'backend_service_tls_settings'
+    primary_resource_id: 'default'
+    min_version: 'beta'
+    vars:
+      backend_service_name: 'backend-service'
+      health_check_name: 'health-check'
+      authentication_name: 'authentication'
 parameters:
 properties:
   - name: 'affinityCookieTtlSec'
@@ -1466,3 +1473,45 @@ properties:
     description: |
       URL to networkservices.ServiceLbPolicy resource.
       Can only be set if load balancing scheme is EXTERNAL, EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global.
+  - name: 'tlsSettings'
+    type: NestedObject
+    description: |
+      Configuration for Backend Authenticated TLS and mTLS. May only be specified when the backend protocol is SSL, HTTPS or HTTP2.
+    min_version: beta
+    properties:
+      - name: 'sni'
+        type: String
+        description: |
+          Server Name Indication - see RFC3546 section 3.1. If set, the load balancer sends this string as the SNI hostname in the
+          TLS connection to the backend, and requires that this string match a Subject Alternative Name (SAN) in the backend's
+          server certificate. With a Regional Internet NEG backend, if the SNI is specified here, the load balancer uses it
+          regardless of whether the Regional Internet NEG is specified with FQDN or IP address and port.
+      - name: 'subjectAltNames'
+        type: Array
+        description: |
+          A list of Subject Alternative Names (SANs) that the Load Balancer verifies during a TLS handshake with the backend.
+          When the server presents its X.509 certificate to the Load Balancer, the Load Balancer inspects the certificate's SAN field,
+          and requires that at least one SAN match one of the subjectAltNames in the list. This field is limited to 5 entries.
+          When both sni and subjectAltNames are specified, the load balancer matches the backend certificate's SAN only to
+          subjectAltNames.
+        item_type:
+          type: NestedObject
+          properties:
+            - name: 'dnsName'
+              type: String
+              description: The SAN specified as a DNS Name.
+              exactly_one_of:
+                - tlsSettings.0.uniform_resource_identifier
+                - tlsSettings.0.dns_name
+            - name: 'uniformResourceIdentifier'
+              type: String
+              description: The SAN specified as a URI.
+              exactly_one_of:
+                - tlsSettings.0.uniform_resource_identifier
+                - tlsSettings.0.dns_name
+      - name: 'authenticationConfig'
+        type: String
+        description: |
+          Reference to the BackendAuthenticationConfig resource from the networksecurity.googleapis.com namespace.
+          Can be used in authenticating TLS connections to the backend, as specified by the authenticationMode field.
+          Can only be specified if authenticationMode is not NONE.

mmv1/products/compute/PublicDelegatedPrefix.yaml

@@ -39,6 +39,7 @@ sweeper:
   url_substitutions:
     - region: "us-central1"
     - region: "us-west1"
+    - region: "us-east1"
 examples:
   - name: 'public_delegated_prefixes_basic'
     primary_resource_id: 'prefixes'
@@ -59,6 +60,16 @@ examples:
     # PAPs have very low quota limits and a shared testing range so serialized tests exist in:
     # resource_compute_public_advertised_prefix_test.go
     exclude_test: true
+  - name: 'public_delegated_prefix_ipv6_subnet_mode'
+    vars:
+      pap_name: "ipv6-pap"
+      root_pdp_name: "ipv6-root-pdp"
+      sub_pdp_name: "ipv6-sub-pdp"
+    test_env_vars:
+      desc: 'PAP_DESCRIPTION'
+    # PAPs have very low quota limits and a shared testing range so serialized tests exist in:
+    # resource_compute_public_advertised_prefix_test.go
+    exclude_test: true
 parameters:
 properties:
   - name: 'region'
@@ -93,12 +104,14 @@ properties:
     type: Enum
     description: |
       Specifies the mode of this IPv6 PDP. MODE must be one of: DELEGATION,
-      EXTERNAL_IPV6_FORWARDING_RULE_CREATION.
+      EXTERNAL_IPV6_FORWARDING_RULE_CREATION and EXTERNAL_IPV6_SUBNETWORK_CREATION.
     enum_values:
       - 'DELEGATION'
       - 'EXTERNAL_IPV6_FORWARDING_RULE_CREATION'
+      - 'EXTERNAL_IPV6_SUBNETWORK_CREATION'
   - name: 'allocatablePrefixLength'
     type: Integer
+    default_from_api: true
     description:
       The allocatable prefix length supported by this public delegated prefix.
       This field is optional and cannot be set for prefixes in DELEGATION mode.

mmv1/products/compute/RegionNetworkEndpointGroup.yaml

@@ -19,9 +19,13 @@ description: |
   A regional NEG that can support Serverless Products, proxying traffic to
   external backends and providing traffic to the PSC port mapping endpoints.
 
-  Recreating a region network endpoint group that's in use by another resource will give a
-  `resourceInUseByAnotherResource` error. Use `lifecycle.create_before_destroy`
-  to avoid this type of error.
+  When in use by a resource that can be updated, recreating a RegionNetworkEndpointGroup
+  will give a `resourceInUseByAnotherResource` error because Terraform will attempt to
+  delete the  RegionNetworkEndpointGroup first, but an in-use RegionNetworkEndpointGroup
+  can't be deleted in the API. Use `lifecycle.create_before_destroy` to reorder the plan
+  and create the new resource first, allowing the deletion to go through successfully.
+  This is only recommended when strictly necessary, as the `create_before_destroy`
+  directive can be passed onto further dependencies, creating unexpected plans.
 references:
   guides:
     'Serverless NEGs Official Documentation': 'https://cloud.google.com/load-balancing/docs/negs/serverless-neg-concepts'

mmv1/products/compute/Router.yaml

@@ -45,6 +45,8 @@ custom_code:
 custom_diff:
   - 'resourceComputeRouterCustomDiff'
 sweeper:
+  prefixes:
+    - "swg-autogen-router" # Secure Web Proxy(SWP) auto-generated router prefix.
   url_substitutions:
     - region: "us-central1"
     - region: "us-east1"

mmv1/products/compute/UrlMap.yaml

@@ -1729,6 +1729,60 @@ properties:
                       prior to redirecting the request. If set to false, the query portion of the
                       original URL is retained. Defaults to false.
                     default_value: false
+              - name: 'customErrorResponsePolicy'
+                type: NestedObject
+                description: |
+                  customErrorResponsePolicy specifies how the Load Balancer returns error responses when BackendService or BackendBucket responds with an error.
+                min_version: 'beta'
+                properties:
+                  - name: 'errorResponseRule'
+                    type: Array
+                    description: |
+                      Specifies rules for returning error responses.
+                      In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority.
+                      For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX).
+                      If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect.
+                    api_name: errorResponseRules
+                    item_type:
+                      type: NestedObject
+                      properties:
+                        - name: 'matchResponseCodes'
+                          type: Array
+                          description: |
+                            Valid values include:
+
+                            - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value.
+                            - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599.
+                            - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499.
+
+                            Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy.
+                          item_type:
+                            type: String
+                        - name: 'path'
+                          type: String
+                          description: |
+                            The full path to a file within backendBucket . For example: /errors/defaultError.html
+                            path must start with a leading slash. path cannot have trailing slashes.
+                            If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client.
+                            The value must be from 1 to 1024 characters
+                        - name: 'overrideResponseCode'
+                          type: Integer
+                          description: |
+                            The HTTP status code returned with the response containing the custom error content.
+                            If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client.
+                  - name: 'errorService'
+                    type: ResourceRef
+                    description: |
+                      The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are:
+
+                      https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket
+                      compute/v1/projects/project/global/backendBuckets/myBackendBucket
+                      global/backendBuckets/myBackendBucket
+
+                      If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService.
+                      If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured).
+                    resource: 'BackendBucket'
+                    imports: 'selfLink'
         - name: 'defaultUrlRedirect'
           type: NestedObject
           # TODO: (mbang) won't work for array path matchers yet, uncomment here once they are supported.

mmv1/products/datastream/ConnectionProfile.yaml

@@ -102,6 +102,10 @@ examples:
     vars:
       source_connection_profile_id: 'source-profile'
     exclude_test: true
+  - name: 'datastream_connection_profile_postgres_secret_manager'
+    primary_resource_id: 'default'
+    vars:
+      source_connection_profile_id: 'source-profile'
 parameters:
   - name: 'connectionProfileId'
     type: String
@@ -169,9 +173,12 @@ properties:
         type: String
         description: |
           Password for the Oracle connection.
-        required: true
         sensitive: true
         custom_flatten: 'templates/terraform/custom_flatten/datastream_connection_profile_oracle_profile_password.go.tmpl'
+      - name: 'secretManagerStoredPassword'
+        type: String
+        description: |
+          A reference to a Secret Manager resource name storing the user's password.
       - name: 'databaseService'
         type: String
         description: |
@@ -234,9 +241,12 @@ properties:
         type: String
         description: |
           Password for the MySQL connection.
-        required: true
         sensitive: true
         custom_flatten: 'templates/terraform/custom_flatten/datastream_connection_profile_mysql_profile_password.go.tmpl'
+      - name: 'secretManagerStoredPassword'
+        type: String
+        description: |
+          A reference to a Secret Manager resource name storing the user's password.
       - name: 'sslConfig'
         type: NestedObject
         description: |
@@ -332,9 +342,12 @@ properties:
         type: String
         description: |
           Password for the PostgreSQL connection.
-        required: true
         sensitive: true
         custom_flatten: 'templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_password.go.tmpl'
+      - name: 'secretManagerStoredPassword'
+        type: String
+        description: |
+          A reference to a Secret Manager resource name storing the user's password.
       - name: 'database'
         type: String
         description: |
@@ -439,9 +452,12 @@ properties:
         type: String
         description: |
           Password for the SQL Server connection.
-        required: true
         sensitive: true
         custom_flatten: 'templates/terraform/custom_flatten/datastream_connection_profile_sql_server_profile_password.go.tmpl'
+      - name: 'secretManagerStoredPassword'
+        type: String
+        description: |
+          A reference to a Secret Manager resource name storing the user's password.
       - name: 'database'
         type: String
         description: |