FEATURES:

• New Resource: google_apigee_environment_addons_config (#20851)
• New Resource: google_beyondcorp_security_gateway (#20844)
• New Resource: google_chronicle_reference_list (beta) (#20895)
• New Resource: google_chronicle_rule_deployment (#20888)
• New Resource: google_chronicle_rule (#20868)
• New Resource: google_colab_runtime_template (#20898)
• New Resource: google_edgenetwork_interconnect_attachment (#20856)
• New Resource: google_parameter_manager_parameter (#20886)
• New Resource: google_parameter_manager_regional_parameter_version (#20914)
• New Resource: google_parameter_manager_regional_parameter (#20858)

IMPROVEMENTS:

• accesscontextmanager: added etag to google_access_context_manager_service_perimeter_resource to prevent overriding list of resources (#20910)
• compute: added BPS_100G enum value to bandwidth field of google_compute_interconnect_attachment. (#20884)
• compute: added support for IPV6_ONLY stack_type to google_compute_subnetwork, google_compute_instance, google_compute_instance_template and google_compute_region_instance_template. (#20850)
• compute: promoted bgp_best_path_selection_mode ,bgp_bps_always_compare_med and bgp_bps_inter_region_cost fields in google_compute_network from Beta to Ga (#20865)
• compute: promoted next_hop_origin ,next_hop_med and next_hop_inter_region_cost output fields in google_compute_route form Beta to GA (#20865)
• discoveryengine: added advanced_site_search_config field to google_discovery_engine_data_store resource (#20912)
• gemini: added force_destroy field to resource google_code_repository_index, enabling deletion of the resource even when it has dependent RepositoryGroups (#20881)
• networkservices: added in-place update support for ports field on google_network_services_gateway resource (#20908)
• sql: sql_source_representation_instance now uses string representation of databaseVersion (#20859)
• sql: added replication_cluster field to google_sql_database_instance resource (#20889)
• sql: added support of switchover for MySQL and PostgreSQL in google_sql_database_instance resource (#20889)
• workbench: changed container_image field of google_workbench_instance resource to modifiable. (#20894)

BUG FIXES:

• apigee: fixed error 404 for organization update requests. (#20854)
• artifactregistry: fixed artifact_registry_repository not accepting durations with 'm', 'h' or 'd' (#20902)
• networkservices: fixed bug where google_network_services_gateway could not be updated in place (#20908)
• storagetransfer: fixed a permadiff with transfer_spec.aws_s3_data_source.aws_access_key in google_storage_transfer_job (#20849)

FEATURES:

• New Resource: google_beyondcorp_security_gateway (#20844)
• New Resource: google_developer_connect_connection (#20823)
• New Resource: google_developer_connect_git_repository_link (#20823)

IMPROVEMENTS:

• compute: promoted standby_policy, target_suspended_size, and target_stopped_size fields in google_compute_region_instance_group_manager and google_compute_instance_group_manager resource from beta to ga (#20821)
• dns: added health_check and external_endpoints fields to google_dns_record_set resource (#20843)
• sql: added server_ca_pool field to google_sql_database_instance resource (#20834)
• vmwareengine: allowed import of non-STANDARD private clouds in google_vmwareengine_private_cloud (#20832)

BUG FIXES:

• dataproc: fixed boolean fields in shielded_instance_config in the google_dataproc_cluster resource (#20828)
• gkeonprem: fixed permadiff on vcenter field in google_gkeonprem_vmware_cluster resource (#20837)
• networkservices: fixed google_network_services_gateway resource so that it correctly waits for the router to be deleted on terraform destroy (#20817)
• provider: fixed issue where GOOGLE_CLOUD_QUOTA_PROJECT env var would override explicit billing_project (#20839)

NOTES:

• compute: google_compute_firewall_policy_association now uses MMv1 engine instead of DCL. (#20744)

DEPRECATIONS:

• compute: deprecated numeric_id (string) field in google_compute_network resource. Use the new network_id (integer) field instead (#20698)

FEATURES:

• New Data Source: google_gke_hub_feature (#20721)
• New Resource: google_storage_folder (#20767)

IMPROVEMENTS:

• artifactregistry: added vulnerability_scanning_config field to google_artifact_registry_repository resource (#20726)
• backupdr: promoted datasource google_backup_dr_backup to ga (#20677)
• backupdr: promoted datasource google_backup_dr_data_source to ga (#20677)
• bigquery: added condition field to google_bigquery_dataset_access resource (#20707)
• bigquery: added condition field to google_bigquery_dataset resource (#20707)
• composer: added airflow_metadata_retention_config field to google_composer_environment (#20769)
• compute: added back the validation for target_service field on the google_compute_service_attachment resource to validade a ForwardingRule or Gateway URL (#20711)
• compute: added availability_domain field to google_compute_instance, google_compute_instance_template and google_compute_region_instance_template resources (#20694)
• compute: added network_id (integer) field to google_compute_network resource and data source (#20698)
• compute: added preset_topology field to google_network_connectivity_hub resource (#20720)
• compute: added subnetwork_id field to google_compute_subnetwork data source (#20666)
• compute: made setting resource policies for google_compute_instance outside of terraform or using google_compute_disk_resource_policy_attachment no longer affect the boot_disk.initialize_params.resource_policies field (#20764)
• container: changed google_container_cluster to apply maintenance policy updates after upgrades during cluster update (#20708)
• container: made nodepool concurrent operations scale better for google_container_cluster and google_container_node_pool resources (#20738)
• datastream: added gtid and binary_log_position fields to google_datastream_stream resource (#20777)
• developerconnect: added support for setting up a google_developer_connect_connection resource without specifying the authorizer_credentials field (#20756)
• filestore: added tags field to google_filestore_backup to allow setting tags for backups at creation time (#20718)
• networkconnectivity: added group field to google_network_connectivity_spoke resource (#20689)
• networkmanagement: promoted google_network_management_vpc_flow_logs_config resource to ga (#20701)
• parallelstore: added deployment_type field to google_parallelstore_instance resource (#20785)
• storagetransfer: added replication_spec field to google_storage_transfer_job resource (#20788)
• workbench: made gcs-data-bucket metadata key modifiable in google_workbench_instance resource (#20728)

BUG FIXES:

• accesscontextmanager: fixed permadiff due to reordering on google_access_context_manager_service_perimeter_dry_run_egress_policy egress_from.identities (#20794)
• accesscontextmanager: fixed permadiff due to reordering on google_access_context_manager_service_perimeter_dry_run_ingress_policy ingress_from.identities (#20794)
• accesscontextmanager: fixed permadiff due to reordering on google_access_context_manager_service_perimeter_egress_policy egress_from.identities (#20794)
• accesscontextmanager: fixed permadiff due to reordering on google_access_context_manager_service_perimeter_ingress_policy ingress_from.identities (#20794)
• apigee: fixed 404 error when updating google_apigee_environment (#20745)
• bigquery: fixed DROP COLUMN error with bigquery flexible column names in google_bigquery_table (#20797)
• compute: allowed Service Attachment with Project Number to be used as google_compute_forwarding_rule.target (#20790)
• compute: fixed an issue where terraform plan -refresh=false with google_compute_ha_vpn_gateway.gateway_ip_version would plan a resource replacement if a full refresh had not been run yet. Terraform now assumes that the value is the default value, IPV4, until a refresh is completed. (#20682)
• compute: fixed panic when zonal resize request fails on google_compute_resize_request (#20734)
• compute: fixed perma-destroy for psc_data in google_compute_region_network_endpoint_group resource (#20783)
• compute: fixed google_compute_instance_guest_attributes to return an empty list when queried values don't exist instead of throwing an error (#20760)
• integrationconnectors: allowed AUTH_TYPE_UNSPECIFIED option in google_integration_connectors_connection resource to support non-standard auth types (#20782)
• logging: fixed bug in google_logging_project_bucket_config when providing project in the format of <project-id-only> (#20709)
• networkconnectivity: made include_export_ranges and exclude_export_ranges fields mutable in google_network_connectivity_spoke to avoid recreation of resources (#20742)
• sql: fixed permadiff when settings.data_cache_config is set to false for google_sql_database_instance resource (#20656)
• storage: made resource_google_storage_bucket_object generate diff for md5hash, generation, crc32c if content changes (#20687)
• vertexai: made contents_delta_uri an optional field in google_vertex_ai_index (#20780)
• workbench: fixed an issue where a server-added metadata tag of "resource-url" would not be ignored on google_workbench_instance (#20717)

BUG FIXES:

• compute: fixed an issue where google_compute_firewall_policy_rule was incorrectly removed from the Terraform state (#20733)

FEATURES:

• New Resource: google_network_security_intercept_deployment_group (#20615)
• New Resource: google_network_security_intercept_deployment (#20634)
• New Resource: google_network_security_authz_policy (#20595)
• New Resource: google_network_services_authz_extension (#20595)

IMPROVEMENTS:

• compute: google_compute_instance is no longer recreated when changing boot_disk.auto_delete (#20580)
• compute: added CA_ENTERPRISE_ANNUAL option for field cloud_armor_tier in google_compute_project_cloud_armor_tier resource (#20596)
• compute: added network_tier field to google_compute_global_forwarding_rule resource (#20582)
• compute: added rule.rate_limit_options.enforce_on_key_configs field to google_compute_security_policy resource (#20597)
• compute: made metadata_startup_script able to be updated via graceful switch in google_compute_instance (#20655)
• container: added field enable_fqdn_network_policy to resource google_container_cluster (#20609)
• firebasehosting: added headers field in google_firebase_hosting_version resource (beta) (#20654)
• identityplatform: marked quota.0.sign_up_quota_config subfields conditionally required in google_identity_platform_config to move errors from apply time up to plan time, and clarified the rule in documentation (#20627)
• networkconnectivity: added support for updating linked_vpn_tunnels.include_import_ranges, linked_interconnect_attachments.include_import_ranges, linked_router_appliance_instances. instances and linked_router_appliance_instances.include_import_ranges in google_network_connectivity_spoke (#20650)
• orgpolicy: added parameters fields to google_org_policy_policy resource (beta) (#20647)
• storage: added hdfs_data_source field to google_storage_transfer_job resource (#20583)
• tpuv2: added network_configs and network_config.queue_count fields to google_tpu_v2_vm resource (#20621)

BUG FIXES:

• accesscontextmanager: fixed an update bug in google_access_context_manager_perimeter by removing the broken output-only etag field in google_access_context_manager_perimeter and google_access_context_manager_perimeters (#20691)
• compute: fixed permadiff on the recaptcha_options field for google_compute_security_policy resource (#20617)
• compute: fixed issue where updating labels on resource_google_compute_resource_policy would fail because of a patch error with guest_flush (#20632)
• networkconnectivity: fixed linked_router_appliance_instances.instances.virtual_machine and linked_router_appliance_instances.instances.ip_address attributes in google_network_connectivity_spoke to be correctly marked as required. Otherwise the request to create the resource will fail. (#20650)
• privateca: fixed an issue which causes error when updating labels for activated sub-CA (#20630)
• sql: fixed permadiff when 'settings.data_cache_config' is set to false for 'google_sql_database_instance' resource (#20656)

NOTES:

• New ephemeral resources google_service_account_access_token, google_service_account_id_token, google_service_account_jwt, google_service_account_key now support ephemeral values.
• iam3: promoted resources google_iam_principal_access_boundary_policy, google_iam_organizations_policy_binding, google_iam_folders_policy_binding and google_iam_projects_policy_binding to GA (#20475)
  DEPRECATIONS:
• gkehub: deprecated configmanagement.config_sync.metrics_gcp_service_account_email in google_gke_hub_feature_membership resource (#20561)

FEATURES:

• New Ephemeral Resource: google_service_account_access_token (#20542)
• New Ephemeral Resource: google_service_account_id_token (#20542)
• New Ephemeral Resource: google_service_account_jwt (#20542)
• New Ephemeral Resource: google_service_account_key (#20542)
• New Data Source: google_backup_dr_backup_vault (#20468)
• New Data Source: google_composer_user_workloads_config_map (GA) (#20478)
• New Data Source: google_composer_user_workloads_secret (GA) (#20478)
• New Resource: google_composer_user_workloads_config_map (GA) (#20478)
• New Resource: google_composer_user_workloads_secret (GA) (#20478)
• New Resource: google_gemini_code_repository_index (#20474)
• New Resource: google_network_security_mirroring_deployment (#20489)
• New Resource: google_network_security_mirroring_deployment_group (#20489)
• New Resource: google_network_security_mirroring_endpoint_group_association (#20489)
• New Resource: google_network_security_mirroring_endpoint_group (#20489)

IMPROVEMENTS:

• accesscontextmanager: added etag to google_access_context_manager_service_perimeter and google_access_context_manager_service_perimeters (#20455)
• alloydb: increased default timeout on google_alloydb_cluster to 120m from 30m (#20547)
• bigtable: added row_affinity field to google_bigtable_app_profile resource (#20435)
• cloudbuild: added private_service_connect field to google_cloudbuild_worker_pool resource (#20561)
• clouddeploy: added associated_entities field to google_clouddeploy_target resource (#20561)
• clouddeploy: added serial_pipeline.strategy.canary.runtime_config.kubernetes.gateway_service_mesh.route_destinations field to google_clouddeploy_delivery_pipeline resource (#20561)
• composer: added multiple composer 3 related fields to google_composer_environment (GA) (#20478)
• compute: google_compute_instance, google_compute_instance_template, google_compute_region_instance_template now supports advanced_machine_features.enable_uefi_networking field (#20531)
• compute: added support for specifying storage pool with name or partial url (#20502)
• compute: added numeric_id to the google_compute_network data source (#20548)
• compute: added threshold_configs field to google_compute_security_policy resource (#20545)
• compute: added server generated id as forwarding_rule_id to google_compute_global_forwarding_rule (#20404)
• compute: added server generated id as health_check_id to google_region_health_check (#20404)
• compute: added server generated id as instance_group_manager_id to google_instance_group_manager (#20404)
• compute: added server generated id as instance_group_manager_id to google_region_instance_group_manager (#20404)
• compute: added server generated id as network_endpoint_id to google_region_network_endpoint (#20404)
• compute: added server generated id as subnetwork_id to google_subnetwork (#20404)
• compute: added the psc_data field to the google_compute_region_network_endpoint_group resource (#20454)
• container: added enterprise_config field to google_container_cluster resource (#20534)
• container: added node_pool_autoconfig.linux_node_config.cgroup_mode field to google_container_cluster resource (#20460)
• dataproc: added autotuning_config and cohort fields to google_dataproc_batch (#20410)
• dataproc: added cluster_config.preemptible_worker_config.instance_flexibility_policy.provisioning_model_mix field to google_dataproc_cluster resource (#20396)
• dataproc: added confidential_instance_config field to google_dataproc_cluster resource (#20488)
• discoveryengine: added HEALTHCARE_FHIR to industry_vertical field in google_discovery_engine_search_engine (#20471)
• gkehub: added configmanagement.config_sync.stop_syncing field to google_gke_hub_feature_membership resource (#20561)
• monitoring: added disable_metric_validation field to google_monitoring_alert_policy resource (#20544)
• oracledatabase: added deletion_protection field to google_oracle_database_autonomous_database (#20484)
• oracledatabase: added deletion_protection field to google_oracle_database_cloud_exadata_infrastructure (#20485)
• oracledatabase: added deletion_protection field to google_oracle_database_cloud_vm_cluster (#20392)
• parallelstore: added deployment_type to google_parallelstore_instance (#20457)
• resourcemanager: made google_service_account email and member fields available during plan (#20510)

BUG FIXES:

• apigee: made google_apigee_organization wait for deletion operation to complete. (#20504)
• cloudfunctions: fixed issue when updating vpc_connector_egress_settings field for google_cloudfunctions_function resource. (#20437)
• dataproc: ensured oneOf condition is honored when expanding the job configuration for Hive, Pig, Spark-sql, and Presto in google_dataproc_job. (#20453)
• gkehub: fixed allowable value INSTALLATION_UNSPECIFIED in template_library.installation (#20567)
• sql: fixed edition downgrade failure for an ENTERPRISE_PLUS instance with data cache enabled. (#20393)

FEATURES:

• New Data Source: google_access_context_manager_access_policy (#20295)
• New Resource: google_dataproc_gdc_spark_application (#20242)
• New Resource: google_managed_kafka_cluster and google_managed_kafka_topic (#20237)

IMPROVEMENTS:

• artifactregistry: added common_repository field to google_artifact_registry_repository resource (#20305)
• cloudrunv2: added urls output field to google_cloud_run_v2_service resource (#20313)
• compute: added IDPF as a possible value for the network_interface.nic_type field in google_compute_instance resource (#20250)
• compute: added IDPF as a possible value for the guest_os_features.type field in google_compute_image resource (#20250)
• compute: added replica_names field to sql_database_instance resource (#20202)
• filestore: added performance_config field to google_filestore_instance (#20218)
• redis: added persistence_config to google_redis_cluster. (#20212)
• securesourcemanager: added workforce_identity_federation_config field to google_secure_source_manager_instance resource (#20290)
• spanner: added default_backup_schedule_type field to google_spanner_instance (#20213)
• sql: added psc_auto_connections fields to google_sql_database_instance resource (#20307)

BUG FIXES:

• accesscontextmanager: fixed permadiff in perimeter google_access_context_manager_service_perimeter_ingress_policy and google_access_context_manager_service_perimeter_egress_policy resources when there are duplicate resources in the rules (#20294)
• • accesscontextmanager: fixed comparison of identity_type in ingress_from and egress_from when the IDENTITY_TYPE_UNSPECIFIED is set (#20221)
• compute: fixed permadiff on attempted type field updates in google_computer_security_policy, updating this field will now force recreation of the resource (#20316)
• identityplatform: fixed perma-diff originating from the sign_in.anonymous.enabled field in google_identity_platform_config (#20244)

BUG FIXES:

• vertexai: fixed issue with google_vertex_ai_endpoint where upgrading to 6.11.0 would delete all traffic splits that were set outside Terraform (which was previously a required step for all meaningful use of this resource). (#20350)

BUG FIXES:

• container: fixed diff on google_container_cluster.user_managed_keys_config field for resources that had not set it. (#20314)
• container: marked google_container_cluster.user_managed_keys_config as immutable because it can't be updated in place. (#20314)

NOTES:

• compute: migrated google_compute_firewall_policy_rule from DCL engine to MMv1 engine. (#20160)

BREAKING CHANGES:

• looker: made oauth_config a required field in google_looker_instance, as creating this resource without that field always triggers an API error (#20196)

FEATURES:

• New Data Source: google_spanner_database (#20114)
• New Resource: google_apigee_api (#20113)
• New Resource: google_dataproc_gdc_application_environment (#20165)
• New Resource: google_dataproc_gdc_service_instance (#20147)
• New Resource: google_memorystore_instance (#20108)

IMPROVEMENTS:

• apigee: added in-place update support for google_apigee_env_references (#20182)
• apigee: added in-place update support for google_apigee_environment resource (#20189)
• cloudrun: added empty_dir field to google_cloud_run_service (#20185)
• cloudrunv2: added empty_dir field to google_cloud_run_v2_service and google_cloud_run_v2_job (#20185)
• compute: added disks field to google_compute_node_template resource (#20180)
• compute: added preconfigured_waf_config field to google_compute_security_policy resource (#20183)
• compute: added replica_names field to sql_database_instance resource (#20202)
• compute: added instance_flexibility_policy field to google_compute_region_instance_group_manager resource (#20132)
• compute: increased google_compute_security_policy timeouts from 20 minutes to 30 minutes (#20145)
• container: added control_plane_endpoints_config field to google_container_cluster resource. (#20193)
• container: added parallelstore_csi_driver_config field to google_container_cluster resource. (#20163)
• container: added user_managed_keys_config field to google_container_cluster resource. (#20105)
• firestore: allowed single field indexes to support __name__ DESC indexes in google_firestore_index resources (#20124)
• privateca: added support for sub-CA to be activated into STAGED state (#20103)
• spanner: added default_backup_schedule_type field to google_spanner_instance (#20213)
• vertexai: added traffic_split, private_service_connect_config, predict_request_response_logging_config, dedicated_endpoint_enabled, and dedicated_endpoint_dns fields to google_vertex_ai_endpoint resource (#20179)
• workflows: added deletion_protection field to google_workflows_workflow resource (#20106)

BUG FIXES:

• compute: fixed a diff based on server-side reordering of match.src_address_groups and match.dest_address_groups in google_compute_network_firewall_policy_rule (#20148)
• compute: fixed permadiff on the preconfigured_waf_config field for google_compute_security_policy resource (#20183)
• container: fixed in-place updates for node_config.containerd_config in google_container_cluster and google_container_node_pool (#20112)