Merge branch 'master' into 1849-implement-cloud-run-module-version-2

2023-12-20 18:17:15 +01:00 · 2023-12-20 18:17:15 +01:00 · a04f59852f
parent 88b91cdaee c9a8d777ba
commit a04f59852f
157 changed files with 1300 additions and 406 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,13 @@ All notable changes to this project will be documented in this file.
 ### BLUEPRINTS
 - [[#1936](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1936)] Move squid to __need_fixing ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-19 14:27:37+00:00 -->
 - [[#1931](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1931)] Quota monitor blueprint: don't fail quota fetch on deleted project ([ludoo](https://github.com/ludoo)) <!-- 2023-12-15 19:20:49+00:00 -->
 - [[#1930](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1930)] Allow granting network user role on host project from project module and factory ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2023-12-15 13:39:21+00:00 -->
 - [[#1924](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1924)] Update quota monitor blueprint to support project discovery ([maunope](https://github.com/maunope)) <!-- 2023-12-12 18:17:01+00:00 -->
 - [[#1912](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1912)] **incompatible change:** Custom role factories for organization and project modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-11 14:16:39+00:00 -->
 - [[#1916](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1916)] Add triggerer configuration for Composer ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-11 11:54:49+00:00 -->
 - [[#1907](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1907)] Add support for subnet-level service network user grants to project module, improve docs ([ludoo](https://github.com/ludoo)) <!-- 2023-12-07 09:07:48+00:00 -->
 - [[#1871](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1871)] Added workstation-cluster module ([apichick](https://github.com/apichick)) <!-- 2023-11-30 06:15:37+00:00 -->
 - [[#1886](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1886)] Fixes to F5 blueprint docs ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-11-24 18:45:38+00:00 -->
 - [[#1874](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1874)] Added PSC support to CloudSQL Module ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2023-11-24 14:47:45+00:00 -->
@ -15,16 +22,38 @@ All notable changes to this project will be documented in this file.
 ### DOCUMENTATION
 - [[#1936](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1936)] Move squid to __need_fixing ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-19 14:27:37+00:00 -->
 - [[#1890](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1890)] Use TFTEST_E2E_ instead of TF_VAR variables ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-30 19:03:59+00:00 -->
 - [[#1871](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1871)] Added workstation-cluster module ([apichick](https://github.com/apichick)) <!-- 2023-11-30 06:15:37+00:00 -->
 - [[#1883](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1883)] F5 deployment blueprint ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-11-24 13:02:34+00:00 -->
 ### FAST
 - [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 16:09:22+00:00 -->
 - [[#1912](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1912)] **incompatible change:** Custom role factories for organization and project modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-11 14:16:39+00:00 -->
 - [[#1900](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1900)] Patch Github actions ci google-github-actions/auth@v0 --> v2 ([ibrahimparvez2](https://github.com/ibrahimparvez2)) <!-- 2023-12-04 12:16:02+00:00 -->
 ### MODULES
 - [[#1936](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1936)] Move squid to __need_fixing ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-19 14:27:37+00:00 -->
 - [[#1935](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1935)] E2E tests fixes ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-19 10:01:03+00:00 -->
 - [[#1933](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1933)] Add project-scoped secure tags ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 17:24:06+00:00 -->
 - [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 16:09:22+00:00 -->
 - [[#1930](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1930)] Allow granting network user role on host project from project module and factory ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2023-12-15 13:39:21+00:00 -->
 - [[#1928](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1928)] **incompatible change:** Fix health check autocreation and id output in passthrough LB modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-13 23:39:55+00:00 -->
 - [[#1926](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1926)] Add support for policy based routes to net-vpc ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-13 15:19:41+00:00 -->
 - [[#1905](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1905)] gke-cluster-standard : Support upgrade_settings for node auto provisioner ([noony](https://github.com/noony)) <!-- 2023-12-12 19:17:52+00:00 -->
 - [[#1923](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1923)] Removed deprecated variable and added labels ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2023-12-12 18:32:48+00:00 -->
 - [[#1922](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1922)] can_ip_forward in simple-nva examples ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-12 13:09:59+00:00 -->
 - [[#1921](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1921)] Sync tf version to version used by tests ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-12 08:43:09+00:00 -->
 - [[#1920](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1920)] Bump tf version ([ludoo](https://github.com/ludoo)) <!-- 2023-12-12 08:19:47+00:00 -->
 - [[#1918](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1918)] Added missing parameters in kubelet and linux node configuration ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2023-12-11 19:05:24+00:00 -->
 - [[#1917](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1917)] Added the possibility to configure maintenance window and deny maintenance period in Cloud SQL module module ([francesco-pavan-huware](https://github.com/francesco-pavan-huware)) <!-- 2023-12-11 16:59:00+00:00 -->
 - [[#1912](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1912)] **incompatible change:** Custom role factories for organization and project modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-11 14:16:39+00:00 -->
 - [[#1909](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1909)] net_lb_ext module e2e and example testing changes ([dibaskar-google](https://github.com/dibaskar-google)) <!-- 2023-12-08 09:04:07+00:00 -->
 - [[#1908](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1908)] README fixes for #1907 ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-07 10:05:27+00:00 -->
 - [[#1906](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1906)] gke-cluster-standard : Set optional shielded_instance_config block in cluster_autoscaling.auto_provisioning_defaults ([noony](https://github.com/noony)) <!-- 2023-12-07 09:37:13+00:00 -->
 - [[#1907](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1907)] Add support for subnet-level service network user grants to project module, improve docs ([ludoo](https://github.com/ludoo)) <!-- 2023-12-07 09:07:48+00:00 -->
 - [[#1904](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1904)] gke-cluster-standard : Add possibility to enable image streaming feature at cluster level ([noony](https://github.com/noony)) <!-- 2023-12-07 05:36:22+00:00 -->
 - [[#1903](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1903)] Enable sole tenancy (`node_affinities`) on compute_vm ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-12-05 17:05:23+00:00 -->
 - [[#1901](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1901)] Add IPv6 to HA VPN module + test inventories ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-12-04 22:38:42+00:00 -->
@ -41,6 +70,7 @@ All notable changes to this project will be documented in this file.
 ### TOOLS
 - [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 16:09:22+00:00 -->
 - [[#1890](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1890)] Use TFTEST_E2E_ instead of TF_VAR variables ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-30 19:03:59+00:00 -->
 ## [28.0.0] - 2023-11-24
--- a/blueprints/README.md
+++ b/blueprints/README.md
@ -9,7 +9,7 @@ Currently available blueprints:
 - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml)
 - **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
 - **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot)
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), On-prem DNS and Google Private Access,  [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
+- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access,  [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
 - **serverless** - [Cloud Run series](./serverless/cloud-run-explore)
 - **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)
--- a/blueprints/cloud-operations/quota-monitoring/README.md
+++ b/blueprints/cloud-operations/quota-monitoring/README.md
@ -38,9 +38,10 @@ The region, location of the bundle used to deploy the function, and scheduling f
 The `quota_config` variable mirrors the arguments accepted by the Python program, and allows configuring several different aspects of its behaviour:
 - `quota_config.discover_root` organization or folder to be used to discover all underlying projects to track quotas for, in `organizations/nnnnn` or `folders/nnnnn` format
 - `quota_config.exclude` do not generate metrics for quotas matching prefixes listed here
 - `quota_config.include` only generate metrics for quotas matching prefixes listed here
- `quota_config.projects` projects to track quotas for, defaults to the project where metrics are stored
+- `quota_config.projects` projects to track quotas for, defaults to the project where metrics are stored, if projects are automatically discovered, those in this list are appended. 
 - `quota_config.regions` regions to track quotas for, defaults to the `global` region for project-level quotas
 - `dry_run` do not write actual metrics
 - `verbose` increase logging verbosity
@ -54,7 +55,6 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
 - `terraform init`
 - `terraform apply -var project_id=my-project-id`
 <!-- BEGIN TFDOC -->
 ## Variables
 | name | description | type | required | default |
@ -64,10 +64,9 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
 | [bundle_path](variables.tf#L33) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> |  | <code>&#34;.&#47;bundle.zip&#34;</code> |
 | [name](variables.tf#L39) | Arbitrary string used to name created resources. | <code>string</code> |  | <code>&#34;quota-monitor&#34;</code> |
 | [project_create_config](variables.tf#L45) | Create project instead of using an existing one. | <code title="object&#40;&#123;&#10;  billing_account &#61; string&#10;  parent          &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [quota_config](variables.tf#L59) | Cloud function configuration. | <code title="object&#40;&#123;&#10;  exclude &#61; optional&#40;list&#40;string&#41;, &#91;&#10;    &#34;a2&#34;, &#34;c2&#34;, &#34;c2d&#34;, &#34;committed&#34;, &#34;g2&#34;, &#34;interconnect&#34;, &#34;m1&#34;, &#34;m2&#34;, &#34;m3&#34;,&#10;    &#34;nvidia&#34;, &#34;preemptible&#34;&#10;  &#93;&#41;&#10;  include  &#61; optional&#40;list&#40;string&#41;&#41;&#10;  projects &#61; optional&#40;list&#40;string&#41;&#41;&#10;  regions  &#61; optional&#40;list&#40;string&#41;&#41;&#10;  dry_run  &#61; optional&#40;bool, false&#41;&#10;  verbose  &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [quota_config](variables.tf#L59) | Cloud function configuration. | <code title="object&#40;&#123;&#10;  exclude &#61; optional&#40;list&#40;string&#41;, &#91;&#10;    &#34;a2&#34;, &#34;c2&#34;, &#34;c2d&#34;, &#34;committed&#34;, &#34;g2&#34;, &#34;interconnect&#34;, &#34;m1&#34;, &#34;m2&#34;, &#34;m3&#34;,&#10;    &#34;nvidia&#34;, &#34;preemptible&#34;&#10;  &#93;&#41;&#10;  discovery_root &#61; optional&#40;string, &#34;&#34;&#41;&#10;  dry_run        &#61; optional&#40;bool, false&#41;&#10;  include        &#61; optional&#40;list&#40;string&#41;&#41;&#10;  projects       &#61; optional&#40;list&#40;string&#41;&#41;&#10;  regions        &#61; optional&#40;list&#40;string&#41;&#41;&#10;  verbose        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [region](variables.tf#L76) | Compute region used in the example. | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
+| [region](variables.tf#L85) | Compute region used in the example. | <code>string</code> |  | <code>&#34;europe-west1&#34;</code> |
-| [schedule_config](variables.tf#L82) | Schedule timer configuration in crontab format. | <code>string</code> |  | <code>&#34;0 &#42; &#42; &#42; &#42;&#34;</code> |
+| [schedule_config](variables.tf#L91) | Schedule timer configuration in crontab format. | <code>string</code> |  | <code>&#34;0 &#42; &#42; &#42; &#42;&#34;</code> |
 <!-- END TFDOC -->
 ## Test
@ -80,5 +79,5 @@ module "test" {
    billing_account = "12345-ABCDE-12345"
  }
 }
-# tftest modules=4 resources=14
+# tftest modules=4 resources=19
 ```
--- a/blueprints/cloud-operations/quota-monitoring/main.tf
+++ b/blueprints/cloud-operations/quota-monitoring/main.tf
@ -20,6 +20,8 @@ locals {
    ? [var.project_id]
    : var.quota_config.projects
  )
  discovery_root_type = split("/", coalesce(var.quota_config["discovery_root"], "/"))[0]
  discovery_root_id   = split("/", coalesce(var.quota_config["discovery_root"], "/"))[1]
 }
 module "project" {
@ -29,8 +31,11 @@ module "project" {
  parent          = try(var.project_create_config.parent, null)
  project_create  = var.project_create_config != null
  services = [
-    "compute.googleapis.com",
+    "cloudasset.googleapis.com",
-    "cloudfunctions.googleapis.com"
+    "cloudbuild.googleapis.com",
    "cloudfunctions.googleapis.com",
    "cloudscheduler.googleapis.com",
    "compute.googleapis.com"
  ]
 }
@ -81,6 +86,55 @@ resource "google_cloud_scheduler_job" "default" {
  }
 }
 resource "google_organization_iam_member" "org_asset_viewer" {
  count  = local.discovery_root_type == "organizations" ? 1 : 0
  org_id = local.discovery_root_id
  role   = "roles/cloudasset.viewer"
  member = module.cf.service_account_iam_email
 }
 # role with the least privilege including compute.projects.get permission
 resource "google_organization_iam_member" "org_network_viewer" {
  count  = local.discovery_root_type == "organizations" ? 1 : 0
  org_id = local.discovery_root_id
  role   = "roles/compute.networkViewer"
  member = module.cf.service_account_iam_email
 }
 resource "google_organization_iam_member" "org_quota_viewer" {
  count  = local.discovery_root_type == "organizations" ? 1 : 0
  org_id = local.discovery_root_id
  role   = "roles/servicemanagement.quotaViewer"
  member = module.cf.service_account_iam_email
 }
 resource "google_folder_iam_member" "folder_asset_viewer" {
  count  = local.discovery_root_type == "folders" ? 1 : 0
  folder = local.discovery_root_id
  role   = "roles/cloudasset.viewer"
  member = module.cf.service_account_iam_email
 }
 # role with the least privilege including compute.projects.get permission
 resource "google_folder_iam_member" "folder_network_viewer" {
  count  = local.discovery_root_type == "folders" ? 1 : 0
  folder = local.discovery_root_id
  role   = "roles/compute.networkViewer"
  member = module.cf.service_account_iam_email
 }
 resource "google_folder_iam_member" "folder_quota_viewer" {
  count  = local.discovery_root_type == "folders" ? 1 : 0
  folder = local.discovery_root_id
  role   = "roles/servicemanagement.quotaViewer"
  member = module.cf.service_account_iam_email
 }
 resource "google_project_iam_member" "metric_writer" {
  project = module.project.project_id
  role    = "roles/monitoring.metricWriter"
--- a/blueprints/cloud-operations/quota-monitoring/src/main.py
+++ b/blueprints/cloud-operations/quota-monitoring/src/main.py
@ -39,6 +39,9 @@ HTTP_HEADERS = {'content-type': 'application/json; charset=UTF-8'}
 URL_PROJECT = 'https://compute.googleapis.com/compute/v1/projects/{}'
 URL_REGION = 'https://compute.googleapis.com/compute/v1/projects/{}/regions/{}'
 URL_TS = 'https://monitoring.googleapis.com/v3/projects/{}/timeSeries'
 URL_DISCOVERY = ('https://cloudasset.googleapis.com/v1/{}/assets?'
                 'assetTypes=cloudresourcemanager.googleapis.com%2FProject&'
                 'contentType=RESOURCE&pageSize=100&pageToken={}')
 _Quota = collections.namedtuple('_Quota',
                                'project region tstamp metric limit usage')
@ -48,6 +51,10 @@ HTTPRequest = collections.namedtuple(
    }])
 class NotFound(Exception):
  pass
 class Quota(_Quota):
  'Compute quota.'
@ -80,8 +87,8 @@ class Quota(_Quota):
    else:
      d['valueType'] = 'INT64'
      d['points'][0]['value'] = {'int64Value': value}
-    # remove this label if cardinality gets too high
+    # re-enable the following line if cardinality is not a problem
-    d['metric']['labels']['quota'] = f'{self.usage}/{self.limit}'
+    # d['metric']['labels']['quota'] = f'{self.usage}/{self.limit}'
    return d
  @property
@ -92,7 +99,7 @@ class Quota(_Quota):
      ratio = 0
    yield self._api_format('ratio', ratio)
    yield self._api_format('usage', self.usage)
-    # yield self._api_format('limit', self.limit)
+    yield self._api_format('limit', self.limit)
 def batched(iterable, n):
@ -112,6 +119,23 @@ def configure_logging(verbose=True):
  warnings.filterwarnings('ignore', r'.*end user credentials.*', UserWarning)
 def discover_projects(discovery_root):
  'Discovers projects under a folder or organization.'
  if discovery_root.partition('/')[0] not in ('folders', 'organizations'):
    raise SystemExit(f'Invalid discovery root {discovery_root}.')
  next_page_token = ''
  while True:
    list_assets_results = fetch(
        HTTPRequest(URL_DISCOVERY.format(discovery_root, next_page_token)))
    if 'assets' in list_assets_results:
      for asset in list_assets_results['assets']:
        if (asset['resource']['data']['lifecycleState'] == 'ACTIVE'):
          yield asset['resource']['data']['projectId']
    next_page_token = list_assets_results.get('nextPageToken')
    if not next_page_token:
      break
 def fetch(request, delete=False):
  'Minimal HTTP client interface for API calls.'
  logging.debug(f'fetch {"POST" if request.data else "GET"} {request.url}')
@ -132,6 +156,9 @@ def fetch(request, delete=False):
  except json.JSONDecodeError as e:
    logging.critical(e)
    raise SystemExit(f'Error decoding response: {response.content}')
  if response.status_code == 404:
    raise NotFound(
        f'Resource not found. Error: {rdata.get("error")} URL: {request.url}')
  if response.status_code != 200:
    logging.critical(rdata)
    error = rdata.get('error', {})
@ -155,17 +182,25 @@ def get_quotas(project, region='global'):
    request = HTTPRequest(URL_PROJECT.format(project))
  else:
    request = HTTPRequest(URL_REGION.format(project, region))
-  resp = fetch(request)
+  try:
-  ts = datetime.datetime.utcnow()
+    resp = fetch(request)
-  for quota in resp.get('quotas'):
+  except NotFound as e:
-    yield Quota(project, region, ts, **quota)
+    logging.warn(e.args[0])
  else:
    ts = datetime.datetime.utcnow()
    for quota in resp.get('quotas'):
      yield Quota(project, region, ts, **quota)
@click.command()
@click.argument('project-id', required=True)
@click.option(
    '--discovery-root', '-dr', required=False, help=
    'Root node used to dynamically fetch projects, in organizations/nnn or folders/nnn format.'
 )
@click.option(
    '--project-ids', multiple=True, help=
-    'Project ids to monitor (multiple). Defaults to monitoring project if not set.'
+    'Project ids to monitor (multiple). Defaults to monitoring project if not set, values are appended to those found under discovery-root'
 )
@click.option('--regions', multiple=True,
              help='Regions (multiple). Defaults to "global" if not set.')
@ -175,11 +210,13 @@ def get_quotas(project, region='global'):
              help='Exclude quotas starting with keyword (multiple).')
@click.option('--dry-run', is_flag=True, help='Do not write metrics.')
@click.option('--verbose', is_flag=True, help='Verbose output.')
-def main_cli(project_id=None, project_ids=None, regions=None, include=None,
+def main_cli(project_id=None, discovery_root=None, project_ids=None,
-             exclude=None, dry_run=False, verbose=False):
+             regions=None, include=None, exclude=None, dry_run=False,
             verbose=False):
  'Fetch GCE quotas and writes them as custom metrics to Stackdriver.'
  try:
-    _main(project_id, project_ids, regions, include, exclude, dry_run, verbose)
+    _main(project_id, discovery_root, project_ids, regions, include, exclude,
          dry_run, verbose)
  except RuntimeError as e:
    logging.exception(f'exception raised: {e.args[0]}')
@ -193,14 +230,18 @@ def main(event, context):
    raise
-def _main(monitoring_project, projects=None, regions=None, include=None,
+def _main(monitoring_project, discovery_root=None, projects=None, regions=None,
-          exclude=None, dry_run=False, verbose=False):
+          include=None, exclude=None, dry_run=False, verbose=False):
  """Module entry point used by cli and cloud function wrappers."""
  configure_logging(verbose=verbose)
-  projects = projects or [monitoring_project]
+
  # default to monitoring scope project if projects parameter is not passed, then merge the list with discovered projects, if any
  regions = regions or ['global']
  include = set(include or [])
  exclude = set(exclude or [])
  projects = projects or [monitoring_project]
  if (discovery_root):
    projects = set(list(projects) + list(discover_projects(discovery_root)))
  for k in ('monitoring_project', 'projects', 'regions', 'include', 'exclude'):
    logging.debug(f'{k} {locals().get(k)}')
  timeseries = []
--- a/blueprints/cloud-operations/quota-monitoring/variables.tf
+++ b/blueprints/cloud-operations/quota-monitoring/variables.tf
@ -63,14 +63,23 @@ variable "quota_config" {
      "a2", "c2", "c2d", "committed", "g2", "interconnect", "m1", "m2", "m3",
      "nvidia", "preemptible"
    ])
-    include  = optional(list(string))
+    discovery_root = optional(string, "")
-    projects = optional(list(string))
+    dry_run        = optional(bool, false)
-    regions  = optional(list(string))
+    include        = optional(list(string))
-    dry_run  = optional(bool, false)
+    projects       = optional(list(string))
-    verbose  = optional(bool, false)
+    regions        = optional(list(string))
    verbose        = optional(bool, false)
  })
  nullable = false
  default  = {}
  validation {
    condition = (
      var.quota_config.discovery_root == "" ||
      startswith(var.quota_config.discovery_root, "folders/") ||
      startswith(var.quota_config.discovery_root, "organizations/")
    )
    error_message = "non-null discovery root needs to start with folders/ or organizations/"
  }
 }
 variable "region" {
--- a/blueprints/factories/project-factory/README.md
+++ b/blueprints/factories/project-factory/README.md
@ -57,7 +57,7 @@ module "project-factory" {
  # location where the yaml files are read from
  factory_data_path = "data"
 }
-# tftest modules=7 resources=31 files=prj-app-1,prj-app-2,prj-app-3 inventory=example.yaml
+# tftest modules=7 resources=33 files=prj-app-1,prj-app-2,prj-app-3 inventory=example.yaml
 ```
 ```yaml
@ -85,9 +85,15 @@ service_accounts:
 ```yaml
 labels:
- app: app-2
+  app: app-2
- team: foo
+  team: foo
 parent: folders/12345678
 org_policies:
  "compute.restrictSharedVpcSubnetworks":
    rules:
    - allow:
        values:
        - projects/foo-host/regions/europe-west1/subnetworks/prod-default-ew1
 service_accounts:
  app-2-be: {}
 services:
@ -98,13 +104,17 @@ services:
 shared_vpc_service_config:
  host_project: foo-host
  service_identity_iam:
    "roles/compute.networkUser":
      - cloudservices
      - container-engine
    "roles/vpcaccess.user":
-      - cloudrun
+    - cloudrun
    "roles/container.hostServiceAgentUser":
-      - container-engine
+    - container-engine
  service_identity_subnet_iam:
    europe-west1/prod-default-ew1:
    - cloudservices
    - container-engine
  network_subnet_users:
    europe-west1/prod-default-ew1:
    - group:team-1@example.com
 # tftest-file id=prj-app-2 path=data/prj-app-2.yaml
 ```
@ -117,15 +127,16 @@ services:
 # tftest-file id=prj-app-3 path=data/prj-app-3.yaml
 ```
 <!-- BEGIN TFDOC -->
 ## Variables
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [factory_data_path](variables.tf#L89) | Path to folder with YAML project description data files. | <code>string</code> | ✓ |  |
+| [factory_data_path](variables.tf#L91) | Path to folder with YAML project description data files. | <code>string</code> | ✓ |  |
-| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | <code title="object&#40;&#123;&#10;  billing_account            &#61; optional&#40;string&#41;&#10;  contacts                   &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  labels                     &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  metric_scopes              &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  parent                     &#61; optional&#40;string&#41;&#10;  prefix                     &#61; optional&#40;string&#41;&#10;  service_encryption_key_ids &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_perimeter_bridges  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  service_perimeter_standard &#61; optional&#40;string&#41;&#10;  services                   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10;    host_project                &#61; string&#10;    service_identity_iam        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_identity_subnet_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_iam_grants          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123; host_project &#61; null &#125;&#41;&#10;  tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  service_accounts &#61; optional&#40;map&#40;object&#40;&#123;&#10;    display_name      &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;    iam_project_roles &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | <code title="object&#40;&#123;&#10;  billing_account            &#61; optional&#40;string&#41;&#10;  contacts                   &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  labels                     &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  metric_scopes              &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  parent                     &#61; optional&#40;string&#41;&#10;  prefix                     &#61; optional&#40;string&#41;&#10;  service_encryption_key_ids &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_perimeter_bridges  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  service_perimeter_standard &#61; optional&#40;string&#41;&#10;  services                   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10;    host_project                &#61; string&#10;    network_users               &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    service_identity_iam        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_identity_subnet_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_iam_grants          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    network_subnet_users        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123; host_project &#61; null &#125;&#41;&#10;  tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  service_accounts &#61; optional&#40;map&#40;object&#40;&#123;&#10;    display_name      &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;    iam_project_roles &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [data_merges](variables.tf#L47) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | <code title="object&#40;&#123;&#10;  contacts                   &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  labels                     &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  metric_scopes              &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  service_encryption_key_ids &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_perimeter_bridges  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  services                   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  tag_bindings               &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  service_accounts &#61; optional&#40;map&#40;object&#40;&#123;&#10;    display_name      &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;    iam_project_roles &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [data_merges](variables.tf#L49) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | <code title="object&#40;&#123;&#10;  contacts                   &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  labels                     &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  metric_scopes              &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  service_encryption_key_ids &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_perimeter_bridges  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  services                   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  tag_bindings               &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  service_accounts &#61; optional&#40;map&#40;object&#40;&#123;&#10;    display_name      &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;    iam_project_roles &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [data_overrides](variables.tf#L67) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code title="object&#40;&#123;&#10;  billing_account            &#61; optional&#40;string&#41;&#10;  contacts                   &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;  parent                     &#61; optional&#40;string&#41;&#10;  prefix                     &#61; optional&#40;string&#41;&#10;  service_encryption_key_ids &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;  service_perimeter_bridges  &#61; optional&#40;list&#40;string&#41;&#41;&#10;  service_perimeter_standard &#61; optional&#40;string&#41;&#10;  tag_bindings               &#61; optional&#40;map&#40;string&#41;&#41;&#10;  services                   &#61; optional&#40;list&#40;string&#41;&#41;&#10;  service_accounts &#61; optional&#40;map&#40;object&#40;&#123;&#10;    display_name      &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;    iam_project_roles &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [data_overrides](variables.tf#L69) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code title="object&#40;&#123;&#10;  billing_account            &#61; optional&#40;string&#41;&#10;  contacts                   &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;  parent                     &#61; optional&#40;string&#41;&#10;  prefix                     &#61; optional&#40;string&#41;&#10;  service_encryption_key_ids &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;  service_perimeter_bridges  &#61; optional&#40;list&#40;string&#41;&#41;&#10;  service_perimeter_standard &#61; optional&#40;string&#41;&#10;  tag_bindings               &#61; optional&#40;map&#40;string&#41;&#41;&#10;  services                   &#61; optional&#40;list&#40;string&#41;&#41;&#10;  service_accounts &#61; optional&#40;map&#40;object&#40;&#123;&#10;    display_name      &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;    iam_project_roles &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 ## Outputs
@ -134,6 +145,7 @@ services:
 | [projects](outputs.tf#L17) | Project module outputs. |  |
 | [service_accounts](outputs.tf#L22) | Service account emails. |  |
 <!-- END TFDOC -->
 ## Tests
 These tests validate fixes to the project factory.
--- a/blueprints/factories/project-factory/factory.tf
+++ b/blueprints/factories/project-factory/factory.tf
@ -79,9 +79,11 @@ locals {
        try(v.shared_vpc_service_config, null) != null
        ? merge(
          {
            network_users               = []
            service_identity_iam        = {}
            service_identity_subnet_iam = {}
            service_iam_grants          = []
            network_subnet_users        = {}
          },
          v.shared_vpc_service_config
        )
--- a/blueprints/factories/project-factory/variables.tf
+++ b/blueprints/factories/project-factory/variables.tf
@ -29,9 +29,11 @@ variable "data_defaults" {
    services                   = optional(list(string), [])
    shared_vpc_service_config = optional(object({
      host_project                = string
      network_users               = optional(list(string), [])
      service_identity_iam        = optional(map(list(string)), {})
      service_identity_subnet_iam = optional(map(list(string)), {})
      service_iam_grants          = optional(list(string), [])
      network_subnet_users        = optional(map(list(string)), {})
    }), { host_project = null })
    tag_bindings = optional(map(string), {})
    # non-project resources
--- a/blueprints/networking/README.md
+++ b/blueprints/networking/README.md
@ -73,14 +73,14 @@ The emulated on-premises environment can be used to test access to different ser
 <br clear="left">
 -->
 ### Network filtering with Squid
 <a href="./filtering-proxy/" title="Network filtering with Squid"><img src="./filtering-proxy/squid.png" align="left" width="280px"></a> This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling.
 <br clear="left">
 -->
 ### Shared VPC with GKE and per-subnet support
 <a href="./shared-vpc-gke/" title="Shared VPC with GKE"><img src="./shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.
--- a/blueprints/networking/__need_fixing/README.md
+++ b/blueprints/networking/__need_fixing/README.md
@ -3,3 +3,4 @@
 The blueprints in this folder are either deprecated or need work on them.
 - nginx reverse proxy cluster needs tests and resolving a cycle
 - filtering-proxy needs upstream `cloud-config-container/__need_fixing/squid` to be fixed
--- a/blueprints/networking/__need_fixing/filtering-proxy-psc/README.md
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/README.md
@ -29,10 +29,9 @@ To simplify the usage of the proxy, a Cloud DNS private zone is created in each
 ## Test
 ```hcl
 module "test" {
-  source = "./fabric/blueprints/networking/filtering-proxy-psc"
+  source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy-psc"
  prefix = "fabric"
  project_create = {
    billing_account = "123456-ABCDEF-123456"
--- a/blueprints/networking/__need_fixing/filtering-proxy-psc/consumer.tf
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/consumer.tf
@ -19,7 +19,7 @@
 ###############################################################################
 module "vpc-consumer" {
-  source     = "../../../modules/net-vpc"
+  source     = "../../../../modules/net-vpc"
  project_id = module.project.project_id
  name       = "${var.prefix}-app"
  subnets = [
@ -36,7 +36,7 @@ module "vpc-consumer" {
 ###############################################################################
 module "test-vm-consumer" {
-  source        = "../../../modules/compute-vm"
+  source        = "../../../../modules/compute-vm"
  project_id    = module.project.project_id
  zone          = "${var.region}-b"
  name          = "${var.prefix}-test-vm"
@ -83,7 +83,7 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
 ###############################################################################
 module "private-dns" {
-  source     = "../../../modules/dns"
+  source     = "../../../../modules/dns"
  project_id = module.project.project_id
  name       = "${var.prefix}-internal"
  zone_config = {
@ -99,7 +99,7 @@ module "private-dns" {
 }
 module "firewall-consumer" {
-  source     = "../../../modules/net-vpc-firewall"
+  source     = "../../../../modules/net-vpc-firewall"
  project_id = module.project.project_id
  network    = module.vpc-consumer.name
 }
--- a/blueprints/networking/__need_fixing/filtering-proxy-psc/main.tf
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/main.tf
@ -19,7 +19,7 @@
 ###############################################################################
 module "project" {
-  source          = "../../../modules/project"
+  source          = "../../../../modules/project"
  project_create  = var.project_create != null
  billing_account = try(var.project_create.billing_account, null)
  parent          = try(var.project_create.parent, null)
@ -33,7 +33,7 @@ module "project" {
 }
 module "vpc" {
-  source     = "../../../modules/net-vpc"
+  source     = "../../../../modules/net-vpc"
  project_id = module.project.project_id
  name       = "${var.prefix}-vpc"
  subnets = [
@ -53,7 +53,7 @@ module "vpc" {
 }
 module "firewall" {
-  source     = "../../../modules/net-vpc-firewall"
+  source     = "../../../../modules/net-vpc-firewall"
  project_id = module.project.project_id
  network    = module.vpc.name
  ingress_rules = {
@ -73,7 +73,7 @@ module "firewall" {
 }
 module "nat" {
-  source                = "../../../modules/net-cloudnat"
+  source                = "../../../../modules/net-cloudnat"
  project_id            = module.project.project_id
  region                = var.region
  name                  = "default"
@ -118,7 +118,7 @@ resource "google_compute_service_attachment" "service_attachment" {
 ###############################################################################
 module "service-account-squid" {
-  source     = "../../../modules/iam-service-account"
+  source     = "../../../../modules/iam-service-account"
  project_id = module.project.project_id
  name       = "svc-squid"
  iam_project_roles = {
@ -130,7 +130,7 @@ module "service-account-squid" {
 }
 module "cos-squid" {
-  source       = "../../../modules/cloud-config-container/squid"
+  source       = "../../../../modules/cloud-config-container/__need_fixing/squid"
  allow        = var.allowed_domains
  clients      = [var.cidrs.app]
  squid_config = "${path.module}/squid.conf"
@ -140,7 +140,7 @@ module "cos-squid" {
 }
 module "squid-vm" {
-  source          = "../../../modules/compute-vm"
+  source          = "../../../../modules/compute-vm"
  project_id      = module.project.project_id
  zone            = "${var.region}-b"
  name            = "squid-vm"
@ -165,7 +165,7 @@ module "squid-vm" {
 }
 module "squid-mig" {
-  source            = "../../../modules/compute-mig"
+  source            = "../../../../modules/compute-mig"
  project_id        = module.project.project_id
  location          = "${var.region}-b"
  name              = "squid-mig"
@ -202,7 +202,7 @@ module "squid-mig" {
 }
 module "squid-ilb" {
-  source        = "../../../modules/net-lb-int"
+  source        = "../../../../modules/net-lb-int"
  project_id    = module.project.project_id
  region        = var.region
  name          = "squid-ilb"
--- a/blueprints/networking/__need_fixing/filtering-proxy-psc/squid.conf
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/squid.conf
--- a/blueprints/networking/__need_fixing/filtering-proxy-psc/startup.sh
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/startup.sh
--- a/blueprints/networking/__need_fixing/filtering-proxy-psc/variables.tf
+++ b/blueprints/networking/__need_fixing/filtering-proxy-psc/variables.tf
--- a/blueprints/networking/__need_fixing/filtering-proxy/README.md
+++ b/blueprints/networking/__need_fixing/filtering-proxy/README.md
@ -41,7 +41,7 @@ You can optionally deploy the Squid server as [Managed Instance Group](https://c
 ```hcl
 module "test1" {
-  source          = "./fabric/blueprints/networking/filtering-proxy"
+  source          = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
  billing_account = "123456-123456-123456"
  mig             = true
  prefix          = "fabric"
@ -52,7 +52,7 @@ module "test1" {
 ```hcl
 module "test2" {
-  source          = "./fabric/blueprints/networking/filtering-proxy"
+  source          = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
  billing_account = "123456-123456-123456"
  mig             = false
  prefix          = "fabric"
--- a/blueprints/networking/__need_fixing/filtering-proxy/main.tf
+++ b/blueprints/networking/__need_fixing/filtering-proxy/main.tf
@ -27,7 +27,7 @@ locals {
 ###############################################################################
 module "folder-netops" {
-  source = "../../../modules/folder"
+  source = "../../../../modules/folder"
  parent = var.root_node
  name   = "netops"
 }
@ -37,7 +37,7 @@ module "folder-netops" {
 ###############################################################################
 module "project-host" {
-  source          = "../../../modules/project"
+  source          = "../../../../modules/project"
  billing_account = var.billing_account
  name            = "host"
  parent          = module.folder-netops.id
@ -53,7 +53,7 @@ module "project-host" {
 }
 module "vpc" {
-  source     = "../../../modules/net-vpc"
+  source     = "../../../../modules/net-vpc"
  project_id = module.project-host.project_id
  name       = "vpc"
  subnets = [
@ -71,7 +71,7 @@ module "vpc" {
 }
 module "firewall" {
-  source     = "../../../modules/net-vpc-firewall"
+  source     = "../../../../modules/net-vpc-firewall"
  project_id = module.project-host.project_id
  network    = module.vpc.name
  ingress_rules = {
@ -91,7 +91,7 @@ module "firewall" {
 }
 module "nat" {
-  source                = "../../../modules/net-cloudnat"
+  source                = "../../../../modules/net-cloudnat"
  project_id            = module.project-host.project_id
  region                = var.region
  name                  = "default"
@ -114,7 +114,7 @@ module "nat" {
 }
 module "private-dns" {
-  source     = "../../../modules/dns"
+  source     = "../../../../modules/dns"
  project_id = module.project-host.project_id
  name       = "internal"
  zone_config = {
@ -134,7 +134,7 @@ module "private-dns" {
 ###############################################################################
 module "service-account-squid" {
-  source     = "../../../modules/iam-service-account"
+  source     = "../../../../modules/iam-service-account"
  project_id = module.project-host.project_id
  name       = "svc-squid"
  iam_project_roles = {
@ -146,13 +146,13 @@ module "service-account-squid" {
 }
 module "cos-squid" {
-  source  = "../../../modules/cloud-config-container/squid"
+  source  = "../../../../modules/cloud-config-container/__need_fixing/squid"
  allow   = var.allowed_domains
  clients = [var.cidrs.apps]
 }
 module "squid-vm" {
-  source          = "../../../modules/compute-vm"
+  source          = "../../../../modules/compute-vm"
  project_id      = module.project-host.project_id
  zone            = "${var.region}-b"
  name            = "squid-vm"
@ -177,7 +177,7 @@ module "squid-vm" {
 module "squid-mig" {
  count             = var.mig ? 1 : 0
-  source            = "../../../modules/compute-mig"
+  source            = "../../../../modules/compute-mig"
  project_id        = module.project-host.project_id
  location          = "${var.region}-b"
  name              = "squid-mig"
@ -206,7 +206,7 @@ module "squid-mig" {
 module "squid-ilb" {
  count         = var.mig ? 1 : 0
-  source        = "../../../modules/net-lb-int"
+  source        = "../../../../modules/net-lb-int"
  project_id    = module.project-host.project_id
  region        = var.region
  name          = "squid-ilb"
@ -236,7 +236,7 @@ module "squid-ilb" {
 ###############################################################################
 module "folder-apps" {
-  source = "../../../modules/folder"
+  source = "../../../../modules/folder"
  parent = var.root_node
  name   = "apps"
  org_policies = {
@ -248,7 +248,7 @@ module "folder-apps" {
 }
 module "project-app" {
-  source          = "../../../modules/project"
+  source          = "../../../../modules/project"
  billing_account = var.billing_account
  name            = "app1"
  parent          = module.folder-apps.id
@ -263,7 +263,7 @@ module "project-app" {
 }
 module "test-vm" {
-  source        = "../../../modules/compute-vm"
+  source        = "../../../../modules/compute-vm"
  project_id    = module.project-app.project_id
  zone          = "${var.region}-b"
  name          = "test-vm"
--- a/blueprints/networking/__need_fixing/filtering-proxy/outputs.tf
+++ b/blueprints/networking/__need_fixing/filtering-proxy/outputs.tf
--- a/blueprints/networking/__need_fixing/filtering-proxy/squid.png
+++ b/blueprints/networking/__need_fixing/filtering-proxy/squid.png
--- a/blueprints/networking/__need_fixing/filtering-proxy/variables.tf
+++ b/blueprints/networking/__need_fixing/filtering-proxy/variables.tf
--- a/default-versions.tf
+++ b/default-versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/fast/stages/0-bootstrap/templates/workflow-github.yaml
+++ b/fast/stages/0-bootstrap/templates/workflow-github.yaml
@ -47,6 +47,19 @@ jobs:
        name: Checkout repository
        uses: actions/checkout@v3
 #      # Print JWT token payload, useful for debugging
 #      - id: jwt-debug
 #        name: Print GITHUB_TOKEN payload
 #        shell: python -u {0}
 #        run: |
 #          import base64
 #          import json
 #
 #          token = '${{ secrets.GITHUB_TOKEN }}'
 #          payload_text = token.split('.')[1]
 #          payload = json.loads(base64.urlsafe_b64decode(payload_text + '=' * (4-len(payload_text) %4)))
 #          print(json.dumps(payload, indent=2))
      # set up SSH key authentication to the modules repository
      - id: ssh-config
        name: Configure SSH authentication
--- a/fast/stages/1-resman/organization.tf
+++ b/fast/stages/1-resman/organization.tf
@ -48,21 +48,21 @@ module "organization" {
      description = "Resource management context."
      iam         = {}
      values = {
-        data       = null
+        data       = {}
-        gke        = null
+        gke        = {}
-        networking = null
+        networking = {}
-        sandbox    = null
+        sandbox    = {}
-        security   = null
+        security   = {}
-        teams      = null
+        teams      = {}
-        tenant     = null
+        tenant     = {}
      }
    }
    (var.tag_names.environment) = {
      description = "Environment definition."
      iam         = {}
      values = {
-        development = null
+        development = {}
-        production  = null
+        production  = {}
      }
    }
    (var.tag_names.tenant) = {
--- a/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml
@ -81,6 +81,12 @@ googleapis-restricted:
 gstatic-all:
  dns_name: "*.gstatic.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu:
  dns_name: "kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu-all:
  dns_name: "*.kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 notebooks-all:
  dns_name: "*.notebooks.cloud.google.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
--- a/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml
@ -81,6 +81,12 @@ googleapis-restricted:
 gstatic-all:
  dns_name: "*.gstatic.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu:
  dns_name: "kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu-all:
  dns_name: "*.kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 notebooks-all:
  dns_name: "*.notebooks.cloud.google.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
--- a/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml
@ -81,6 +81,12 @@ googleapis-restricted:
 gstatic-all:
  dns_name: "*.gstatic.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu:
  dns_name: "kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu-all:
  dns_name: "*.kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 notebooks-all:
  dns_name: "*.notebooks.cloud.google.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
--- a/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml
@ -81,6 +81,12 @@ googleapis-restricted:
 gstatic-all:
  dns_name: "*.gstatic.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu:
  dns_name: "kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu-all:
  dns_name: "*.kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 notebooks-all:
  dns_name: "*.notebooks.cloud.google.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
--- a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml
@ -81,6 +81,12 @@ googleapis-restricted:
 gstatic-all:
  dns_name: "*.gstatic.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu:
  dns_name: "kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 kernels-gu-all:
  dns_name: "*.kernels.googleusercontent.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
 notebooks-all:
  dns_name: "*.notebooks.cloud.google.com."
  local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
--- a/modules/__experimental/alloydb-instance/versions.tf
+++ b/modules/__experimental/alloydb-instance/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/__experimental/net-neg/versions.tf
+++ b/modules/__experimental/net-neg/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/__experimental/project-iam-magic/versions.tf
+++ b/modules/__experimental/project-iam-magic/versions.tf
@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -13,15 +13,15 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = ">= 4.71.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
    }
    google-beta = {
      source  = "hashicorp/google-beta"
-      version = ">= 4.71.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
    }
  }
 }
--- a/modules/api-gateway/versions.tf
+++ b/modules/api-gateway/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/apigee/versions.tf
+++ b/modules/apigee/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/artifact-registry/versions.tf
+++ b/modules/artifact-registry/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/bigquery-dataset/versions.tf
+++ b/modules/bigquery-dataset/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/bigtable-instance/README.md
+++ b/modules/bigtable-instance/README.md
@ -237,7 +237,7 @@ module "bigtable-instance" {
 | [deletion_protection](variables.tf#L56) | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the instance will fail. | <code>bool</code> |  | <code>true</code> |
 | [display_name](variables.tf#L63) | The human-readable display name of the Bigtable instance. | <code>string</code> |  | <code>null</code> |
 | [iam](variables.tf#L69) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [instance_type](variables.tf#L75) | (deprecated) The instance type to create. One of 'DEVELOPMENT' or 'PRODUCTION'. | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L75) | Labels to be attached to the instance. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [tables](variables.tf#L91) | Tables to be created in the BigTable instance. | <code title="map&#40;object&#40;&#123;&#10;  split_keys &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  column_families &#61; optional&#40;map&#40;object&#40;&#10;    &#123;&#10;      gc_policy &#61; optional&#40;object&#40;&#123;&#10;        deletion_policy &#61; optional&#40;string&#41;&#10;        gc_rules        &#61; optional&#40;string&#41;&#10;        mode            &#61; optional&#40;string&#41;&#10;        max_age         &#61; optional&#40;string&#41;&#10;        max_version     &#61; optional&#40;string&#41;&#10;      &#125;&#41;, null&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 ## Outputs
--- a/modules/bigtable-instance/main.tf
+++ b/modules/bigtable-instance/main.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -36,12 +36,11 @@ locals {
 }
 resource "google_bigtable_instance" "default" {
-  project = var.project_id
+  project             = var.project_id
-  name    = var.name
+  name                = var.name
-
+  display_name        = coalesce(var.display_name, var.name)
  instance_type       = var.instance_type
  display_name        = var.display_name == null ? var.display_name : var.name
  deletion_protection = var.deletion_protection
  labels              = var.labels
  dynamic "cluster" {
    for_each = local.clusters_autoscaling
--- a/modules/bigtable-instance/outputs.tf
+++ b/modules/bigtable-instance/outputs.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/modules/bigtable-instance/variables.tf
+++ b/modules/bigtable-instance/variables.tf
@ -72,10 +72,10 @@ variable "iam" {
  default     = {}
 }
-variable "instance_type" {
+variable "labels" {
-  description = "(deprecated) The instance type to create. One of 'DEVELOPMENT' or 'PRODUCTION'."
+  description = "Labels to be attached to the instance."
-  type        = string
+  type        = map(string)
-  default     = null
+  default     = {}
 }
 variable "name" {
--- a/modules/bigtable-instance/versions.tf
+++ b/modules/bigtable-instance/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/billing-account/versions.tf
+++ b/modules/billing-account/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
@ -25,3 +25,5 @@ terraform {
    }
  }
 }
--- a/modules/binauthz/versions.tf
+++ b/modules/binauthz/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/README.md
+++ b/modules/cloud-config-container/README.md
@ -14,7 +14,6 @@ These modules are designed for several use cases:
 - [CoreDNS](./coredns)
 - [MySQL](./mysql)
 - [Nginx](./nginx)
 - [Squid forward proxy](./squid)
 - On-prem in Docker (*needs fixing*)
 ## Using the modules
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/__need_fixing/squid/README.md
+++ b/modules/cloud-config-container/__need_fixing/squid/README.md
@ -14,7 +14,7 @@ Logging and monitoring are enabled via the [Google Cloud Logging agent](https://
 The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
-For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../README.md) for more details on the included instance.
+For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../../README.md) for more details on the included instance.
 ## Examples
@ -24,7 +24,7 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0
 ```hcl
 module "cos-squid" {
-  source  = "./fabric/modules/cloud-config-container/squid"
+  source  = "./fabric/modules/cloud-config-container/__need_fixing/squid"
  allow   = [".github.com"]
  clients = ["10.0.0.0/8"]
 }
@ -43,9 +43,11 @@ module "vm" {
    google-logging-enabled = true
  }
  boot_disk = {
-    image = "projects/cos-cloud/global/images/family/cos-stable"
+    initialize_params = {
-    type  = "pd-ssd"
+      image = "projects/cos-cloud/global/images/family/cos-stable"
-    size  = 10
+      type  = "pd-ssd"
      size  = 10
    }
  }
  tags = ["http-server", "ssh"]
 }
--- a/modules/cloud-config-container/__need_fixing/squid/cloud-config.yaml
+++ b/modules/cloud-config-container/__need_fixing/squid/cloud-config.yaml
--- a/modules/cloud-config-container/__need_fixing/squid/docker/Dockerfile
+++ b/modules/cloud-config-container/__need_fixing/squid/docker/Dockerfile
--- a/modules/cloud-config-container/__need_fixing/squid/docker/cloudbuild.yaml
+++ b/modules/cloud-config-container/__need_fixing/squid/docker/cloudbuild.yaml
--- a/modules/cloud-config-container/__need_fixing/squid/docker/entrypoint.sh
+++ b/modules/cloud-config-container/__need_fixing/squid/docker/entrypoint.sh
--- a/modules/cloud-config-container/__need_fixing/squid/main.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/main.tf
--- a/modules/cloud-config-container/__need_fixing/squid/outputs.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/outputs.tf
--- a/modules/cloud-config-container/__need_fixing/squid/squid.conf
+++ b/modules/cloud-config-container/__need_fixing/squid/squid.conf
--- a/modules/cloud-config-container/__need_fixing/squid/variables.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/variables.tf
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/coredns/versions.tf
+++ b/modules/cloud-config-container/coredns/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
@ -26,3 +26,4 @@ terraform {
  }
 }
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tf
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/mysql/versions.tf
+++ b/modules/cloud-config-container/mysql/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/nginx-tls/versions.tf
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/nginx/versions.tf
+++ b/modules/cloud-config-container/nginx/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-config-container/simple-nva/README.md
+++ b/modules/cloud-config-container/simple-nva/README.md
@ -7,6 +7,7 @@ This NVAs can be used to interconnect up to 8 VPCs.
 The NVAs run [Container-Optimized OS (COS)](https://cloud.google.com/container-optimized-os/docs). COS is a Linux-based OS designed for running containers. By default, it only allows SSH ingress connections. To see the exact host firewall configuration, run `sudo iptables -L -v`. More info available in the [official](https://cloud.google.com/container-optimized-os/docs/how-to/firewall) documentation.
 To configure the firewall, you can either
 - use the [open_ports](variables.tf#L84) variable
 - for a thiner grain control, pass a custom bash script at startup with iptables commands
@ -55,6 +56,7 @@ module "vm" {
  zone               = "europe-west8-b"
  name               = "cos-nva"
  network_interfaces = local.network_interfaces
  can_ip_forward     = true
  metadata = {
    user-data              = module.cos-nva.cloud_config
    google-logging-enabled = true
@ -75,9 +77,9 @@ module "vm" {
 The sample code brings up [FRRouting](https://frrouting.org/) container.
-```
+```conf
 # tftest-file id=frr_conf path=./frr.conf
-# Example frr.conmf file
+# Example frr.conf file
 log syslog informational
 no ipv6 forwarding
@ -86,7 +88,7 @@ router bgp 65001
 line vty
 ```
-Following code assumes a file in the same folder named frr.conf exists. 
+Following code assumes a file in the same folder named frr.conf exists.
 ```hcl
 locals {
@ -126,6 +128,7 @@ module "vm" {
  zone               = "europe-west8-b"
  name               = "cos-nva"
  network_interfaces = local.network_interfaces
  can_ip_forward     = true
  metadata = {
    user-data              = module.cos-nva.cloud_config
    google-logging-enabled = true
--- a/modules/cloud-config-container/simple-nva/versions.tf
+++ b/modules/cloud-config-container/simple-nva/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-function-v1/versions.tf
+++ b/modules/cloud-function-v1/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-function-v2/versions.tf
+++ b/modules/cloud-function-v2/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-identity-group/versions.tf
+++ b/modules/cloud-identity-group/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloud-run/versions.tf
+++ b/modules/cloud-run/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/cloudsql-instance/versions.tf
+++ b/modules/cloudsql-instance/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/compute-mig/versions.tf
+++ b/modules/compute-mig/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/compute-vm/versions.tf
+++ b/modules/compute-vm/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/container-registry/versions.tf
+++ b/modules/container-registry/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/data-catalog-policy-tag/versions.tf
+++ b/modules/data-catalog-policy-tag/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/datafusion/versions.tf
+++ b/modules/datafusion/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/dataplex-datascan/versions.tf
+++ b/modules/dataplex-datascan/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/dataplex/versions.tf
+++ b/modules/dataplex/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/dataproc/versions.tf
+++ b/modules/dataproc/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/dns-response-policy/versions.tf
+++ b/modules/dns-response-policy/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/endpoints/versions.tf
+++ b/modules/endpoints/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@ -303,10 +303,9 @@ module "org" {
  tags = {
    environment = {
      description = "Environment specification."
      iam         = null
      values = {
-        dev  = null
+        dev  = {}
-        prod = null
+        prod = {}
      }
    }
  }
--- a/modules/folder/versions.tf
+++ b/modules/folder/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/gcs/versions.tf
+++ b/modules/gcs/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/gcve-private-cloud/versions.tf
+++ b/modules/gcve-private-cloud/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/gke-cluster-autopilot/versions.tf
+++ b/modules/gke-cluster-autopilot/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@ -310,27 +310,27 @@ module "cluster-1" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L179) | Cluster zone or region. | <code>string</code> | ✓ |  |
+| [location](variables.tf#L211) | Cluster zone or region. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L290) | Cluster name. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L322) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L326) | Cluster project id. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L358) | Cluster project id. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L337) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [vpc_config](variables.tf#L369) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [deletion_protection](variables.tf#L83) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [deletion_protection](variables.tf#L115) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L90) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [description](variables.tf#L122) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L96) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [enable_addons](variables.tf#L128) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [enable_features](variables.tf#L120) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  binary_authorization &#61; optional&#40;bool, false&#41;&#10;  cost_management      &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  shielded_nodes &#61; optional&#40;bool, false&#41;&#10;  tpu            &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [enable_features](variables.tf#L152) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  binary_authorization &#61; optional&#40;bool, false&#41;&#10;  cost_management      &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  shielded_nodes &#61; optional&#40;bool, false&#41;&#10;  tpu            &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [issue_client_certificate](variables.tf#L167) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [issue_client_certificate](variables.tf#L199) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L173) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [labels](variables.tf#L205) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L184) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_config](variables.tf#L216) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L205) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [maintenance_config](variables.tf#L237) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [max_pods_per_node](variables.tf#L228) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
+| [max_pods_per_node](variables.tf#L260) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
-| [min_master_version](variables.tf#L234) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [min_master_version](variables.tf#L266) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L240) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [monitoring_config](variables.tf#L272) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L295) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L327) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L305) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [node_locations](variables.tf#L337) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L312) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [private_cluster_config](variables.tf#L344) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L331) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L363) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
 ## Outputs
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@ -13,6 +13,13 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 locals {
  cas        = var.cluster_autoscaling
  cas_apd    = try(local.cas.auto_provisioning_defaults, null)
  cas_apd_us = try(local.cas_apd.upgrade_settings, null)
 }
 resource "google_container_cluster" "cluster" {
  provider    = google-beta
  project     = var.project_id
@ -40,7 +47,6 @@ resource "google_container_cluster" "cluster" {
    ? "ADVANCED_DATAPATH"
    : "DATAPATH_PROVIDER_UNSPECIFIED"
  )
  # the default node pool is deleted here, use the gke-nodepool module instead.
  # shielded nodes are controlled by the cluster-level enable_features variable
  node_config {
@ -55,7 +61,6 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  # gcfs_config deactivation need the block to be defined so it can't be dynamic
  node_pool_defaults {
    node_config_defaults {
@ -64,7 +69,6 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  addons_config {
    dns_cache_config {
      enabled = var.enable_addons.dns_cache
@ -106,81 +110,115 @@ resource "google_container_cluster" "cluster" {
      enabled = var.backup_configs.enable_backup_agent
    }
  }
  dynamic "authenticator_groups_config" {
    for_each = var.enable_features.groups_for_rbac != null ? [""] : []
    content {
      security_group = var.enable_features.groups_for_rbac
    }
  }
  dynamic "binary_authorization" {
    for_each = var.enable_features.binary_authorization ? [""] : []
    content {
      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
    }
  }
  dynamic "cost_management_config" {
    for_each = var.enable_features.cost_management == true ? [""] : []
    content {
      enabled = true
    }
  }
  dynamic "cluster_autoscaling" {
-    for_each = var.cluster_autoscaling == null ? [] : [""]
+    for_each = local.cas == null ? [] : [""]
    content {
-      enabled = true
+      enabled             = true
      autoscaling_profile = var.cluster_autoscaling.autoscaling_profile
      dynamic "auto_provisioning_defaults" {
-        for_each = var.cluster_autoscaling.auto_provisioning_defaults != null ? [""] : []
+        for_each = local.cas_apd != null ? [""] : []
        content {
-          boot_disk_kms_key = var.cluster_autoscaling.auto_provisioning_defaults.boot_disk_kms_key
+          boot_disk_kms_key = local.cas_apd.boot_disk_kms_key
-          disk_size         = var.cluster_autoscaling.auto_provisioning_defaults.disk_size
+          disk_size         = local.cas_apd.disk_size
-          disk_type         = var.cluster_autoscaling.auto_provisioning_defaults.disk_type
+          disk_type         = local.cas_apd.disk_type
-          image_type        = var.cluster_autoscaling.auto_provisioning_defaults.image_type
+          image_type        = local.cas_apd.image_type
-          oauth_scopes      = var.cluster_autoscaling.auto_provisioning_defaults.oauth_scopes
+          oauth_scopes      = local.cas_apd.oauth_scopes
-          service_account   = var.cluster_autoscaling.auto_provisioning_defaults.service_account
+          service_account   = local.cas_apd.service_account
          dynamic "management" {
-            for_each = var.cluster_autoscaling.auto_provisioning_defaults.management != null ? [""] : []
+            for_each = local.cas_apd.management != null ? [""] : []
            content {
-              auto_repair  = var.cluster_autoscaling.auto_provisioning_defaults.management.auto_repair
+              auto_repair  = local.cas_apd.management.auto_repair
-              auto_upgrade = var.cluster_autoscaling.auto_provisioning_defaults.management.auto_upgrade
+              auto_upgrade = local.cas_apd.management.auto_upgrade
            }
          }
          dynamic "shielded_instance_config" {
-            for_each = var.cluster_autoscaling.auto_provisioning_defaults.shielded_instance_config != null ? [""] : []
+            for_each = local.cas_apd.shielded_instance_config != null ? [""] : []
            content {
-              enable_integrity_monitoring = var.cluster_autoscaling.auto_provisioning_defaults.shielded_instance_config.integrity_monitoring
+              enable_integrity_monitoring = (
-              enable_secure_boot          = var.cluster_autoscaling.auto_provisioning_defaults.shielded_instance_config.secure_boot
+                local.cas_apd.shielded_instance_config.integrity_monitoring
              )
              enable_secure_boot = (
                local.cas_apd.shielded_instance_config.secure_boot
              )
            }
          }
          dynamic "upgrade_settings" {
            for_each = local.cas_apd_us != null ? [""] : []
            content {
              strategy = (
                local.cas_apd_us.blue_green != null ? "BLUE_GREEN" : "SURGE"
              )
              max_surge       = try(local.cas_apd_us.surge.max, null)
              max_unavailable = try(local.cas_apd_us.surge.unavailable, null)
              dynamic "blue_green_settings" {
                for_each = local.cas_apd_us.blue_green != null ? [""] : []
                content {
                  node_pool_soak_duration = (
                    local.cas_apd_us.blue_green.node_pool_soak_duration
                  )
                  dynamic "standard_rollout_policy" {
                    for_each = (
                      local.cas_apd_us.blue_green.standard_rollout_policy != null
                      ? [""]
                      : []
                    )
                    content {
                      batch_node_count = (
                        local.cas_apd_us.blue_green.standard_rollout_policy.batch_node_count
                      )
                      batch_percentage = (
                        local.cas_apd_us.blue_green.standard_rollout_policy.batch_percentage
                      )
                      batch_soak_duration = (
                        local.cas_apd_us.blue_green.standard_rollout_policy.batch_soak_duration
                      )
                    }
                  }
                }
              }
            }
          }
        }
      }
      dynamic "resource_limits" {
-        for_each = var.cluster_autoscaling.cpu_limits != null ? [""] : []
+        for_each = local.cas.cpu_limits != null ? [""] : []
        content {
          resource_type = "cpu"
-          minimum       = var.cluster_autoscaling.cpu_limits.min
+          minimum       = local.cas.cpu_limits.min
-          maximum       = var.cluster_autoscaling.cpu_limits.max
+          maximum       = local.cas.cpu_limits.max
        }
      }
      dynamic "resource_limits" {
-        for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
+        for_each = local.cas.mem_limits != null ? [""] : []
        content {
          resource_type = "memory"
-          minimum       = var.cluster_autoscaling.mem_limits.min
+          minimum       = local.cas.mem_limits.min
-          maximum       = var.cluster_autoscaling.mem_limits.max
+          maximum       = local.cas.mem_limits.max
        }
      }
      dynamic "resource_limits" {
        for_each = (
-          try(var.cluster_autoscaling.gpu_resources, null) == null
+          try(local.cas.gpu_resources, null) == null
          ? []
-          : var.cluster_autoscaling.gpu_resources
+          : local.cas.gpu_resources
        )
        iterator = gpu_resources
        content {
@ -191,7 +229,6 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  dynamic "database_encryption" {
    for_each = var.enable_features.database_encryption != null ? [""] : []
    content {
@ -199,7 +236,6 @@ resource "google_container_cluster" "cluster" {
      key_name = var.enable_features.database_encryption.key_name
    }
  }
  dynamic "dns_config" {
    for_each = var.enable_features.dns != null ? [""] : []
    content {
@ -208,31 +244,36 @@ resource "google_container_cluster" "cluster" {
      cluster_dns_domain = var.enable_features.dns.domain
    }
  }
  dynamic "gateway_api_config" {
    for_each = var.enable_features.gateway_api ? [""] : []
    content {
      channel = "CHANNEL_STANDARD"
    }
  }
  dynamic "ip_allocation_policy" {
    for_each = var.vpc_config.secondary_range_blocks != null ? [""] : []
    content {
-      cluster_ipv4_cidr_block  = var.vpc_config.secondary_range_blocks.pods
+      cluster_ipv4_cidr_block = (
-      services_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.services
+        var.vpc_config.secondary_range_blocks.pods
-      stack_type               = var.vpc_config.stack_type
+      )
      services_ipv4_cidr_block = (
        var.vpc_config.secondary_range_blocks.services
      )
      stack_type = var.vpc_config.stack_type
    }
  }
  dynamic "ip_allocation_policy" {
    for_each = var.vpc_config.secondary_range_names != null ? [""] : []
    content {
-      cluster_secondary_range_name  = var.vpc_config.secondary_range_names.pods
+      cluster_secondary_range_name = (
-      services_secondary_range_name = var.vpc_config.secondary_range_names.services
+        var.vpc_config.secondary_range_names.pods
-      stack_type                    = var.vpc_config.stack_type
+      )
      services_secondary_range_name = (
        var.vpc_config.secondary_range_names.services
      )
      stack_type = var.vpc_config.stack_type
    }
  }
  # Send GKE cluster logs from chosen sources to Cloud Logging.
  # System logs must be enabled if any other source is enabled.
  # This is validated by input variable validation rules.
@ -256,7 +297,6 @@ resource "google_container_cluster" "cluster" {
      enable_components = []
    }
  }
  maintenance_policy {
    dynamic "daily_maintenance_window" {
      for_each = (
@ -294,13 +334,11 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  master_auth {
    client_certificate_config {
      issue_client_certificate = var.issue_client_certificate
    }
  }
  dynamic "master_authorized_networks_config" {
    for_each = var.vpc_config.master_authorized_ranges != null ? [""] : []
    content {
@ -314,14 +352,12 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  dynamic "mesh_certificates" {
    for_each = var.enable_features.mesh_certificates != null ? [""] : []
    content {
      enable_certificates = var.enable_features.mesh_certificates
    }
  }
  monitoring_config {
    enable_components = toset(compact([
      # System metrics is the minimum requirement if any other metrics are enabled. This is checked by input var validation.
@ -342,7 +378,6 @@ resource "google_container_cluster" "cluster" {
      enabled = var.monitoring_config.enable_managed_prometheus
    }
  }
  # Dataplane V2 has built-in network policies
  dynamic "network_policy" {
    for_each = (
@ -355,7 +390,6 @@ resource "google_container_cluster" "cluster" {
      provider = "CALICO"
    }
  }
  dynamic "notification_config" {
    for_each = var.enable_features.upgrade_notifications != null ? [""] : []
    content {
@ -369,7 +403,6 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  dynamic "private_cluster_config" {
    for_each = (
      var.private_cluster_config != null ? [""] : []
@ -383,21 +416,18 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  dynamic "pod_security_policy_config" {
    for_each = var.enable_features.pod_security_policy ? [""] : []
    content {
      enabled = var.enable_features.pod_security_policy
    }
  }
  dynamic "release_channel" {
    for_each = var.release_channel != null ? [""] : []
    content {
      channel = var.release_channel
    }
  }
  dynamic "resource_usage_export_config" {
    for_each = (
      try(var.enable_features.resource_usage_export.dataset, null) != null
@ -416,14 +446,12 @@ resource "google_container_cluster" "cluster" {
      }
    }
  }
  dynamic "vertical_pod_autoscaling" {
    for_each = var.enable_features.vertical_pod_autoscaling ? [""] : []
    content {
      enabled = var.enable_features.vertical_pod_autoscaling
    }
  }
  dynamic "workload_identity_config" {
    for_each = var.enable_features.workload_identity ? [""] : []
    content {
@ -436,7 +464,11 @@ resource "google_container_cluster" "cluster" {
 }
 resource "google_gke_backup_backup_plan" "backup_plan" {
-  for_each = var.backup_configs.enable_backup_agent ? var.backup_configs.backup_plans : {}
+  for_each = (
    var.backup_configs.enable_backup_agent
    ? var.backup_configs.backup_plans
    : {}
  )
  name     = each.key
  cluster  = google_container_cluster.cluster.id
  location = each.value.region
@ -449,19 +481,20 @@ resource "google_gke_backup_backup_plan" "backup_plan" {
  backup_schedule {
    cron_schedule = each.value.schedule
  }
  backup_config {
    include_volume_data = each.value.include_volume_data
    include_secrets     = each.value.include_secrets
    dynamic "encryption_key" {
      for_each = each.value.encryption_key != null ? [""] : []
      content {
        gcp_kms_encryption_key = each.value.encryption_key
      }
    }
-
+    all_namespaces = (
-    all_namespaces = lookup(each.value, "namespaces", null) != null || lookup(each.value, "applications", null) != null ? null : true
+      lookup(each.value, "namespaces", null) != null
      ||
      lookup(each.value, "applications", null) != null ? null : true
    )
    dynamic "selected_namespaces" {
      for_each = each.value.namespaces != null ? [""] : []
      content {
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@ -54,6 +54,21 @@ variable "cluster_autoscaling" {
        integrity_monitoring = optional(bool, true)
        secure_boot          = optional(bool, false)
      }))
      upgrade_settings = optional(object({
        blue_green = optional(object({
          node_pool_soak_duration = optional(string)
          standard_rollout_policy = optional(object({
            batch_percentage    = optional(number)
            batch_node_count    = optional(number)
            batch_soak_duration = optional(string)
          }))
        }))
        surge = optional(object({
          max         = optional(number)
          unavailable = optional(number)
        }))
      }))
      # add validation rule to ensure only one is present if upgrade settings is defined
    }))
    cpu_limits = optional(object({
      min = number
@ -71,13 +86,30 @@ variable "cluster_autoscaling" {
  })
  default = null
  validation {
-    condition     = (var.cluster_autoscaling == null ? true : contains(["BALANCED", "OPTIMIZE_UTILIZATION"], var.cluster_autoscaling.autoscaling_profile))
+    condition = (var.cluster_autoscaling == null ? true : contains(
      ["BALANCED", "OPTIMIZE_UTILIZATION"],
      var.cluster_autoscaling.autoscaling_profile
    ))
    error_message = "Invalid autoscaling_profile."
  }
  validation {
-    condition     = (var.cluster_autoscaling == null ? true : contains(["pd-standard", "pd-ssd", "pd-balanced"], var.cluster_autoscaling.auto_provisioning_defaults.disk_type))
+    condition = (
      var.cluster_autoscaling == null ? true : contains(
        ["pd-standard", "pd-ssd", "pd-balanced"],
      var.cluster_autoscaling.auto_provisioning_defaults.disk_type)
    )
    error_message = "Invalid disk_type."
  }
  validation {
    condition = (
      try(var.cluster_autoscaling.upgrade_settings, null) == null || (
        try(var.cluster_autoscaling.upgrade_settings.blue_green, null) == null ? 0 : 1
        +
        try(var.cluster_autoscaling.upgrade_settings.surge, null) == null ? 0 : 1
      ) == 1
    )
    error_message = "Upgrade settings can only use blue/green or surge."
  }
 }
 variable "deletion_protection" {
--- a/modules/gke-cluster-standard/versions.tf
+++ b/modules/gke-cluster-standard/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/gke-hub/versions.tf
+++ b/modules/gke-hub/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/gke-nodepool/versions.tf
+++ b/modules/gke-nodepool/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/iam-service-account/versions.tf
+++ b/modules/iam-service-account/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/kms/versions.tf
+++ b/modules/kms/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/logging-bucket/versions.tf
+++ b/modules/logging-bucket/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/ncc-spoke-ra/versions.tf
+++ b/modules/ncc-spoke-ra/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/net-address/versions.tf
+++ b/modules/net-address/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/net-cloudnat/versions.tf
+++ b/modules/net-cloudnat/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/net-firewall-policy/versions.tf
+++ b/modules/net-firewall-policy/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/modules/net-ipsec-over-interconnect/versions.tf
+++ b/modules/net-ipsec-over-interconnect/versions.tf
@ -13,7 +13,7 @@
 # limitations under the License.
 terraform {
-  required_version = ">= 1.4.4"
+  required_version = ">= 1.5.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
--- a/Show More
+++ b/Show More