feat: (IAC-1312) Update Dependencies to Resolve Security Warnings (#203)

Dockerfile

@@ -1,8 +1,8 @@
 # Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-ARG TERRAFORM_VERSION=1.4.5
-ARG GCP_CLI_VERSION=440.0.0
+ARG TERRAFORM_VERSION=1.7.0
+ARG GCP_CLI_VERSION=460.0.0
 
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 FROM google/cloud-sdk:$GCP_CLI_VERSION-alpine

README.md

@@ -31,10 +31,10 @@ Operational knowledge of
 
 - Terraform or Docker
   - #### Terraform
-    - [Terraform](https://www.terraform.io/downloads.html) - v1.4.5
+    - [Terraform](https://www.terraform.io/downloads.html) - v1.7.0
     - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.27.8
     - [jq](https://stedolan.github.io/jq/) - v1.6
-    - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v440.0.0
+    - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v460.0.0
     - [gke-gcloud-auth-plugin](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_plugin) - (optional - only for provider based Kubernetes configuration files) - >= v1.26
   - #### Docker
     - [Docker](https://docs.docker.com/get-docker/)

main.tf

@@ -91,7 +91,7 @@ data "google_container_engine_versions" "gke-version" {
 
 module "gke" {
   source                        = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
-  version                       = "25.0.0"
+  version                       = "~> 29.0.0"
   project_id                    = var.project
   name                          = "${var.prefix}-gke"
   region                        = local.region
@@ -126,6 +126,9 @@ module "gke" {
 
   monitoring_enable_managed_prometheus = var.enable_managed_prometheus
 
+  # allows the cluster to be deleted by TF
+  deletion_protection = false
+
   cluster_autoscaling = var.enable_cluster_autoscaling ? {
     enabled : true,
     max_cpu_cores : var.cluster_autoscaling_max_cpu_cores,
@@ -236,7 +239,7 @@ resource "local_file" "kubeconfig" {
 # Module Registry - https://registry.terraform.io/modules/GoogleCloudPlatform/sql-db/google/12.0.0/submodules/postgresql
 module "postgresql" {
   source     = "GoogleCloudPlatform/sql-db/google//modules/postgresql"
-  version    = "15.0.0"
+  version    = "~> 18.2.0"
   project_id = var.project
 
   for_each = local.postgres_servers != null ? length(local.postgres_servers) != 0 ? local.postgres_servers : {} : {}
@@ -288,7 +291,7 @@ module "postgresql" {
 
 module "sql_proxy_sa" {
   source        = "terraform-google-modules/service-accounts/google"
-  version       = "4.2.1"
+  version       = "~> 4.2.2"
   count         = var.postgres_servers != null ? length(var.postgres_servers) != 0 ? 1 : 0 : 0
   project_id    = var.project
   prefix        = var.prefix

modules/google_vm/main.tf

@@ -3,7 +3,7 @@
 
 module "address" {
   source       = "terraform-google-modules/address/google"
-  version      = "3.1.2"
+  version      = "~> 3.2.0"
   project_id   = var.project
   region       = var.region
   address_type = "EXTERNAL"

network.tf

@@ -11,7 +11,7 @@ data "google_compute_address" "nat_address" {
 module "nat_address" {
   count        = length(var.nat_address_name) == 0 ? 1 : 0
   source       = "terraform-google-modules/address/google"
-  version      = "3.1.2"
+  version      = "~> 3.2.0"
   project_id   = var.project
   region       = local.region
   address_type = "EXTERNAL"
@@ -23,14 +23,16 @@ module "nat_address" {
 module "cloud_nat" {
   count         = length(var.nat_address_name) == 0 ? 1 : 0
   source        = "terraform-google-modules/cloud-nat/google"
-  version       = "3.0.0"
+  version       = "~> 5.0.0"
   project_id    = var.project
   name          = "${var.prefix}-cloud-nat"
   region        = local.region
   create_router = true
   router        = "${var.prefix}-router"
   network       = module.vpc.network_self_link
   nat_ips       = module.nat_address[0].self_links
+  # this was disabled by default in v5.0.0, setting to true to retain previous behavior
+  enable_endpoint_independent_mapping = true
 }
 
 module "vpc" {
@@ -66,6 +68,11 @@ resource "google_service_networking_connection" "private_vpc_connection" {
   network                 = module.vpc.network_name
   service                 = "servicenetworking.googleapis.com"
   reserved_peering_ranges = [google_compute_global_address.private_ip_address[0].name]
+
+  # required as of hashicorp/google v5.12.0 when using google_service_networking_connection in
+  # conjunction with CloudSQL instances in order to cleanly delete resources
+  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_networking_connection
+  deletion_policy         = "ABANDON"
 }
 
 resource "google_compute_firewall" "nfs_vm_cluster_firewall" {

variables.tf

@@ -242,7 +242,7 @@ variable "default_nodepool_locations" {
 
 variable "node_pools" {
   description = "Node pool definitions"
-  type        = map(object({
+  type = map(object({
     vm_type           = string
     os_disk_size      = number
     min_nodes         = string
@@ -260,7 +260,7 @@ variable "node_pools" {
       "min_nodes"    = 1
       "max_nodes"    = 5
       "node_taints"  = ["workload.sas.com/class=cas:NoSchedule"]
-      "node_labels"  = {
+      "node_labels" = {
         "workload.sas.com/class" = "cas"
       }
       "local_ssd_count"   = 0
@@ -273,7 +273,7 @@ variable "node_pools" {
       "min_nodes"    = 1
       "max_nodes"    = 5
       "node_taints"  = ["workload.sas.com/class=compute:NoSchedule"]
-      "node_labels"  = {
+      "node_labels" = {
         "workload.sas.com/class"        = "compute"
         "launcher.sas.com/prepullImage" = "sas-programming-environment"
       }
@@ -287,7 +287,7 @@ variable "node_pools" {
       "min_nodes"    = 1
       "max_nodes"    = 5
       "node_taints"  = ["workload.sas.com/class=stateless:NoSchedule"]
-      "node_labels"  = {
+      "node_labels" = {
         "workload.sas.com/class" = "stateless"
       }
       "local_ssd_count"   = 0
@@ -300,7 +300,7 @@ variable "node_pools" {
       "min_nodes"    = 1
       "max_nodes"    = 3
       "node_taints"  = ["workload.sas.com/class=stateful:NoSchedule"]
-      "node_labels"  = {
+      "node_labels" = {
         "workload.sas.com/class" = "stateful"
       }
       "local_ssd_count"   = 0
@@ -350,7 +350,7 @@ variable "cluster_autoscaling_max_memory_gb" {
 variable "postgres_server_defaults" {
   description = "default values for a postgres server"
   type        = any
-  default     = {
+  default = {
     machine_type                           = "db-custom-8-30720"
     storage_gb                             = 10
     backups_enabled                        = true

versions.tf

@@ -7,35 +7,35 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.63.1"
+      version = "5.12.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "4.63.1"
+      version = "5.12.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.20.0" # Constrained by Google
+      version = "~> 2.25" # Constrained by Google
     }
     local = {
       source  = "hashicorp/local"
-      version = "2.4.0"
+      version = "~> 2.4"
     }
     random = {
       source  = "hashicorp/random"
-      version = "3.5.1" # Constrained by Google
+      version = "~> 3.6" # Constrained by Google
     }
     null = {
       source  = "hashicorp/null"
-      version = "3.2.1" # Constrained by Google
+      version = "~> 3.2" # Constrained by Google
     }
     external = {
       source  = "hashicorp/external"
-      version = "2.3.1" # Constrained by Google
+      version = "~> 2.3" # Constrained by Google
     }
     time = {
       source  = "hashicorp/time"
-      version = "0.9.1"
+      version = "~> 0.10"
     }
   }
 }