cloudsecuritycompliance: replace organization with parent to support PLE #1342

Merged
modular-magician merged 1 commit into terraform-google-modules:master from modular-magician:downstream-pr-fbe417ab7d4cc96c24d79137c2b492289a2f6f06
Jun 10, 2026
Conversation

@modular-magician

Collaborator

Description

This PR introduces Project Level Enablement (PLE) support for Cloud Security Compliance resources. Previously, these resources were strictly bound to the organization level. This change allows users to create and manage controls, frameworks, and deployments at the project level as well.

Key Changes:

  • Introduced parent: Replaced the hardcoded organization parameter with a flexible parent parameter across CloudControl, Framework, and FrameworkDeployment.
  • Backward Compatibility: The organization field is now marked as deprecated, but old configurations remain fully supported.
    • Added exactly_one_of: [parent, organization] with both fields marked as optional: true to allow seamless migration.
    • Added a pre_create custom code hook (cloudsecuritycompliance_set_parent.go.tmpl) to automatically construct the parent string for users who only provide organization.
    • Preserved the Terraform Identity Schema by keeping the legacy organizations/{{%organization}}/... format as the first entry in import_format, ensuring no state corruption for existing users.
  • Perpetual Diff Fix: Added diff_suppress_func: 'tpgresource.CompareResourceNames' to targetResourceConfig.existingTargetResource in FrameworkDeployment.yaml to prevent state drift when the API normalizes between project IDs and project numbers.
  • Expanded Testing: Added comprehensive Terraform acceptance tests demonstrating project-level configurations, folder-level deployments, and targeting specific applications like App Hub.

Release Note Template for Downstream PRs

See Write release notes for guidance.

cloudsecuritycompliance: added support for project parent to `google_cloud_security_compliance_cloud_control`, `google_cloud_security_compliance_framework`, and `google_cloud_security_compliance_framework_deployment` via the new `parent` field. The `organization` field has been deprecated.
cloudsecuritycompliance: deprecated the `organization` field on `google_cloud_security_compliance_cloud_control`, `google_cloud_security_compliance_framework`, and `google_cloud_security_compliance_framework_deployment`. Use `parent` instead

Derived from GoogleCloudPlatform/magic-modules#17644

…LE (#17644)

[upstream:fbe417ab7d4cc96c24d79137c2b492289a2f6f06]

Signed-off-by: Modular Magician <magic-modules@google.com>
@modular-magician modular-magician merged commit c240667 into terraform-google-modules:master Jun 10, 2026
3 checks passed