Standard changes for release 5.2.0 (#552)

* Update release version and branch references for 5.2.0. Tested sample deployment.

* Add GCB config for release testing. Update helm chart to 2.2.0. Remove forseti_version from test fixtures, this will be provided by GCB config.

* Update all test fixtures to use master branch by default. Previously test fixtures had to specify the forseti version or would deploy using the last release. Regular PRs should run tests against Forseti master, and release PRs should run against the targeted Forseti release version.

* Increase build time to 3 hours :(

CHANGELOG.md

@@ -6,7 +6,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
-## [Unreleased] - TBD
+## [v5.2.0] - 2020-03-18
 
 ### Added
 - Configure firewall rules in support of private Client and Server [#391]
@@ -24,6 +24,20 @@ Extending the adopted spec, each change should have a link to its corresponding
 - Update version in README [#426]
 - Removed simple_example [#444]
 - Create CONTRIBUTORS file [#454]
+- Expose Cloud SQL instance IP [#483]
+- CAI - Add k8s.io/Service resource [#485]
+- Ability to configure shielded instance config [#488]
+- Create Governance file [#535]
+- Update stale bot [#534]
+- Support Bring-Your-Own Service Accounts [#546]
+- Automated roles and APIs needed for Forseti on-GKE deployment [#498]
+- Bump google provider version to 3.7 [#502]
+- Update Cloud shell tutorial and other links to point to modulerelease512 [#503]
+- Ability to exclude client VM [#504]
+- Added functionality to enable/disable role scanner [#526]
+- Input for the Policy Library check of the CV scanner [#529]
+- Update stale.yml [#534]
+- Create GOVERNANCE.md [#535]
 
 ### Fixed
 - Fix space in Location Rules template [#392]
@@ -36,14 +50,34 @@ Extending the adopted spec, each change should have a link to its corresponding
 - Fix validate error [#449]
 - Increased open files limit to fix OSError: [Errno 24] Too many open files [#450]
 - Sync policy library with gsutil rsync [#463]
+- Fix security reviewer role name [#466]
+- Fix cloudsql password [#472]
+- Add service usage service resource [#473]
+- Use internal DNS for client -> server communication [#482]
+- Pin helm provider version to 0.10.* for Helm 2 [#495]
+- Fix GKE example [#508]
+- manage_rules_enabled=false should not prevent Forseti service from starting [#512]
+- Corrected description for blacklist scanner [#525]
+
+## [v5.1.3] - 2020-02-25
+
+### Added
+
+- Support for Forseti v2.24.2 [#524]
+
+## [v5.1.2] - 2020-02-07
+
+### Added
+
+- Support for Forseti v2.24.1 [#499]
 
 ## [v5.1.1] - 2020-01-14
 
 ### Fixed
 - Update the Bigquery api to the new name
 
 
-## [5.1.0] - 2019-11-15
+## [v5.1.0] - 2019-11-15
 
 ### Added
 - Support for Forseti v2.24.0 [#386]
@@ -68,7 +102,19 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Removed
 - Issue templates [#365]
 
-## [5.0.0] - 2019-10-17
+## [v5.0.2] - 2020-02-24
+
+### Added
+
+- Support for Forseti v2.23.2 [#518]
+
+## [v5.0.1] - 2020-01-31
+
+### Added
+
+- Support for Forseti v2.23.1 [#476]
+
+## [v5.0.0] - 2019-10-17
 Version 5.0.0 is a backwards-incompatible release. Please see the [upgrade instructions](./docs/upgrading_to_v5.0.md) for details.
 
 ### Added
@@ -326,7 +372,7 @@ Version 4.0.0 is a backwards-incompatible release. Please see the [upgrade instr
 ### ADDED
 - This is the initial release of the Forseti module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.1...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.2.0...HEAD
 [v0.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/releases/tag/v0.1.0
 [v1.0.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v0.1.0...v1.0.0
 [v1.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v1.0.0...v1.1.0
@@ -350,9 +396,35 @@ Version 4.0.0 is a backwards-incompatible release. Please see the [upgrade instr
 [v4.2.1]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v4.1.0...v4.2.1
 [v4.3.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v4.2.1...v4.3.0
 [v5.0.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v4.3.0...v5.0.0
-[v5.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.0.0...v5.1.0
+[v5.0.1]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.0.0...v5.0.1
+[v5.0.2]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.0.1...v5.0.2
+[v5.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.0.2...v5.1.0
 [v5.1.1]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.0...v5.1.1
-
+[v5.1.2]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.1...v5.1.2
+[v5.1.3]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.2...v5.1.3
+[v5.2.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.3...v5.2.0
+
+[#546]: https://github.com/forseti-security/terraform-google-forseti/pull/546
+[#535]: https://github.com/forseti-security/terraform-google-forseti/pull/535
+[#534]: https://github.com/forseti-security/terraform-google-forseti/pull/534
+[#529]: https://github.com/forseti-security/terraform-google-forseti/pull/529
+[#526]: https://github.com/forseti-security/terraform-google-forseti/pull/526
+[#525]: https://github.com/forseti-security/terraform-google-forseti/pull/525
+[#518]: https://github.com/forseti-security/terraform-google-forseti/pull/518
+[#512]: https://github.com/forseti-security/terraform-google-forseti/pull/512
+[#508]: https://github.com/forseti-security/terraform-google-forseti/pull/508
+[#508]: https://github.com/forseti-security/terraform-google-forseti/pull/504
+[#508]: https://github.com/forseti-security/terraform-google-forseti/pull/503
+[#502]: https://github.com/forseti-security/terraform-google-forseti/pull/502
+[#498]: https://github.com/forseti-security/terraform-google-forseti/pull/498
+[#495]: https://github.com/forseti-security/terraform-google-forseti/pull/495
+[#488]: https://github.com/forseti-security/terraform-google-forseti/pull/488
+[#485]: https://github.com/forseti-security/terraform-google-forseti/pull/485
+[#483]: https://github.com/forseti-security/terraform-google-forseti/pull/483
+[#482]: https://github.com/forseti-security/terraform-google-forseti/pull/482
+[#476]: https://github.com/forseti-security/terraform-google-forseti/pull/476
+[#472]: https://github.com/forseti-security/terraform-google-forseti/pull/472
+[#466]: https://github.com/forseti-security/terraform-google-forseti/pull/466
 [#463]: https://github.com/forseti-security/terraform-google-forseti/pull/463
 [#454]: https://github.com/forseti-security/terraform-google-forseti/pull/454
 [#450]: https://github.com/forseti-security/terraform-google-forseti/pull/450

README.md

@@ -7,7 +7,7 @@ A Google Cloud Shell Walkthrough has been setup to make it easy for users who ar
 
 If you are familiar with Terraform and would like to run Terraform from a different machine, you can skip this walkthrough and move onto the [How to Deploy](#how-to-deploy) section.
 
-[![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease512&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
+[![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease520&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
 
 ## How to Deploy
 In order to run this module you will need to be authenticated as a user that has access to the project and can create/authorize service accounts at both the organization and project levels. To login to GCP from a shell:
@@ -20,7 +20,7 @@ gcloud auth login
 The repository has several helper scripts that can be used with the deployment process.
 
 ```bash
-git clone --branch modulerelease512 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
+git clone --branch modulerelease520 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
 ```
 
 ### Install Terraform
@@ -244,7 +244,7 @@ For this module to work, you need the following APIs enabled on the Forseti proj
 | forseti\_home | Forseti installation directory | string | `"$USER_HOME/forseti-security"` | no |
 | forseti\_repo\_url | Git repo for the Forseti installation | string | `"https://github.com/forseti-security/forseti-security"` | no |
 | forseti\_run\_frequency | Schedule of running the Forseti scans | string | `"null"` | no |
-| forseti\_version | The version of Forseti to install | string | `"v2.24.0"` | no |
+| forseti\_version | The version of Forseti to install | string | `"v2.25.0"` | no |
 | forwarding\_rule\_enabled | Forwarding rule scanner enabled. | bool | `"false"` | no |
 | forwarding\_rule\_violations\_should\_notify | Notify for forwarding rule violations | bool | `"true"` | no |
 | group\_enabled | Group scanner enabled. | bool | `"true"` | no |

build/int-release.cloudbuild.yaml

@@ -0,0 +1,44 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+timeout: 7200s
+steps:
+- id: prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment']
+  env:
+  - 'TF_VAR_org_id=$_ORG_ID'
+  - 'TF_VAR_folder_id=$_FOLDER_ID'
+  - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
+- id: create
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+- id: converge
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
+  env:
+  - 'TF_VAR_forseti_version=$_FORSETI_VERSION'
+- id: verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify']
+- id: destroy
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+tags:
+- 'ci'
+- 'integration'
+substitutions:
+  _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
+  _FORSETI_VERSION: 'v2.25.0'

build/int.cloudbuild.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-timeout: 7200s
+timeout: 10800s
 steps:
 - id: prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'

examples/install_simple/README.md

@@ -2,7 +2,7 @@
 
 This configuration is used to simply install Forseti. It includes a full Cloud Shell [tutorial](./tutorial.md).
 
-[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease512&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
+[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease520&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
@@ -12,7 +12,7 @@ This configuration is used to simply install Forseti. It includes a full Cloud S
 | domain | The domain associated with the GCP Organization ID | string | n/a | yes |
 | forseti\_email\_recipient | Forseti email recipient. | string | `""` | no |
 | forseti\_email\_sender | Forseti email sender. | string | `""` | no |
-| forseti\_version | The version of Forseti to install | string | `"v2.24.0"` | no |
+| forseti\_version | The version of Forseti to install | string | `"v2.25.0"` | no |
 | gsuite\_admin\_email | The email of a GSuite super admin, used for pulling user directory information *and* sending notifications. | string | n/a | yes |
 | instance\_metadata | Metadata key/value pairs to make available from within the client and server instances. | map(string) | `<map>` | no |
 | instance\_tags | Tags to assign the client and server instances. | list(string) | `<list>` | no |

examples/install_simple/variables.tf

@@ -65,7 +65,7 @@ variable "forseti_email_recipient" {
 
 variable "forseti_version" {
   description = "The version of Forseti to install"
-  default     = "v2.24.0"
+  default     = "v2.25.0"
 }
 
 variable "region" {

examples/migrate_forseti/tutorial.md

@@ -160,7 +160,7 @@ to match the region where the CAI GCS bucket is deployed.
 Starting with Forseti Security 2.23, Terraform will manage your server
  configuration file for you.  Configuration options will now be input
  variables that are defined in the Terraform module. Available variables
- and their default values can be found [here](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease512/variables.tf).
+ and their default values can be found [here](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease520/variables.tf).
  Default values will be used if values are not explicitly added.
  This will ensure upgrading Forseti will be as easy as possible going forward.
 
@@ -202,10 +202,10 @@ to your <walkthrough-editor-select-regex
   regex="Add any Forseti Server Configuration Variables Here">main.tf</walkthrough-editor-select-regex>.
 
 ## Obtain and Run the Import Script
-This [import script](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease512/helpers/import.sh) will import the Forseti GCP resources into a local state file.
+This [import script](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease520/helpers/import.sh) will import the Forseti GCP resources into a local state file.
 
 ```sh
-curl --location --remote-name https://raw.githubusercontent.com/forseti-security/terraform-google-forseti/modulerelease512/helpers/import.sh
+curl --location --remote-name https://raw.githubusercontent.com/forseti-security/terraform-google-forseti/modulerelease520/helpers/import.sh
 chmod +x import.sh
 ./import.sh -h
 ```

examples/on_gke_end_to_end/README.md

@@ -76,8 +76,8 @@ This script will also activate necessary APIs required for Terraform to deploy F
 | gsuite\_admin\_email | G-Suite administrator email address to manage your Forseti installation | string | n/a | yes |
 | helm\_repository\_url | The Helm repository containing the 'forseti-security' Helm charts | string | `"https://forseti-security-charts.storage.googleapis.com/release/"` | no |
 | k8s\_forseti\_namespace | The Kubernetes namespace in which to deploy Forseti. | string | `"forseti"` | no |
-| k8s\_forseti\_orchestrator\_image\_tag | The tag for the container image for the Forseti orchestrator | string | `"v2.24.0"` | no |
-| k8s\_forseti\_server\_image\_tag | The tag for the container image for the Forseti server | string | `"v2.24.0"` | no |
+| k8s\_forseti\_orchestrator\_image\_tag | The tag for the container image for the Forseti orchestrator | string | `"v2.25.0"` | no |
+| k8s\_forseti\_server\_image\_tag | The tag for the container image for the Forseti server | string | `"v2.25.0"` | no |
 | k8s\_tiller\_sa\_name | The Kubernetes Service Account used by Tiller | string | `"tiller"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"1.14.10-gke.17"` | no |
 | network | The name of the VPC being created | string | `"forseti-gke-network"` | no |

examples/on_gke_end_to_end/variables.tf

@@ -126,12 +126,12 @@ variable "k8s_tiller_sa_name" {
 
 variable "k8s_forseti_orchestrator_image_tag" {
   description = "The tag for the container image for the Forseti orchestrator"
-  default     = "v2.24.0"
+  default     = "v2.25.0"
 }
 
 variable "k8s_forseti_server_image_tag" {
   description = "The tag for the container image for the Forseti server"
-  default     = "v2.24.0"
+  default     = "v2.25.0"
 }
 
 variable "kubernetes_version" {

examples/shared_vpc/README.md

@@ -8,7 +8,7 @@ This example illustrates how to set up a Forseti installation with shared VPC.
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | domain | Organization domain | string | n/a | yes |
-| forseti\_version | The version of Forseti to install | string | `"v2.24.0"` | no |
+| forseti\_version | The version of Forseti to install | string | `"v2.25.0"` | no |
 | gsuite\_admin\_email | G Suite admin email | string | n/a | yes |
 | instance\_metadata | Metadata key/value pairs to make available from within the client and server instances. | map(string) | `<map>` | no |
 | network | Name of the shared VPC | string | n/a | yes |

examples/shared_vpc/variables.tf

@@ -16,7 +16,7 @@
 
 variable "forseti_version" {
   description = "The version of Forseti to install"
-  default     = "v2.24.0"
+  default     = "v2.25.0"
 }
 
 variable "network_project" {

modules/client/variables.tf

@@ -23,7 +23,7 @@ variable "project_id" {
 
 variable "forseti_version" {
   description = "The version of Forseti to install"
-  default     = "v2.24.0"
+  default     = "v2.25.0"
 }
 
 variable "forseti_repo_url" {