Merge branch 'GoogleCloudPlatform:main' into b_341109181

.github/workflows/build-downstream.yml

@@ -10,14 +10,14 @@ on:
         type: string
 
 concurrency:
-  group: ${{ inputs.repo  }}-${{ github.event_name == 'pull_request' && format('pr-{0}-', github.event.pull_request.number) || format('commit-{0}', github.sha) }}
+  group: ${{ inputs.repo }}-${{ github.event_name == 'merge_group' && format('merge-group-{0}', github.event.merge_group.head_sha) || github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('commit-{0}', github.sha) }}
   cancel-in-progress: true
 
 jobs:
   generate-repository:
     runs-on: ubuntu-22.04
     env:
-      BASE_BRANCH: ${{ github.event.pull_request.base.ref || github.ref_name }}
+      BASE_BRANCH: ${{ github.event_name == 'merge_group' && github.event.merge_group.base_ref || github.event.pull_request.base.ref || github.ref_name }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout Repository

.github/workflows/downstreams.yml

@@ -6,9 +6,12 @@ on:
     branches:
       - main
       - 'FEATURE-BRANCH-*'
+  merge_group:
+    types: [checks_requested]
+
 
 concurrency:
-  group: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('commit-{0}', github.sha) }}
+  group: ${{ github.event_name == 'merge_group' && format('merge-group-{0}', github.event.merge_group.head_sha) || github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('commit-{0}', github.sha) }}
   cancel-in-progress: true
 
 jobs:

docs/content/code-review/release-notes.md

@@ -98,10 +98,10 @@ For each release note block, choose an appropriate type from the following list:
 Do | Don't
 -- | -----
 Use past tense to describe the end state after the change is released. Start with a verb. For example, "added...", "fixed...", or "resolved...". You can use future tense to describe future changes, such as saying that a deprecated field will be removed in a future version. | Don't use present or future tense to describe changes that are included in the pull request.
-Write user-focused release notes. For example, reference specific impacted terraform resource and field names, and discuss changes in behavior users will experience. | Avoid API field/resource/feature names. Avoid implementation details. Avoid language that requires understanding of provider internals.
+Write user-focused release notes. For example, reference specific impacted terraform resource and field names, and discuss changes in behavior users will experience. | Avoid API field/resource/feature names. Avoid implementation details. Avoid language that requires understanding of provider internals. However, in case of substantial refactorings like API version changes or engine changes (tpgtools/DCL -> MMv1, handwritten <> MMv1) **do** cover the change so users can quickly identify the release if they are affected by the change.
 Surround resource or field names with backticks. | Don't use resource or field names without punctuation or with other punctuation like quotation marks.
 Use impersonal third person. | Don't use "I", "you", etc.
-If the pull request impacts any specific, begin your release note with that product name followed by a colon. Use lower case for the first letter after the colon. For example, `cloudrun: added...` For MMv1 resources, use the folder name that contains the yaml files as the product name; for handwritten or tpgtools resources, use the API subdomain; for broad cross-product changes, use `provider`. | Don't begin your release note with the full resource name. Don't add backticks around the product name. Don't capitalize the first letter after the colon.
+If the pull request impacts a specific product, begin your release note with that product name followed by a colon. Use lower case for the first letter after the colon. For example, `cloudrun: added...` For MMv1 resources, use the folder name that contains the yaml files as the product name; for handwritten or tpgtools resources, use the API subdomain; for broad cross-product changes, use `provider`. | Don't begin your release note with the full resource name. Don't add backticks around the product name. Don't capitalize the first letter after the colon.
 
 ### Examples
 

mmv1/api/resource/sweeper.go

@@ -16,5 +16,7 @@ package resource
 type Sweeper struct {
 	// The field checked by sweeper to determine
 	// eligibility for deletion for generated resources
-	SweepableIdentifierField string `yaml:"sweepable_identifier_field"`
+	SweepableIdentifierField string   `yaml:"sweepable_identifier_field"`
+	Regions                  []string `yaml:"regions,omitempty"`
+	Prefixes                 []string `yaml:"prefixes,omitempty"`
 }

mmv1/products/beyondcorp/SecurityGateway.yaml

@@ -22,9 +22,19 @@ update_verb: PATCH
 id_format: projects/{{project}}/locations/{{location}}/securityGateways/{{security_gateway_id}}
 import_format:
   - projects/{{project}}/locations/{{location}}/securityGateways/{{security_gateway_id}}
+iam_policy:
+  method_name_separator: ':'
+  iam_conditions_request_type: 'QUERY_PARAM_NESTED'
+  allowed_iam_role: 'roles/beyondcorp.securityGatewayUser'
+  parent_resource_attribute: 'security_gateway_id'
+  import_format:
+    - 'projects/{{project}}/locations/{{location}}/securityGateways/{{security_gateway_id}}'
+    - '{{security_gateway_id}}'
 examples:
   - name: beyondcorp_security_gateway_basic
     primary_resource_id: example
+    primary_resource_name: 'fmt.Sprintf("default%s", context["random_suffix"])'
+    region_override: 'global'
     vars:
       security_gateway_name: default
 autogen_async: true

mmv1/products/bigqueryreservation/CapacityCommitment.yaml

@@ -109,6 +109,7 @@ properties:
     type: String
     description: |
       The plan this capacity commitment is converted to after commitmentEndTime passes. Once the plan is changed, committed period is extended according to commitment plan. Only applicable for some commitment plans.
+    diff_suppress_func: 'bigqueryReservationCapacityCommitmentPlanDiffSuppressFunc'
   - name: 'edition'
     type: String
     description: |

mmv1/products/chronicle/Retrohunt.yaml

@@ -14,6 +14,7 @@
 ---
 name: Retrohunt
 description: Retrohunt is an execution of a Rule over a time range in the past.
+min_version: 'beta'
 references:
   guides:
     'Google SecOps Guides': 'https://cloud.google.com/chronicle/docs/secops/secops-overview'

mmv1/products/cloudquotas/QuotaAdjusterSettings.yaml

@@ -14,7 +14,7 @@
 ---
 name: 'QuotaAdjusterSettings'
 description: |
-  QuotaAdjusterSettings represents the preferred quota configuration specified for a project, folder or organization. There is only one QuotaAdjusterSettings resource for a quota value targeting a unique set of dimensions.
+  QuotaAdjusterSettings resource represents your quota adjuster settings for a particular project. When enabled, the quota adjuster monitors your usage for the specified resources and issues quota adjustment requests when resource usage approaches its quota value.
 min_version: beta
 references:
   guides:
@@ -49,13 +49,11 @@ examples:
 parameters:
   - name: 'parent'
     type: String
-    description: The parent of the quota preference. Allowed parents are "projects/[project-id / number]" or "folders/[folder-id / number]" or "organizations/[org-id / number]".
+    description: The parent of the quota preference. Allowed parent format is "projects/[project-id / number]".
     url_param_only: true
     required: true
     immutable: true
     default_from_api: true
-    validation:
-      regex: '^(projects|folders|organizations)/([^/]+)$'
 properties:
   - name: 'enablement'
     type: Enum
@@ -68,14 +66,14 @@ properties:
   - name: 'effectiveContainer'
     type: String
     description: |
-      Fields to capture the hierarchy enablement.
-      The container (org/folder/project) that determines if the quota adjuster is set for this project/folder/org. We use the nearest-ancestor to determine the effective container.
-      The nearest ancestor (including this container) with `enabled` set (either true or false) will be returned.
+      The resource container that determines if the quota adjuster is set for this project.
+      Expect this field to be empty currently.
     output: true
   - name: 'effectiveEnablement'
     type: Enum
     description: |
-      Based on the effective container`s setting above, determines Whether this container has the quota adjuster enabled.
+      Based on the effective container`s setting above, determines Whether this resource container has the quota adjuster enabled.
+      Expect this field to be empty currently.
     output: true
     enum_values:
       - 'DEFAULT'

mmv1/products/colab/NotebookExecution.yaml

@@ -0,0 +1,159 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+name: 'NotebookExecution'
+description: |
+  'An instance of a notebook Execution'
+
+references:
+  guides:
+    'Schedule a notebook run': 'https://cloud.google.com/colab/docs/schedule-notebook-run'
+  api: 'https://cloud.google.com/vertex-ai/docs/reference/rest/v1/projects.locations.notebookExecutionJobs'
+base_url: 'projects/{{project}}/locations/{{location}}/notebookExecutionJobs'
+self_link: 'projects/{{project}}/locations/{{location}}/notebookExecutionJobs/{{notebook_execution_job_id}}'
+immutable: true
+create_url: 'projects/{{project}}/locations/{{location}}/notebookExecutionJobs?notebook_execution_job_id={{notebook_execution_job_id}}'
+async:
+  type: 'OpAsync'
+  operation:
+    full_url: 'https://{{location}}-aiplatform.googleapis.com/v1/{{op_id}}'
+import_format:
+  - 'projects/{{project}}/locations/{{location}}/notebookExecutionJobs/{{notebook_execution_job_id}}'
+custom_code:
+  post_create: 'templates/terraform/post_create/colab_notebook_execution.go.tmpl'
+examples:
+  - name: 'colab_notebook_execution_basic'
+    primary_resource_id: 'notebook-execution'
+    vars:
+      runtime_template_name: 'runtime-template-name'
+      bucket: 'my_bucket'
+    test_env_vars:
+      project_id: 'PROJECT_NAME'
+      service_account: 'SERVICE_ACCT'
+    ignore_read_extra:
+      - direct_notebook_source.0.content
+  - name: 'colab_notebook_execution_full'
+    primary_resource_id: 'notebook-execution'
+    vars:
+      notebook_execution_job_id: 'colab-notebook-execution'
+      runtime_template_name: 'runtime-template-name'
+      bucket: 'my_bucket'
+    test_env_vars:
+      project_id: 'PROJECT_NAME'
+      service_account: 'SERVICE_ACCT'
+  - name: 'colab_notebook_execution_dataform'
+    primary_resource_id: 'notebook-execution'
+    primary_resource_name: 'fmt.Sprintf("tf-test-colab-notebook-execution%s", context["random_suffix"])'
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@gcp-sa-dataform.iam.gserviceaccount.com"
+        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+    vars:
+      secret: 'secret'
+      dataform_repository: 'dataform-repository'
+      runtime_template_name: 'runtime-template-name'
+      bucket: 'my_bucket'
+      key_name: 'my-crypto-key'
+    test_env_vars:
+      project_id: 'PROJECT_NAME'
+      service_account: 'SERVICE_ACCT'
+    test_vars_overrides:
+      key_name: 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
+parameters:
+  - name: 'location'
+    type: String
+    required: true
+    url_param_only: true
+    description: 'The location for the resource: https://cloud.google.com/colab/docs/locations'
+  - name: 'notebookExecutionJobId'
+    type: String
+    url_param_only: true
+    description: 'User specified ID for the Notebook Execution Job'
+    custom_flatten: 'templates/terraform/custom_flatten/name_from_self_link.tmpl'
+    default_from_api: true
+properties:
+  - name: 'displayName'
+    type: String
+    description:
+      Required. The display name of the Notebook Execution.
+    required: true
+  - name: 'dataformRepositorySource'
+    type: NestedObject
+    description: 'The Dataform Repository containing the input notebook.'
+    exactly_one_of:
+      - dataform_repository_source
+      - gcs_notebook_source
+      - direct_notebook_source
+    properties:
+      - name: 'dataformRepositoryResourceName'
+        type: String
+        required: true
+        description: 'The resource name of the Dataform Repository.'
+        diff_suppress_func: 'tpgresource.CompareSelfLinkRelativePaths'
+      - name: 'commitSha'
+        type: String
+        description: 'The commit SHA to read repository with. If unset, the file will be read at HEAD.'
+  - name: 'gcsNotebookSource'
+    type: NestedObject
+    description: 'The Cloud Storage uri for the input notebook.'
+    exactly_one_of:
+      - dataform_repository_source
+      - gcs_notebook_source
+      - direct_notebook_source
+    properties:
+      - name: 'uri'
+        type: String
+        description: 'The Cloud Storage uri pointing to the ipynb file.'
+        required: true
+      - name: 'generation'
+        type: String
+        description: 'The version of the Cloud Storage object to read. If unset, the current version of the object is read. See https://cloud.google.com/storage/docs/metadata#generation-number.'
+  - name: 'directNotebookSource'
+    type: NestedObject
+    description: 'The content of the input notebook in ipynb format.'
+    ignore_read: true
+    exactly_one_of:
+      - dataform_repository_source
+      - gcs_notebook_source
+      - direct_notebook_source
+    properties:
+      - name: 'content'
+        type: String
+        required: true
+        description: 'The base64-encoded contents of the input notebook file.'
+        custom_flatten: 'templates/terraform/custom_flatten/colab_notebook_execution_direct_content.go.tmpl'
+  - name: executionTimeout
+    type: String
+    description: 'Max running time of the execution job in seconds (default 86400s / 24 hrs).'
+  - name: 'notebookRuntimeTemplateResourceName'
+    type: String
+    description: 'The NotebookRuntimeTemplate to source compute configuration from.'
+    exactly_one_of:
+      - notebook_runtime_template_resource_name
+  - name: 'gcsOutputUri'
+    required: true
+    type: String
+    description: 'The Cloud Storage location to upload the result to. Format:`gs://bucket-name`'
+  - name: 'executionUser'
+    type: String
+    exactly_one_of:
+      - execution_user
+      - service_account
+    description: 'The user email to run the execution as.'
+  - name: 'serviceAccount'
+    type: String
+    exactly_one_of:
+      - execution_user
+      - service_account
+    description: 'The service account to run the execution as.'

mmv1/products/colab/Runtime.yaml

@@ -14,6 +14,7 @@
 ---
 
 name: 'Runtime'
+api_resource_type_kind: NotebookRuntime
 description: |
   'A runtime is a Google-provisioned virtual machine (VM) that can run the code in your notebook (IPYNB file).'
 

mmv1/products/compute/Subnetwork.yaml

@@ -217,10 +217,11 @@ properties:
   - name: 'purpose'
     type: String
     description: |
-      The purpose of the resource. This field can be either `PRIVATE`, `REGIONAL_MANAGED_PROXY`, `GLOBAL_MANAGED_PROXY`, `PRIVATE_SERVICE_CONNECT` or `PRIVATE_NAT`([Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)).
+      The purpose of the resource. This field can be either `PRIVATE`, `REGIONAL_MANAGED_PROXY`, `GLOBAL_MANAGED_PROXY`, `PRIVATE_SERVICE_CONNECT`, `PEER_MIGRATION` or `PRIVATE_NAT`([Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)).
       A subnet with purpose set to `REGIONAL_MANAGED_PROXY` is a user-created subnetwork that is reserved for regional Envoy-based load balancers.
       A subnetwork in a given region with purpose set to `GLOBAL_MANAGED_PROXY` is a proxy-only subnet and is shared between all the cross-regional Envoy-based load balancers.
       A subnetwork with purpose set to `PRIVATE_SERVICE_CONNECT` reserves the subnet for hosting a Private Service Connect published service.
+      A subnetwork with purpose set to `PEER_MIGRATION` is a user created subnetwork that is reserved for migrating resources from one peered network to another.
       A subnetwork with purpose set to `PRIVATE_NAT` is used as source range for Private NAT gateways.
       Note that `REGIONAL_MANAGED_PROXY` is the preferred setting for all regional Envoy load balancers.
       If unspecified, the purpose defaults to `PRIVATE`.

mmv1/products/discoveryengine/ChatEngine.yaml

@@ -103,7 +103,7 @@ properties:
   - name: 'dataStoreIds'
     type: Array
     description: |
-      The data stores associated with this engine. Multiple DataStores in the same Collection can be associated here. All listed DataStores must be `SOLUTION_TYPE_CHAT`. Adding or removing data stores will force recreation.
+      The data stores associated with this engine. Multiple DataStores in the same Collection can be associated here. All listed DataStores must be `SOLUTION_TYPE_CHAT`.
     required: true
     item_type:
       type: String