Add deletion_policy field to Project resource (#11359) (#19026)

[upstream:4bb92c3b9037ad597bdc7b0c163cb720e896a003]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/11359.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resourcemanager: added `deletion_policy` field to replace `skip_delete` field in `google_project` resource. Setting `deletion_policy` to `PREVENT` will protect the project against any destroy actions caused by a terraform apply or terraform destroy. Setting `deletion_policy` to `ABANDON` allows the resource to be abandoned rather than deleted and it behaves the same with `skip_delete = true`. Default value is `DELETE`.
+```

google/services/resourcemanager/data_source_google_project_test.go

@@ -30,6 +30,7 @@ func TestAccDataSourceGoogleProject_basic(t *testing.T) {
 							// Virtual fields
 							"auto_create_network": {},
 							"skip_delete":         {},
+							"deletion_policy":     {},
 						}),
 				),
 			},

google/services/resourcemanager/resource_google_project.go

@@ -15,6 +15,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 
 	tpgcompute "github.com/hashicorp/terraform-provider-google/google/services/compute"
 	tpgserviceusage "github.com/hashicorp/terraform-provider-google/google/services/serviceusage"
@@ -75,6 +76,14 @@ func ResourceGoogleProject() *schema.Resource {
 				Computed:    true,
 				Description: `If true, the Terraform resource can be deleted without deleting the Project via the Google API.`,
 			},
+			"deletion_policy": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "DELETE",
+				Description: `The deletion policy for the Project. Setting PREVENT will protect the project against any destroy actions caused by a terraform apply or terraform destroy. Setting ABANDON allows the resource
+				to be abandoned rather than deleted. Possible values are: "PREVENT", "ABANDON", "DELETE"`,
+				ValidateFunc: validation.StringInSlice([]string{"PREVENT", "ABANDON", "DELETE"}, false),
+			},
 			"auto_create_network": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -307,7 +316,12 @@ func resourceGoogleProjectRead(d *schema.ResourceData, meta interface{}) error {
 		d.SetId("")
 		return nil
 	}
-
+	// Explicitly set client-side fields to default values if unset
+	if _, ok := d.GetOkExists("deletion_policy"); !ok {
+		if err := d.Set("deletion_policy", "DELETE"); err != nil {
+			return fmt.Errorf("Error setting deletion_policy: %s", err)
+		}
+	}
 	if err := d.Set("project_id", pid); err != nil {
 		return fmt.Errorf("Error setting project_id: %s", err)
 	}
@@ -501,18 +515,29 @@ func resourceGoogleProjectDelete(d *schema.ResourceData, meta interface{}) error
 	if err != nil {
 		return err
 	}
+	deletionPolicy := d.Get("deletion_policy").(string)
 	// Only delete projects if skip_delete isn't set
-	if !d.Get("skip_delete").(bool) {
-		parts := strings.Split(d.Id(), "/")
-		pid := parts[len(parts)-1]
-		if err := transport_tpg.Retry(transport_tpg.RetryOptions{
-			RetryFunc: func() error {
-				_, delErr := config.NewResourceManagerClient(userAgent).Projects.Delete(pid).Do()
-				return delErr
-			},
-			Timeout: d.Timeout(schema.TimeoutDelete),
-		}); err != nil {
-			return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("Project %s", pid))
+	if deletionPolicy == "PREVENT" {
+		return fmt.Errorf("Cannot destroy project as deletion_policy is set to PREVENT.")
+	} else if deletionPolicy == "ABANDON" {
+		log.Printf("[WARN] The project has been abandoned as deletion_policy set to ABANDON.")
+		d.SetId("")
+		return nil
+	} else {
+		// Only delete projects if deletion_policy isn't PREVENT or ABANDON
+		// Only delete projects if skip_delete isn't set
+		if !d.Get("skip_delete").(bool) {
+			parts := strings.Split(d.Id(), "/")
+			pid := parts[len(parts)-1]
+			if err := transport_tpg.Retry(transport_tpg.RetryOptions{
+				RetryFunc: func() error {
+					_, delErr := config.NewResourceManagerClient(userAgent).Projects.Delete(pid).Do()
+					return delErr
+				},
+				Timeout: d.Timeout(schema.TimeoutDelete),
+			}); err != nil {
+				return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("Project %s", pid))
+			}
 		}
 	}
 	d.SetId("")

google/services/resourcemanager/resource_google_project_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"reflect"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
@@ -97,7 +98,7 @@ func TestAccProject_billing(t *testing.T) {
 				ResourceName:            "google_project.acceptance",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"skip_delete"},
+				ImportStateVerifyIgnore: []string{"skip_delete", "deletion_policy"},
 			},
 			// Update to a different  billing account
 			{
@@ -138,7 +139,7 @@ func TestAccProject_labels(t *testing.T) {
 				ResourceName:            "google_project.acceptance",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"skip_delete", "labels", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"skip_delete", "labels", "terraform_labels", "deletion_policy"},
 			},
 			// update project with labels
 			{
@@ -211,7 +212,7 @@ func TestAccProject_migrateParent(t *testing.T) {
 				ResourceName:            "google_project.acceptance",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"skip_delete"},
+				ImportStateVerifyIgnore: []string{"skip_delete", "deletion_policy"},
 			},
 			{
 				Config: testAccProject_migrateParentOrg(pid, folderDisplayName, org),
@@ -220,7 +221,7 @@ func TestAccProject_migrateParent(t *testing.T) {
 				ResourceName:            "google_project.acceptance",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"skip_delete"},
+				ImportStateVerifyIgnore: []string{"skip_delete", "deletion_policy"},
 			},
 			{
 				Config: testAccProject_migrateParentFolder(pid, folderDisplayName, org),
@@ -229,7 +230,7 @@ func TestAccProject_migrateParent(t *testing.T) {
 				ResourceName:            "google_project.acceptance",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"skip_delete"},
+				ImportStateVerifyIgnore: []string{"skip_delete", "deletion_policy"},
 			},
 		},
 	})
@@ -352,6 +353,65 @@ func testAccCheckGoogleProjectHasNoLabels(t *testing.T, r, pid string) resource.
 	}
 }
 
+func TestAccProject_noAllowDestroy(t *testing.T) {
+	t.Parallel()
+
+	org := envvar.GetTestOrgFromEnv(t)
+	pid := fmt.Sprintf("%s-%d", TestPrefix, acctest.RandInt(t))
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccProject_noAllowDestroy(pid, org),
+			},
+			{
+				ResourceName:            "google_project.acceptance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_delete", "deletion_policy"},
+			},
+			{
+				Config:      testAccProject_noAllowDestroy(pid, org),
+				Destroy:     true,
+				ExpectError: regexp.MustCompile("deletion_policy"),
+			},
+			{
+				Config: testAccProject_create(pid, org),
+			},
+		},
+	})
+}
+
+func TestAccProject_abandon(t *testing.T) {
+	t.Parallel()
+
+	org := envvar.GetTestOrgFromEnv(t)
+	pid := fmt.Sprintf("%s-%d", TestPrefix, acctest.RandInt(t))
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccProject_abandon(pid, org),
+			},
+			{
+				ResourceName:            "google_project.acceptance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_policy"},
+			},
+			{
+				Config:  testAccProject_abandon(pid, org),
+				Destroy: true,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleProjectExists("google_project.acceptance", pid),
+				),
+			},
+		},
+	})
+}
+
 func testAccProject_createWithoutOrg(pid string) string {
 	return fmt.Sprintf(`
 resource "google_project" "acceptance" {
@@ -361,6 +421,28 @@ resource "google_project" "acceptance" {
 `, pid, pid)
 }
 
+func testAccProject_noAllowDestroy(pid, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+  project_id = "%s"
+  name       = "%s"
+  org_id = "%s"
+  deletion_policy = "PREVENT"
+}
+`, pid, pid, org)
+}
+
+func testAccProject_abandon(pid, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+  project_id = "%s"
+  name       = "%s"
+  org_id = "%s"
+  deletion_policy = "ABANDON"
+}
+`, pid, pid, org)
+}
+
 func testAccProject_createBilling(pid, org, billing string) string {
 	return fmt.Sprintf(`
 resource "google_project" "acceptance" {

website/docs/r/google_project.html.markdown

@@ -98,6 +98,11 @@ The following arguments are supported:
     `false`. Note that when `false`, Terraform enables `compute.googleapis.com` on the project to interact
     with the GCE API and currently leaves it enabled.
 
+* `deletion_policy` -  (Optional) The deletion policy for the Project. Setting PREVENT will protect the project
+   against any destroy actions caused by a terraform apply or terraform destroy. Setting ABANDON allows the resource 
+   to be abandoned rather than deleted, i.e., the Terraform resource can be deleted without deleting the Project via 
+   the Google API. Possible values are: "PREVENT", "ABANDON", "DELETE". Default value is `DELETE`.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are