From e5d36464b49938aaf133cecc27433397a445dd59 Mon Sep 17 00:00:00 2001 From: Larry Bordowitz Date: Mon, 30 Oct 2023 16:49:29 -0500 Subject: [PATCH] feat: Add certificate_manager_certificates variable for the https_proxy --- README.md | 3 ++- autogen/main.tf.tmpl | 11 +++++++---- autogen/variables.tf.tmpl | 8 +++++++- autogen/versions.tf.tmpl | 4 ++-- main.tf | 7 +++++-- modules/dynamic_backends/README.md | 3 ++- modules/dynamic_backends/main.tf | 7 +++++-- modules/dynamic_backends/variables.tf | 8 +++++++- modules/dynamic_backends/versions.tf | 4 ++-- modules/serverless_negs/README.md | 3 ++- modules/serverless_negs/main.tf | 7 +++++-- modules/serverless_negs/variables.tf | 8 +++++++- modules/serverless_negs/versions.tf | 4 ++-- variables.tf | 8 +++++++- versions.tf | 4 ++-- 15 files changed, 64 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index cc57a61c..62e79e15 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ module "gce-lb-http" { | address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no | | backends | Map backend indices to list of backend maps. |
map(object({
port = optional(number)
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))

timeout_sec = optional(number)
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)

health_check = object({
host = optional(string)
request_path = optional(string)
request = optional(string)
response = optional(string)
port = optional(number)
port_name = optional(string)
proxy_header = optional(string)
port_specification = optional(string)
protocol = optional(string)
check_interval_sec = optional(number)
timeout_sec = optional(number)
healthy_threshold = optional(number)
unhealthy_threshold = optional(number)
logging = optional(bool)
})

log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})

groups = list(object({
group = string

balancing_mode = optional(string)
capacity_scaler = optional(number)
description = optional(string)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
}))
| n/a | yes | | certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no | +| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no | | certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no | | create\_address | Create a new global IPv4 address | `bool` | `true` | no | | create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | @@ -149,7 +150,7 @@ module "gce-lb-http" { | target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no | | target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no | | url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no | -| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no | +| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no | ## Outputs diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl index 8ff27fee..7f09b4d4 100644 --- a/autogen/main.tf.tmpl +++ b/autogen/main.tf.tmpl 
@@ -26,8 +26,9 @@ locals {
 health_checked_backends = { for backend_index, backend_value in var.backends : backend_index => backend_value if backend_value["health_check"] != null }
 {% endif %}
- is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
- internal_network = local.is_internal ? var.network : null
+ is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
+ internal_network = local.is_internal ? var.network : null
+ ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
 }
 ### IPv4 block ###
@@ -119,8 +120,10 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ certificate_manager_certificates = var.certificate_manager_certificates
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+
+ ssl_certificates = local.ssl_certificates
 ssl_policy = var.ssl_policy
 quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
 }
diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl
index 35c57b02..ff0486a8 100644
--- a/autogen/variables.tf.tmpl
+++ b/autogen/variables.tf.tmpl
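Review bot: The gate on the added `ssl_certificates` line treats an empty list as "set" — `[] != null` is true — so a caller passing `certificate_manager_certificates = []` ends up with `ssl_certificates = null` and, after the proxy hunk below, no certificate attached to the HTTPS proxy at all. It also silently drops anything supplied in `var.ssl_certificates` (and the self-links of the classic or managed certificates the module may still create) instead of reporting the overlap, which then surfaces only as the wrong certificate being served at the edge. A gate that ignores empty lists is `ssl_certificates = try(length(var.certificate_manager_certificates), 0) > 0 ? null : compact(concat(...))`; rejecting the overlap with `var.ssl_certificates` is better done by a `precondition` on the proxy resource. The `{% endif %}` context line shows this is a Jinja template, so the identical hunks in `main.tf` and the two modules are presumably generated from it and should not be patched separately. The `locals` block opens above the hunk.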
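Review bot: `certificate_manager_certificates` is handed to the provider verbatim while `certificate_map`, on the very next line, is normalised with the `//certificatemanager.googleapis.com/` prefix; the variable description calls these "cert ids", so callers will reasonably pass `projects/…/certificates/…` and only learn at apply time whether the provider wants the fully-qualified form (I believe it does for provider 5.3, which this commit now requires — please confirm). The resource also has no guard against a caller supplying both this list and `ssl_certificates`: the new local just nulls the classic list, so the conflict never errors. Normalising the ids the same way as `certificate_map` and adding a `precondition` turns both into plan-time failures; `startswith` needs Terraform 1.3 or newer, so use `substr(c, 0, 2) == "//"` if the module's `required_version` is older. The resource's `count`/`project` lines and the rest of the block are outside the hunk.

```hcl
  certificate_manager_certificates = var.certificate_manager_certificates == null ? null : [
    for c in var.certificate_manager_certificates :
    startswith(c, "//") ? c : "//certificatemanager.googleapis.com/${c}"
  ]
  certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null

  ssl_certificates = local.ssl_certificates
  # … unchanged: ssl_policy, quic_override …

  lifecycle {
    precondition {
      condition     = var.certificate_manager_certificates == null || length(var.ssl_certificates) == 0
      error_message = "certificate_manager_certificates and ssl_certificates are mutually exclusive; the proxy serves only one of them."
    }
  }
```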
@@ -232,7 +232,7 @@ variable "managed_ssl_certificate_domains" {
 }
 variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+ description = "If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate`"
 type = bool
 default = false
 }
@@ -243,6 +243,12 @@ variable "ssl_certificates" {
 default = []
 }
+variable "certificate_manager_certificates" {
+ description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set."
+ type = list(string)
+ default = null
+}
+
 variable "edge_security_policy" {
 description = "The resource URL for the edge security policy to associate with the backend service"
 type = string
diff --git a/autogen/versions.tf.tmpl b/autogen/versions.tf.tmpl
index 5ce35249..153321a7 100644
--- a/autogen/versions.tf.tmpl
+++ b/autogen/versions.tf.tmpl
@@ -20,11 +20,11 @@ terraform {
 google = {
 source = "hashicorp/google"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/main.tf b/main.tf
index 199ed859..030e0c30 100644
--- a/main.tf
+++ b/main.tf
@@ -26,6 +26,7 @@ locals {
 is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
 internal_network = local.is_internal ? var.network : null
+ ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
 }
 ### IPv4 block ###
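Review bot: The new wording says `use_ssl_certificates = true` selects `certificate_map`, but in the hunks of this commit `certificate_map` is passed to the proxy unconditionally and the only input that changes what gets attached is the new `certificate_manager_certificates`, which this description does not mention; how the count conditions on the classic certificate resources read this flag is outside the diff, so the sentence may describe behaviour that does not exist. Unless the flag really is consulted when a map is set, keep the description to what it controls: `description = "If true, use the certificates provided by ssl_certificates instead of creating one from private_key and certificate. Not consulted when certificate_manager_certificates is set, which replaces the classic certificates on the proxy."` The last clause holds for what is attached; if the certificate resources are still created when that variable is set, say so instead.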
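Review bot: The description "Required if `ssl` is `true` and certificate_map is set" contradicts the code in this commit: nothing enforces it, `certificate_map` is set on the proxy whether or not this list is given, and `main.tf.tmpl` consults only this variable when it decides to drop the classic `ssl_certificates`. The variable also accepts `[]`, which that local treats as "set", leaving the proxy with no certificate. A `validation` block catches the empty list at plan time, and the description should state what actually happens when the variable is set; the claim about classic certificates below is grounded for what is attached to the proxy, not for what is created, so adjust it if the certificate resources' counts (outside this diff) do not check this variable.

```hcl
variable "certificate_manager_certificates" {
  description = "Certificate Manager certificate resource ids (projects/{project}/locations/{location}/certificates/{name}) to attach directly to the HTTPS proxy. When set, the classic certificates from ssl_certificates, private_key/certificate and managed_ssl_certificate_domains are not attached. Independent of certificate_map."
  type        = list(string)
  default     = null

  validation {
    condition     = var.certificate_manager_certificates == null || length(var.certificate_manager_certificates) > 0
    error_message = "certificate_manager_certificates must be null or contain at least one certificate id."
  }
}
```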
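Review bot: This hunk is identical to the one in `autogen/main.tf.tmpl`, so `main.tf` is presumably generated and the `[] != null` gap on the added line (an empty `certificate_manager_certificates` nulls the classic certificates and leaves the proxy with nothing attached) should be fixed in the template and regenerated rather than edited here. If the file is hand-maintained, the same one-line change applies: `ssl_certificates = try(length(var.certificate_manager_certificates), 0) > 0 ? null : compact(concat(...))`. The `locals` block opens above the hunk.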
@@ -117,8 +118,10 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ certificate_manager_certificates = var.certificate_manager_certificates
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+
+ ssl_certificates = local.ssl_certificates
 ssl_policy = var.ssl_policy
 quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
 }
diff --git a/modules/dynamic_backends/README.md b/modules/dynamic_backends/README.md
index e7e84fae..325de70e 100644
--- a/modules/dynamic_backends/README.md
+++ b/modules/dynamic_backends/README.md
@@ -115,6 +115,7 @@ module "gce-lb-http" {
 | address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no |
 | backends | Map backend indices to list of backend maps. |
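Review bot: As in the template this file appears to be generated from, the ids in `certificate_manager_certificates` go to the provider raw while `certificate_map` on the next line gets the `//certificatemanager.googleapis.com/` prefix, and nothing rejects a caller who also passes `ssl_certificates` — the new local simply discards them, so the proxy quietly serves a different certificate than the caller configured. Both fixes (prefix normalisation of the ids and a `lifecycle { precondition { … } }` on this resource requiring `var.certificate_manager_certificates == null || length(var.ssl_certificates) == 0`) belong in `autogen/main.tf.tmpl` with this file regenerated. The resource header and its `count` are outside the hunk.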
map(object({
port = optional(number)
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))

timeout_sec = optional(number)
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)

health_check = object({
host = optional(string)
request_path = optional(string)
request = optional(string)
response = optional(string)
port = optional(number)
port_name = optional(string)
proxy_header = optional(string)
port_specification = optional(string)
protocol = optional(string)
check_interval_sec = optional(number)
timeout_sec = optional(number)
healthy_threshold = optional(number)
unhealthy_threshold = optional(number)
logging = optional(bool)
})

log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})

groups = list(object({
group = string

balancing_mode = optional(string)
capacity_scaler = optional(number)
description = optional(string)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
}))
| n/a | yes | | certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no | +| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no | | certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no | | create\_address | Create a new global IPv4 address | `bool` | `true` | no | | create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | @@ -142,7 +143,7 @@ module "gce-lb-http" { | target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no | | target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no | | url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no | -| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no | +| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no | ## Outputs diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf index 776137a1..30199ef8 100644 --- a/modules/dynamic_backends/main.tf +++ b/modules/dynamic_backends/main.tf 
@@ -26,6 +26,7 @@ locals {
 is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
 internal_network = local.is_internal ? var.network : null
+ ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
 }
 ### IPv4 block ###
@@ -117,8 +118,10 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ certificate_manager_certificates = var.certificate_manager_certificates
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+
+ ssl_certificates = local.ssl_certificates
 ssl_policy = var.ssl_policy
 quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
 }
diff --git a/modules/dynamic_backends/variables.tf b/modules/dynamic_backends/variables.tf
index 771ecedd..52c5d17c 100644
--- a/modules/dynamic_backends/variables.tf
+++ b/modules/dynamic_backends/variables.tf
@@ -219,7 +219,7 @@ variable "managed_ssl_certificate_domains" {
 }
 variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+ description = "If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate`"
 type = bool
 default = false
 }
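Review bot: `[] != null` is true, so on the added line an empty `certificate_manager_certificates` list discards the classic `ssl_certificates` and the proxy hunk below then attaches nothing; `try(length(var.certificate_manager_certificates), 0) > 0` as the test closes that gap. A non-empty list also silently overrides anything the caller put in `var.ssl_certificates`, which deserves a `precondition` on the proxy rather than a quiet drop. This file mirrors `autogen/main.tf.tmpl` line for line, so the change should go through the template if the module is generated. The `locals` block opens above the hunk.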
@@ -230,6 +230,12 @@ variable "ssl_certificates" {
 default = []
 }
+variable "certificate_manager_certificates" {
+ description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set."
+ type = list(string)
+ default = null
+}
+
 variable "edge_security_policy" {
 description = "The resource URL for the edge security policy to associate with the backend service"
 type = string
diff --git a/modules/dynamic_backends/versions.tf b/modules/dynamic_backends/versions.tf
index 095762dd..d9c1b3ed 100644
--- a/modules/dynamic_backends/versions.tf
+++ b/modules/dynamic_backends/versions.tf
@@ -20,11 +20,11 @@ terraform {
 google = {
 source = "hashicorp/google"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/modules/serverless_negs/README.md b/modules/serverless_negs/README.md
index 9d568175..066f7f47 100644
--- a/modules/serverless_negs/README.md
+++ b/modules/serverless_negs/README.md
@@ -81,6 +81,7 @@ module "lb-http" {
 | address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no |
 | backends | Map backend indices to list of backend maps. |
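Review bot: The description's "Required if `ssl` is `true` and certificate_map is set" is not something the module checks, and the two inputs are set independently on the proxy in this module's `main.tf`; a reader who provisions a map, sees this sentence and adds a list gets the classic certificates silently dropped instead of an error. If this module's variables are generated from `autogen/variables.tf.tmpl`, fix the wording there and add a `validation` rejecting an empty list (`var.certificate_manager_certificates == null || length(var.certificate_manager_certificates) > 0`), since the locals treat `[]` as "set" and then attach no certificate at all.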
map(object({
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))

connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)


log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})

groups = list(object({
group = string

}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
}))
| n/a | yes | | certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no | +| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no | | certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no | | create\_address | Create a new global IPv4 address | `bool` | `true` | no | | create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | @@ -104,7 +105,7 @@ module "lb-http" { | ssl\_certificates | SSL cert self\_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided. | `list(string)` | `[]` | no | | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no | | url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no | -| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no | +| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no | ## Outputs diff --git a/modules/serverless_negs/main.tf b/modules/serverless_negs/main.tf index 8215ee1b..6abb6044 100644 --- a/modules/serverless_negs/main.tf +++ b/modules/serverless_negs/main.tf 
@@ -25,6 +25,7 @@ locals {
 is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
 internal_network = local.is_internal ? var.network : null
+ ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
 }
 ### IPv4 block ###
@@ -116,8 +117,10 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ certificate_manager_certificates = var.certificate_manager_certificates
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+
+ ssl_certificates = local.ssl_certificates
 ssl_policy = var.ssl_policy
 quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
 }
diff --git a/modules/serverless_negs/variables.tf b/modules/serverless_negs/variables.tf
index 3cbde3e5..b02d8c8f 100644
--- a/modules/serverless_negs/variables.tf
+++ b/modules/serverless_negs/variables.tf
@@ -168,7 +168,7 @@ variable "managed_ssl_certificate_domains" {
 }
 variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+ description = "If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate`"
 type = bool
 default = false
 }
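Review bot: The `is_internal` context line above shows this module also serves `INTERNAL_SELF_MANAGED`, and my recollection of the provider documentation for `google_compute_target_https_proxy` is that Certificate Manager certificates do not apply to that scheme; if that holds, combining `certificate_manager_certificates` with an internal scheme fails only at the API, after the rest of the plan has applied. A plan-time check on the proxy resource, `precondition { condition = !(local.is_internal && var.certificate_manager_certificates != null) error_message = "certificate_manager_certificates is not supported with INTERNAL_SELF_MANAGED" }`, would catch it — please confirm against the 5.3 provider docs before adding. The `[] != null` gap on the added `ssl_certificates` line (an empty list nulls the classic certificates and the proxy below attaches nothing) applies here as in the template.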
@@ -179,6 +179,12 @@ variable "ssl_certificates" {
 default = []
 }
+variable "certificate_manager_certificates" {
+ description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set."
+ type = list(string)
+ default = null
+}
+
 variable "edge_security_policy" {
 description = "The resource URL for the edge security policy to associate with the backend service"
 type = string
diff --git a/modules/serverless_negs/versions.tf b/modules/serverless_negs/versions.tf
index 07332232..06dc7985 100644
--- a/modules/serverless_negs/versions.tf
+++ b/modules/serverless_negs/versions.tf
@@ -20,11 +20,11 @@ terraform {
 google = {
 source = "hashicorp/google"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/variables.tf b/variables.tf
index 771ecedd..52c5d17c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -219,7 +219,7 @@ variable "managed_ssl_certificate_domains" {
 }
 variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+ description = "If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate`"
 type = bool
 default = false
 }
@@ -230,6 +230,12 @@ variable "ssl_certificates" {
 default = []
 }
+variable "certificate_manager_certificates" {
+ description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set."
+ type = list(string)
+ default = null
+}
+
 variable "edge_security_policy" {
 description = "The resource URL for the edge security policy to associate with the backend service"
 type = string
diff --git a/versions.tf b/versions.tf
index 0a181446..58c70789 100644
--- a/versions.tf
+++ b/versions.tf
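Review bot: Same description problem as in the template: "Required if `ssl` is `true` and certificate_map is set" is neither enforced nor true of the code in this commit, where `certificate_map` and this list are independent proxy arguments, and `[]` is accepted although `main.tf` treats it as "set" and then attaches no certificate. The wording and a non-empty `validation` (`var.certificate_manager_certificates == null || length(var.certificate_manager_certificates) > 0`) belong in `autogen/variables.tf.tmpl` if these files are generated — the root `variables.tf` and `modules/dynamic_backends/variables.tf` even share the blob ids `771ecedd..52c5d17c` — otherwise apply them in each copy.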
@@ -20,11 +20,11 @@ terraform {
 google = {
 source = "hashicorp/google"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.50, < 5.0"
+ version = ">= 5.3, < 6.0"
 }
 random = {
 source = "hashicorp/random"