
Terraform GCP Provider Deprecation Notice — Dataplex Data Product Data Asset, Compute Organization Security Policy Rule

v7.21.0 → v7.22.0, verified March 3, 2026

Impact Assessment

Severity: Moderate

This release introduces several new resources, including Hypercompute clusters and organization security policy rules, alongside a deprecation in Dataplex data assets. It also enables in-place boot disk resizing for compute instances and resolves a persistent diff issue in Datastream connection profiles, smoothing out day-to-day infrastructure operations.

Editor's Note: We view this as a steady feature-expansion release that aligns with the platform's recent push toward enhanced network security and specialized compute workloads. The ability to resize compute instance boot disks in-place is a significant operational win that reduces recreation overhead. When updating your Dataplex configurations, we recommend preparing a targeted state move to transition away from the deprecated data asset resource before applying new plans.

Detailed Breakdown

#### Dataplex Resource Deprecation

* What changed: The google_dataplex_data_asset resource is now deprecated. The provider introduces google_dataplex_data_product_data_asset as its replacement.

* Why this matters: Relying on deprecated resources can lead to future breaking changes or unsupported API calls as the platform evolves its data product hierarchy.

* Concrete migration steps: Rename the resource block in your .tf files to google_dataplex_data_product_data_asset. Use the terraform state mv command to update your state file without destroying the underlying infrastructure.

#### Compute Instance In-Place Updates

* What changed: The initialize_params.size field within the google_compute_instance resource is now updatable in-place.

* Why this matters: Previously, changing the boot disk size required a destructive recreation of the entire VM. This change allows for seamless vertical scaling of storage for running instances.

* Concrete migration steps: Update the size value in your configuration and run terraform apply. Verify that the guest operating system recognizes the expanded disk space after the apply completes.

#### Firewall and Security Policy Expansions

* What changed: Added dest_network_context, src_network_context, and src_networks fields to google_compute_firewall_policy_rule, google_compute_network_firewall_policy_rule, and google_compute_region_network_firewall_policy_rule. Additionally, a new google_compute_organization_security_policy_rule resource is available.

* Why this matters: These additions provide finer-grained traffic control using network contexts, allowing security teams to define more precise, context-aware firewall rules at both the VPC and organizational levels.

* Concrete migration steps: Review existing firewall rules to determine if context-based filtering can simplify your network security posture. Add the new fields to existing rule blocks where applicable.

#### Cloud SQL Feature Additions

* What changed: The google_sql_database_instance resource now supports auto_upgrade_enabled, data_api_access, and enhanced_query_insights_enabled fields.

* Why this matters: Exposing these fields allows infrastructure teams to explicitly manage database observability and automated maintenance settings directly through code.

* Concrete migration steps: Add these boolean fields to your Cloud SQL resource definitions if you wish to manage Data API access or Query Insights via Terraform rather than the console.

#### GKE and Container Enhancements

* What changed: The sandbox_config field in google_container_node_pool (and cluster) resources is promoted to General Availability (GA). The google_gke_hub_feature resource also gained the spec.workloadidentity field.

* Why this matters: GA promotion means gVisor sandboxing is fully supported for production workloads without requiring the beta provider. The workload identity addition expands fleet-wide identity management capabilities.

* Concrete migration steps: Remove the provider = google-beta meta-argument from node pools utilizing sandbox_config.

#### Network Security and Gateway Updates

* What changed: Added the url_filtering_profile field to google_network_security_security_profile and google_network_security_security_profile_group. The google_network_services_gateway resource now supports multiple ports for the SECURE_WEB_GATEWAY type.

* Why this matters: Enables native configuration of URL filtering and multi-port secure web gateways, reducing the need for manual console configurations for advanced network security.

* Concrete migration steps: Update your security profile resources to include url_filtering_profile if you are implementing web filtering, and adjust gateway port lists as needed.

#### Provider Behavior Fixes

* What changed: Fixed a permadiff where client_id in google_datastream_connection_profile.salesforce_profile.oauth2_client_credentials was not read properly. Added a retry mechanism for google_service_networking_connection creation to handle IAM propagation delays. Added a 10-second post-create/update delay for KMS AutokeyConfig.

* Why this matters: These fixes reduce noise in plan outputs and decrease pipeline failures caused by eventual consistency in IAM and KMS APIs.

* Concrete migration steps: Upgrade the provider version. You may also remove any custom time_sleep resources previously used to work around the service networking IAM propagation delay.

#### Additional Resource Updates

* What changed: Introduced the google_hypercomputecluster_cluster resource. Added http_config to google_developer_connect_connection, source_backupdr_backup to google_filestore_instance, and the AZURE_AD_GROUPS_DISPLAY_NAME enum to google_iam_workforce_pool_provider.

* Why this matters: Keeps the provider current with new Google Cloud offerings like Hypercompute clusters and expands integration options for Filestore, Developer Connect, and Workforce Identity.

* Concrete migration steps: Implement the new google_hypercomputecluster_cluster resource if your architecture requires specialized AI/ML compute clusters. Update existing resources with the new fields if those specific integrations are required.

Before You Upgrade

1. Search your codebase for the deprecated Dataplex resource using grep -r "google_dataplex_data_asset" . to identify modules needing updates.

2. Prepare state migration commands for affected Dataplex assets: terraform state mv google_dataplex_data_asset.example google_dataplex_data_product_data_asset.example.

3. Identify compute instances with hardcoded disk sizes by running grep -r -A 5 "initialize_params" . to see where in-place resizing can now be utilized.

4. Run a refresh-only plan (terraform plan -refresh-only) on environments using Datastream Salesforce profiles to confirm the client_id permadiff is resolved.

5. Update GKE configurations by removing provider = google-beta from any google_container_node_pool blocks that only used it for sandbox_config.

6. Evaluate Cloud SQL blocks to determine if data_api_access or enhanced_query_insights_enabled should be explicitly defined to prevent configuration drift.

7. Locate service networking connections (grep -r "google_service_networking_connection" .) and remove any custom time_sleep workarounds previously used for IAM propagation.

8. Validate the updated configuration syntax against the new provider version by running terraform validate before executing a full plan.
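Steps 1, 2 and the Dataplex migration steps above can be scripted. The following shell script is an added example, not code from the release notes or the provider project: it scans a module directory for google_dataplex_data_asset blocks and prints the terraform state mv command for each, flagging for_each/count resources whose state addresses also need an instance key. The sample configuration it writes is constructed and its attribute names are placeholders, not the real schema.

```shell
#!/usr/bin/env bash
# Added example (not from the release notes): pre-upgrade scan that finds every
# "google_dataplex_data_asset" block under a directory and prints the matching
# `terraform state mv` command so the move can be reviewed before a plan.
set -eu
# Print one "terraform state mv OLD NEW" line per deprecated block under $1.
scan_dataplex_assets() {
  find "$1" -name '*.tf' -type f | sort | while IFS= read -r f; do
    awk '
      # Header of a deprecated block: capture the local name, start tracking.
      /^[[:space:]]*resource[[:space:]]+"google_dataplex_data_asset"[[:space:]]+"[^"]+"/ {
        name = $0
        sub(/.*"google_dataplex_data_asset"[[:space:]]+"/, "", name)
        sub(/".*/, "", name)
        inblock = 1; depth = 0; indexed = 0
      }
      # Track brace depth until the block closes (braces inside strings are not
      # handled); count/for_each means the state address needs an instance key.
      inblock {
        if ($0 ~ /^[[:space:]]*(count|for_each)[[:space:]]*=/) indexed = 1
        depth += gsub(/[{]/, "&") - gsub(/[}]/, "&")
        if (depth == 0) {
          note = indexed ? "  # for_each/count: append the instance key to both addresses" : ""
          printf "terraform state mv google_dataplex_data_asset.%s google_dataplex_data_product_data_asset.%s%s\n", name, name, note
          inblock = 0
        }
      }' "$f"
  done
}

# Constructed sample configuration (attribute names are placeholders, not the
# real schema) written to a fresh temp directory; prints the directory path.
make_sample_config() {
  d=$(mktemp -d)
  cat > "$d/dataplex.tf" <<'EOF'
resource "google_dataplex_data_asset" "sales" {
  name   = "sales"
  labels = {
    team = "data"
  }
}

resource "google_dataplex_data_asset" "regional" {
  for_each = toset(["us", "eu"])
  name     = each.key
}
EOF
  printf '%s\n' "$d"
}

# Stand-alone use: scan the directory given as $1, or the sample if none given.
sample=$(make_sample_config); scan_dataplex_assets "${1:-$sample}"; rm -rf "$sample"
```

Review the printed commands, then run them one by one after renaming the resource blocks in the .tf files; the script only reads configuration and never touches state itself.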

Sources & Timeline

* Sources:
  * [Release v7.22.0](https://github.com/hashicorp/terraform-provider-google/releases/tag/v7.22.0)
  * [Release v7.21.0](https://github.com/hashicorp/terraform-provider-google/releases/tag/v7.21.0)

* Version Range: v7.21.0 → v7.22.0

* Verified At: 2026-03-03T22:05:12.907617+00:00
