diff --git a/README.md b/README.md index 9a8a3ee5..c0b7a09b 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ To include G Suite integration for creating groups and adding Service Accounts i ## Compatibility -This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. +This module is meant for use with Terraform 0.13+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't [upgraded][terraform-0.13-upgrade] and need a Terraform 0.12.x-compatible version of this module, the last released version @@ -29,7 +29,7 @@ There are multiple examples included in the [examples](./examples/) folder but s ```hcl module "project-factory" { source = "terraform-google-modules/project-factory/google" - version = "~> 14.5" + version = "~> 15.0" name = "pf-test-1" random_project_id = true 
@@ -161,7 +161,8 @@ determining that location is as follows:
 | tag\_binding\_values | Tag values to bind the project to. | `list(string)` | `[]` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
-| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
+| vpc\_service\_control\_attach\_dry\_run | Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc\_service\_control\_attach\_enabled should be false for this to be true | `bool` | `false` | no |
+| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc\_service\_control\_attach\_dry\_run should be false for this to be true | `bool` | `false` | no |
 | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no |
 | vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. | `string` | `"5s"` | no |
@@ -187,6 +188,7 @@ determining that location is as follows:
 | service\_account\_name | The fully-qualified name of the default service account |
 | service\_account\_unique\_id | The unique id of the default service account |
 | tag\_bindings | Tag bindings |
+| usage\_report\_export\_bucket | GCE usage reports bucket |
@@ -197,9 +199,9 @@ determining that location is as follows:
 - [gcloud sdk](https://cloud.google.com/sdk/install) >= 269.0.0
 - [jq](https://stedolan.github.io/jq/) >= 1.6
 - [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
-- [terraform-provider-google] plugin ~> 4.11
-- [terraform-provider-google-beta] plugin ~> 4.11
-- [terraform-provider-gsuite] plugin 0.1.x if GSuite functionality is desired
+- [terraform-provider-google] plugin >= 5.22
+- [terraform-provider-google-beta] plugin >= 5.22
+- [terraform-provider-gsuite] plugin ~> 0.1.x if GSuite functionality is desired
 ### Permissions
diff --git a/docs/upgrading_to_project_factory_v15.0.md b/docs/upgrading_to_project_factory_v15.0.md
new file mode 100644
index 00000000..ccc809dd
--- /dev/null
+++ b/docs/upgrading_to_project_factory_v15.0.md
@@ -0,0 +1,8 @@
+# Upgrading to Project Factory v15.0
+
+The v15.0 release of Project Factory is a backwards incompatible release.
+
+### Google Cloud Platform Provider upgrade
+
+The Project Factory module now requires version 5.22 or higher of the Google Cloud Platform Provider and 5.22 or higher of
+the Google Cloud Platform Beta Provider.
diff --git a/main.tf b/main.tf
index c2971a0e..c8a5a138 100644
--- a/main.tf
+++ b/main.tf
@@ -65,6 +65,7 @@ module "project-factory" {
 default_service_account = var.default_service_account
 disable_dependent_services = var.disable_dependent_services
 vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
+vpc_service_control_attach_dry_run = var.vpc_service_control_attach_dry_run
 vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
 vpc_service_control_sleep_duration = var.vpc_service_control_sleep_duration
 default_network_tier = var.default_network_tier
diff --git a/modules/core_project_factory/main.tf b/modules/core_project_factory/main.tf
index dbf0b178..37b79026 100644
--- a/modules/core_project_factory/main.tf
+++ b/modules/core_project_factory/main.tf
@@ -109,7 +109,7 @@ module "project_services" {
 Shared VPC configuration
 *****************************************/
 resource "time_sleep" "wait_5_seconds" { #TODO rename resource in the next breaking change.
- count = var.vpc_service_control_attach_enabled ? 1 : 0
+ count = var.vpc_service_control_attach_enabled || var.vpc_service_control_attach_dry_run ? 1 : 0
 depends_on = [google_access_context_manager_service_perimeter_resource.service_perimeter_attachment[0], google_project_service.enable_access_context_manager[0]]
 create_duration = var.vpc_service_control_sleep_duration
 }
@@ -345,7 +345,7 @@ resource "google_storage_bucket_iam_member" "api_s_account_storage_admin_on_proj
 }
 /******************************************
- Attachment to VPC Service Control Perimeter
+ Attachment to VPC Service Control Perimeter in Enforce Mode
 *****************************************/
 resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_attachment" {
 count = var.vpc_service_control_attach_enabled ? 1 : 0
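Review bot: The `count` on `time_sleep.wait_5_seconds` is now also driven by `vpc_service_control_attach_dry_run`, but its `depends_on` still lists only the enforce-mode attachment (`service_perimeter_attachment[0]`), so in a dry-run-only configuration the sleep is ordered after a resource that has zero instances and not after the dry-run attachment that was actually created. If the wait exists to let perimeter membership propagate before the shared VPC attachment, the dry-run resource belongs in that list, e.g. `depends_on = [google_access_context_manager_service_perimeter_resource.service_perimeter_attachment[0], google_access_context_manager_service_perimeter_dry_run_resource.service_perimeter_attachment_dry_run[0], google_project_service.enable_access_context_manager[0]]`. Whether a dry-run membership gates the shared VPC operation at all is not visible here; if it does not, the count change rather than the dependency is what should go. The dry-run resource is defined in a later hunk of this file.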
@@ -354,11 +354,21 @@ resource "google_access_context_manager_service_perimeter_resource" "service_per
 resource = "projects/${google_project.main.number}"
 }
+/******************************************
+ Attachment to VPC Service Control Perimeter in Dry Run Mode
+ *****************************************/
+resource "google_access_context_manager_service_perimeter_dry_run_resource" "service_perimeter_attachment_dry_run" {
+ count = var.vpc_service_control_attach_dry_run && !var.vpc_service_control_attach_enabled ? 1 : 0
+ depends_on = [google_service_account.default_service_account]
+ perimeter_name = var.vpc_service_control_perimeter_name
+ resource = "projects/${google_project.main.number}"
+}
+
 /******************************************
 Enable Access Context Manager API
 *****************************************/
 resource "google_project_service" "enable_access_context_manager" {
- count = var.vpc_service_control_attach_enabled ? 1 : 0
+ count = var.vpc_service_control_attach_enabled || var.vpc_service_control_attach_dry_run ? 1 : 0
 project = google_project.main.number
 service = "accesscontextmanager.googleapis.com"
 }
diff --git a/modules/core_project_factory/outputs.tf b/modules/core_project_factory/outputs.tf
index dbb5f763..6a0cc36e 100644
--- a/modules/core_project_factory/outputs.tf
+++ b/modules/core_project_factory/outputs.tf
@@ -100,3 +100,8 @@ output "tag_bindings" {
 description = "Tag bindings"
 value = google_tags_tag_binding.bindings
 }
+
+output "usage_report_export_bucket" {
+ description = "GCE usage reports bucket"
+ value = try(google_project_usage_export_bucket.usage_report_export[0], null)
+}
diff --git a/modules/core_project_factory/variables.tf b/modules/core_project_factory/variables.tf
index f5202ed6..79b29e72 100644
--- a/modules/core_project_factory/variables.tf
+++ b/modules/core_project_factory/variables.tf
@@ -111,7 +111,7 @@ variable "activate_apis" {
 variable "activate_api_identities" {
 description = <
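Review bot: When both `vpc_service_control_attach_enabled` and `vpc_service_control_attach_dry_run` are true, the `count` on `service_perimeter_attachment_dry_run` silently evaluates to 0, so the project is attached in enforce mode although the caller asked for dry run, and nothing in the plan surfaces the conflict; the README only says the two flags "should" be mutually exclusive. A `lifecycle` precondition would turn the misconfiguration into a plan-time error, and Terraform 1.2+ is enough for it, which the README's 1.3+ test floor already covers. The precondition must sit on a resource that gets an instance when both flags are set, so the count should depend on the dry-run flag alone and the exclusion check moves into the precondition, as below.
```hcl
resource "google_access_context_manager_service_perimeter_dry_run_resource" "service_perimeter_attachment_dry_run" {
  count          = var.vpc_service_control_attach_dry_run ? 1 : 0
  depends_on     = [google_service_account.default_service_account]
  perimeter_name = var.vpc_service_control_perimeter_name
  resource       = "projects/${google_project.main.number}"

  lifecycle {
    precondition {
      condition     = !var.vpc_service_control_attach_enabled
      error_message = "vpc_service_control_attach_dry_run and vpc_service_control_attach_enabled are mutually exclusive; set only one of them."
    }
  }
}
# … unchanged: enable_access_context_manager …
```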