From 2dbe85c0200bd6aa7283d0e789f1e9aa20938c9a Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Tue, 16 Jul 2024 16:13:51 -0400 Subject: [PATCH 1/6] bump identity_service_config to ga --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 14 +++++++------- autogen/main/main.tf.tmpl | 5 +++-- autogen/main/outputs.tf.tmpl | 11 +++++------ autogen/main/variables.tf.tmpl | 13 ++++++++----- cluster.tf | 7 +++++++ main.tf | 3 +++ modules/beta-autopilot-private-cluster/main.tf | 5 +++-- modules/beta-autopilot-private-cluster/outputs.tf | 9 ++++----- .../beta-autopilot-private-cluster/variables.tf | 2 ++ modules/beta-autopilot-public-cluster/main.tf | 5 +++-- modules/beta-autopilot-public-cluster/outputs.tf | 9 ++++----- modules/beta-autopilot-public-cluster/variables.tf | 2 ++ .../beta-private-cluster-update-variant/cluster.tf | 14 +++++++------- .../beta-private-cluster-update-variant/main.tf | 5 +++-- .../beta-private-cluster-update-variant/outputs.tf | 9 ++++----- .../variables.tf | 9 +++++---- modules/beta-private-cluster/cluster.tf | 14 +++++++------- modules/beta-private-cluster/main.tf | 5 +++-- modules/beta-private-cluster/outputs.tf | 9 ++++----- modules/beta-private-cluster/variables.tf | 9 +++++---- .../beta-public-cluster-update-variant/cluster.tf | 14 +++++++------- modules/beta-public-cluster-update-variant/main.tf | 5 +++-- .../beta-public-cluster-update-variant/outputs.tf | 9 ++++----- .../variables.tf | 9 +++++---- modules/beta-public-cluster/cluster.tf | 14 +++++++------- modules/beta-public-cluster/main.tf | 5 +++-- modules/beta-public-cluster/outputs.tf | 9 ++++----- modules/beta-public-cluster/variables.tf | 9 +++++---- modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 7 +++++++ modules/private-cluster-update-variant/main.tf | 3 +++ modules/private-cluster-update-variant/outputs.tf | 5 +++++ .../private-cluster-update-variant/variables.tf | 7 +++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 7 +++++++ modules/private-cluster/main.tf | 3 +++ modules/private-cluster/outputs.tf | 5 +++++ modules/private-cluster/variables.tf | 7 +++++++ outputs.tf | 5 +++++ variables.tf | 7 +++++++ 41 files changed, 189 insertions(+), 106 deletions(-) diff --git a/README.md b/README.md index f78a2470e1..09f8b4159c 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | @@ -258,6 +259,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 5d5b5a6bcc..5ff606c353 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -216,6 +216,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -234,13 +241,6 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value } } - - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } {% endif %} {% endif %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index dbeef5fc7a..bcfcfdabdf 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -163,12 +163,12 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false {% if beta_cluster %} # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -226,6 +226,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + {% if autopilot_cluster != true %} cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates @@ -239,7 +241,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 7bf4b04ab9..9c533ce198 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -223,18 +223,17 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } - -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } {% endif %} +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index c429de7f35..a9da88404c 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -880,19 +880,22 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } + {% endif %} +{% endif %} -variable "enable_gcfs" { +{% if autopilot_cluster != true %} +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } - {% endif %} {% endif %} + {% if autopilot_cluster %} variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." diff --git a/cluster.tf b/cluster.tf index 1bdf843645..918685b820 100644 --- a/cluster.tf +++ b/cluster.tf @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility diff --git a/main.tf b/main.tf index 68624dd498..f4e73b6306 100644 --- a/main.tf +++ b/main.tf @@ -123,6 +123,7 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ @@ -168,6 +169,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index c8843bbcea..78a5f4c3df 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -91,11 +91,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -130,11 +130,12 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index a7ecafb1d4..a4fcecd4cb 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -178,17 +178,16 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } -output "secret_manager_addon_enabled" { - description = "Whether Secret Manager add-on is enabled" - value = local.cluster_secret_manager_addon_enabled -} - output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 017f13766e..3d91a7fdd8 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -486,6 +486,8 @@ variable "enable_l4_ilb_subsetting" { description = "Enable L4 ILB Subsetting on the cluster" default = false } + + variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 04d1560feb..c07cabbd8c 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -90,11 +90,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -129,11 +129,12 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 15700691ae..2dd0cee97f 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -168,17 +168,16 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } -output "secret_manager_addon_enabled" { - description = "Whether Secret Manager add-on is enabled" - value = local.cluster_secret_manager_addon_enabled -} - output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index f73b556115..248e18bf28 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -456,6 +456,8 @@ variable "enable_l4_ilb_subsetting" { description = "Enable L4 ILB Subsetting on the cluster" default = false } + + variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 630ccc6669..e9d40a4014 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index c99571da2d..8871203901 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -136,11 +136,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -188,6 +188,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -196,7 +198,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index fedfd98dcb..a819774c93 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -204,17 +204,16 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } -output "secret_manager_addon_enabled" { - description = "Whether Secret Manager add-on is enabled" - value = local.cluster_secret_manager_addon_enabled -} - output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 1dc85ac867..2d5dd198dd 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -844,18 +844,19 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 88469dd152..5a7f7847c7 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index c99571da2d..8871203901 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -136,11 +136,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -188,6 +188,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -196,7 +198,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index fedfd98dcb..a819774c93 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -204,17 +204,16 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } -output "secret_manager_addon_enabled" { - description = "Whether Secret Manager add-on is enabled" - value = local.cluster_secret_manager_addon_enabled -} - output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 1dc85ac867..2d5dd198dd 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -844,18 +844,19 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 91608910c7..1069db0ee0 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 2c68d8c4d7..a69dd7d7dd 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -135,11 +135,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -187,6 +187,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -195,7 +197,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index a2cb3583f8..933b9667b7 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -194,17 +194,16 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } -output "secret_manager_addon_enabled" { - description = "Whether Secret Manager add-on is enabled" - value = local.cluster_secret_manager_addon_enabled -} - output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 6175048ab5..eda6856559 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -814,18 +814,19 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 102b17e3da..53c0ae3811 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 2c68d8c4d7..a69dd7d7dd 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -135,11 +135,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -187,6 +187,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -195,7 +197,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index a2cb3583f8..933b9667b7 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -194,17 +194,16 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } -output "secret_manager_addon_enabled" { - description = "Whether Secret Manager add-on is enabled" - value = local.cluster_secret_manager_addon_enabled -} - output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6175048ab5..eda6856559 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -814,18 +814,19 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 98d97d5a35..53ac15a36a 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | @@ -291,6 +292,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 2872a0649e..69270570a2 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 7525e01485..fa54ba0f73 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -124,6 +124,7 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ @@ -169,6 +170,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index fbc4cf14ee..eeec118921 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -190,6 +190,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 31e1435bce..3243357434 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -771,6 +771,13 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 6ed41131d3..12c11c315c 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | @@ -269,6 +270,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 4216d133d0..f117c3ee6b 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 7525e01485..fa54ba0f73 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -124,6 +124,7 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ @@ -169,6 +170,8 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index fbc4cf14ee..eeec118921 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -190,6 +190,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 31e1435bce..3243357434 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -771,6 +771,13 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/outputs.tf b/outputs.tf index 442fd87a7a..c6a853f743 100644 --- a/outputs.tf +++ b/outputs.tf @@ -180,6 +180,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/variables.tf b/variables.tf index 087a42b962..578a3b0c4e 100644 --- a/variables.tf +++ b/variables.tf @@ -741,6 +741,13 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string From ed55165fe30e4386d3a8999f4d8cbe4a15e7a4e1 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Thu, 18 Jul 2024 14:46:25 -0400 Subject: [PATCH 2/6] Update autogen/main/variables.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/variables.tf.tmpl | 1 - 1 file changed, 1 deletion(-) diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 982c432f67..a9da55d219 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -901,7 +901,6 @@ variable "enable_identity_service" { default = false } {% endif %} - {% if autopilot_cluster %} variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." From d1a734e003edf1090607b0dfd12766344b6d110a Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Thu, 18 Jul 2024 14:46:29 -0400 Subject: [PATCH 3/6] Update autogen/main/main.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/main.tf.tmpl | 1 - 1 file changed, 1 deletion(-) diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 72738ae3d4..5356f7dd69 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -227,7 +227,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - {% if autopilot_cluster != true %} cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates From d04888c58a994f0646b849d630a53002f0517559 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Thu, 18 Jul 2024 14:46:34 -0400 Subject: [PATCH 4/6] Update autogen/main/outputs.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/outputs.tf.tmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 9c533ce198..bd11d979b3 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -223,6 +223,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled From 5935034df77ec2a99a9626cb66072af531aacab4 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Thu, 18 Jul 2024 14:59:08 -0400 Subject: [PATCH 5/6] bump identity_service_config to ga --- main.tf | 1 - .../beta-autopilot-private-cluster/main.tf | 1 - .../beta-autopilot-private-cluster/outputs.tf | 1 + .../variables.tf | 1 - modules/beta-autopilot-public-cluster/main.tf | 1 - .../beta-autopilot-public-cluster/outputs.tf | 1 + .../variables.tf | 1 - .../main.tf | 1 - .../outputs.tf | 1 + .../variables.tf | 1 - modules/beta-private-cluster/main.tf | 1 - modules/beta-private-cluster/outputs.tf | 1 + modules/beta-private-cluster/variables.tf | 1 - .../main.tf | 1 - .../outputs.tf | 1 + .../variables.tf | 1 - modules/beta-public-cluster/main.tf | 1 - modules/beta-public-cluster/outputs.tf | 1 + modules/beta-public-cluster/variables.tf | 1 - .../private-cluster-update-variant/README.md | 155 ------------------ .../private-cluster-update-variant/main.tf | 1 - .../variables.tf | 1 - modules/private-cluster/main.tf | 1 - modules/private-cluster/variables.tf | 1 - variables.tf | 1 - 25 files changed, 6 insertions(+), 173 deletions(-) diff --git a/main.tf b/main.tf index 4f5dc23dde..f7bb8b486b 100644 --- a/main.tf +++ b/main.tf @@ -170,7 +170,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 98f4021ac7..836c151bc1 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -132,7 +132,6 @@ locals { cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index a4fcecd4cb..66610c3682 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -178,6 +178,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 2cfb4890ef..7d9fd4262e 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -493,7 +493,6 @@ variable "enable_l4_ilb_subsetting" { default = false } - variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index e8840d4ab4..fb8af5bef8 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -131,7 +131,6 @@ locals { cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 2dd0cee97f..98cf3fbdd3 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -168,6 +168,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index ab0bbe3bf8..fc60d9c42e 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -463,7 +463,6 @@ variable "enable_l4_ilb_subsetting" { default = false } - variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 1b44b1b2f2..1bfa3658a5 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -189,7 +189,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index a819774c93..99a88a3264 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -204,6 +204,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 4222ad86f8..62717aff0d 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -862,7 +862,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 1b44b1b2f2..1bfa3658a5 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -189,7 +189,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index a819774c93..99a88a3264 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -204,6 +204,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 4222ad86f8..62717aff0d 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -862,7 +862,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 99ce6c6dd6..0039ec882f 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -188,7 +188,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 933b9667b7..9747767770 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -194,6 +194,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 2df9c970ba..71c4561b65 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -832,7 +832,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 99ce6c6dd6..0039ec882f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -188,7 +188,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 933b9667b7..9747767770 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -194,6 +194,7 @@ output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled } + output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 2df9c970ba..71c4561b65 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -832,7 +832,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index cb64b72928..70304fdc65 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -162,161 +162,6 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | -| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | -| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | -| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | 
object({
    enabled                     = bool
    autoscaling_profile         = string
    min_cpu_cores               = number
    max_cpu_cores               = number
    min_memory_gb               = number
    max_memory_gb               = number
    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))
    auto_repair                 = bool
    auto_upgrade                = bool
    disk_size                   = optional(number)
    disk_type                   = optional(string)
    image_type                  = optional(string)
    strategy                    = optional(string)
    max_surge                   = optional(number)
    max_unavailable             = optional(number)
    node_pool_soak_duration     = optional(string)
    batch_soak_duration         = optional(string)
    batch_percentage            = optional(number)
    batch_node_count            = optional(number)
    enable_secure_boot          = optional(bool, false)
    enable_integrity_monitoring = optional(bool, true)
  })
| 
{
  "auto_repair": true,
  "auto_upgrade": true,
  "autoscaling_profile": "BALANCED",
  "disk_size": 100,
  "disk_type": "pd-standard",
  "enable_integrity_monitoring": true,
  "enable_secure_boot": false,
  "enabled": false,
  "gpu_resources": [],
  "image_type": "COS_CONTAINERD",
  "max_cpu_cores": 0,
  "max_memory_gb": 0,
  "min_cpu_cores": 0,
  "min_memory_gb": 0
}
| no | -| cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | -| cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | -| cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | -| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| config\_connector | Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | -| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | -| create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | 
[
  {
    "key_name": "",
    "state": "DECRYPTED"
  }
]
| no | -| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | -| deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no | -| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | -| description | The description of the cluster | `string` | `""` | no | -| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | -| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | -| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | -| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | -| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | -| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | -| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | -| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | -| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | -| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | -| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | -| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | -| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | -| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | -| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | -| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | -| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | -| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | -| gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | -| http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | -| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | -| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | -| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | -| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | -| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | -| monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | -| monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | -| name | The name of the cluster (required) | `string` | n/a | yes | -| network | The VPC network to host the cluster in (required) | `string` | n/a | yes | -| network\_policy | Enable network policy addon | `bool` | `false` | no | -| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | -| node\_pools | List of maps containing node pools | `list(map(any))` | 
[
  {
    "name": "default-node-pool"
  }
]
| no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | -| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | 
{
  "all": [
    "https://www.googleapis.com/auth/cloud-platform"
  ],
  "default-node-pool": []
}
| no | -| node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | 
{
  "all": [],
  "default-node-pool": []
}
| no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | 
{
  "all": [],
  "default-node-pool": []
}
| no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | 
[
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16"
]
| no | -| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | -| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | -| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | -| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | -| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | -| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | -| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | -| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | -| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | 
object({
    metadata = string
  })
| 
{
  "metadata": "INCLUDE_ALL_METADATA"
}
| no | -| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | -| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | -| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | -| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cluster\_id | Cluster ID | -| dns\_cache\_enabled | Whether DNS Cache enabled | -| endpoint | Cluster endpoint | -| fleet\_membership | Fleet membership (if registered) | -| gateway\_api\_channel | The gateway api channel of this cluster. | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity pool | -| identity\_service\_enabled | Whether Identity Service is enabled | -| instance\_group\_urls | List of GKE generated instance groups | -| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | -| master\_version | Current master kubernetes version | -| mesh\_certificates\_config | Mesh certificates configuration | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | Node pool versions by node pool name | -| peering\_name | The name of the peering between this cluster and the Google owned VPC. | -| region | Cluster region | -| release\_channel | The release channel of this cluster | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | -| type | Cluster type (regional / zonal) | -| vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | -| zones | List of zones in which the cluster resides | - ## node_pools variable diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 71a054ec09..90702177dd 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -171,7 +171,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 22adf0032c..abf2a688ff 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -783,7 +783,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 71a054ec09..90702177dd 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -171,7 +171,6 @@ locals { confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled - cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 22adf0032c..abf2a688ff 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -783,7 +783,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/variables.tf b/variables.tf index fd562055af..338f0c4f3a 100644 --- a/variables.tf +++ b/variables.tf @@ -753,7 +753,6 @@ variable "enable_identity_service" { default = false } - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string From 863524f0460ad7c2fed6845ad3a8e172101da1a2 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Thu, 18 Jul 2024 15:27:46 -0400 Subject: [PATCH 6/6] bump kubelet config to ga + minor doc fixes --- .../private-cluster-update-variant/README.md | 155 ++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 70304fdc65..cb64b72928 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -162,6 +162,161 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | +| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | +| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | 
object({
    enabled                     = bool
    autoscaling_profile         = string
    min_cpu_cores               = number
    max_cpu_cores               = number
    min_memory_gb               = number
    max_memory_gb               = number
    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))
    auto_repair                 = bool
    auto_upgrade                = bool
    disk_size                   = optional(number)
    disk_type                   = optional(string)
    image_type                  = optional(string)
    strategy                    = optional(string)
    max_surge                   = optional(number)
    max_unavailable             = optional(number)
    node_pool_soak_duration     = optional(string)
    batch_soak_duration         = optional(string)
    batch_percentage            = optional(number)
    batch_node_count            = optional(number)
    enable_secure_boot          = optional(bool, false)
    enable_integrity_monitoring = optional(bool, true)
  })
| 
{
  "auto_repair": true,
  "auto_upgrade": true,
  "autoscaling_profile": "BALANCED",
  "disk_size": 100,
  "disk_type": "pd-standard",
  "enable_integrity_monitoring": true,
  "enable_secure_boot": false,
  "enabled": false,
  "gpu_resources": [],
  "image_type": "COS_CONTAINERD",
  "max_cpu_cores": 0,
  "max_memory_gb": 0,
  "min_cpu_cores": 0,
  "min_memory_gb": 0
}
| no | +| cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | +| cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | +| cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | +| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | +| config\_connector | Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | +| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | +| create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | +| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | 
[
  {
    "key_name": "",
    "state": "DECRYPTED"
  }
]
| no | +| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | +| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | +| deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no | +| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | +| description | The description of the cluster | `string` | `""` | no | +| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | +| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | +| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | +| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | +| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | +| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | +| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | +| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | +| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | +| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | +| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | +| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | +| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | +| gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | +| http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | +| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | +| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | +| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | +| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | +| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | +| monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | +| name | The name of the cluster (required) | `string` | n/a | yes | +| network | The VPC network to host the cluster in (required) | `string` | n/a | yes | +| network\_policy | Enable network policy addon | `bool` | `false` | no | +| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | +| node\_pools | List of maps containing node pools | `list(map(any))` | 
[
  {
    "name": "default-node-pool"
  }
]
| no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | +| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | 
{
  "all": [
    "https://www.googleapis.com/auth/cloud-platform"
  ],
  "default-node-pool": []
}
| no | +| node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | 
{
  "all": {},
  "default-node-pool": {}
}
| no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | 
{
  "all": [],
  "default-node-pool": []
}
| no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | 
{
  "all": [],
  "default-node-pool": []
}
| no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | 
[
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16"
]
| no | +| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | +| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | +| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | +| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | +| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | 
object({
    metadata = string
  })
| 
{
  "metadata": "INCLUDE_ALL_METADATA"
}
| no | +| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | +| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | +| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | +| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| cluster\_id | Cluster ID | +| dns\_cache\_enabled | Whether DNS Cache enabled | +| endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | +| gateway\_api\_channel | The gateway api channel of this cluster. | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | +| instance\_group\_urls | List of GKE generated instance groups | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | +| master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_names | List of node pools names | +| node\_pools\_versions | Node pool versions by node pool name | +| peering\_name | The name of the peering between this cluster and the Google owned VPC. | +| region | Cluster region | +| release\_channel | The release channel of this cluster | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | +| type | Cluster type (regional / zonal) | +| vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | +| zones | List of zones in which the cluster resides | + ## node_pools variable