From 0005ab9f9b9d23e4747dae9e369f69bbaab40b27 Mon Sep 17 00:00:00 2001
From: Michael Lin
Date: Wed, 5 Jun 2024 16:46:11 -0700
Subject: [PATCH 1/6] fix: avoid `auto_provisioning_defaults` drift (#1806)
---
README.md | 2 +-
autogen/main/cluster.tf.tmpl | 5 ++
autogen/main/variables.tf.tmpl | 66 ++++++++++---------
cluster.tf | 5 ++
.../README.md | 2 +-
.../cluster.tf | 5 ++
.../variables.tf | 66 ++++++++++---------
modules/beta-private-cluster/README.md | 2 +-
modules/beta-private-cluster/cluster.tf | 5 ++
modules/beta-private-cluster/variables.tf | 66 ++++++++++---------
.../README.md | 2 +-
.../cluster.tf | 5 ++
.../variables.tf | 66 ++++++++++---------
modules/beta-public-cluster/README.md | 2 +-
modules/beta-public-cluster/cluster.tf | 5 ++
modules/beta-public-cluster/variables.tf | 66 ++++++++++---------
.../private-cluster-update-variant/README.md | 2 +-
.../private-cluster-update-variant/cluster.tf | 5 ++
.../variables.tf | 66 ++++++++++---------
modules/private-cluster/README.md | 2 +-
modules/private-cluster/cluster.tf | 5 ++
modules/private-cluster/variables.tf | 66 ++++++++++---------
variables.tf | 66 ++++++++++---------
23 files changed, 327 insertions(+), 255 deletions(-)
diff --git a/README.md b/README.md
index 5c569a14e6..cd04741814 100644
--- a/README.md
+++ b/README.md
@@ -143,7 +143,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 4e8fad174d..859499c51a 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -166,6 +166,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + {% if beta_cluster %} min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 124ff5c863..375df975b5 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
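Review bot: The two `lookup(var.cluster_autoscaling, ...)` calls in the added `shielded_instance_config` block carry fallbacks (`false`, `true`) that repeat the defaults this commit also declares on the variable as `optional(bool, false)` and `optional(bool, true)`, and again in the variable's `default` object. With typed optional defaults the attribute should always be present, so the fallback looks like dead code; that is worth confirming against the minimum Terraform version the module supports. Reading the values directly, `enable_secure_boot = var.cluster_autoscaling.enable_secure_boot` and `enable_integrity_monitoring = var.cluster_autoscaling.enable_integrity_monitoring`, keeps one source of truth, so a later change to the secure-boot default cannot be masked by a stale fallback. The same applies to the identical hunks in `cluster.tf` and each `modules/*/cluster.tf`, which appear to be generated from this template. The enclosing `google_container_cluster` resource starts and ends outside the hunk.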
@@ -244,39 +244,43 @@ variable "enable_resource_consumption_export" { {% if autopilot_cluster != true %} variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + 
auto_upgrade = true + disk_size = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/cluster.tf b/cluster.tf index bc391b164d..7bb3a42d4e 100644 --- a/cluster.tf +++ b/cluster.tf @@ -139,6 +139,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 45f5eb13d0..df021bbc49 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -176,7 +176,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
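Review bot: The `description` at the end of the `cluster_autoscaling` hunk in `autogen/main/variables.tf.tmpl` is left unchanged, so nothing tells a caller that node pools created by auto-provisioning get `enable_secure_boot = false` unless they opt in, while `enable_integrity_monitoring` is on by default. The defaults were presumably chosen to match what the API already reports, since the commit is about avoiding drift, but a user hardening a cluster would want this stated next to the variable. I would add a sentence to the description before the link, such as `enable_secure_boot and enable_integrity_monitoring configure Shielded GKE Nodes for auto-provisioned node pools; secure boot defaults to false.` The same description is repeated in the root `variables.tf` and each `modules/*/variables.tf`, and the README tables would presumably need regenerating afterwards.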
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 093d8d651e..a5b96fd63c 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index da2a3d8b97..f5bae458a5 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 2915dd3238..2fec641037 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -154,7 +154,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 185f113a13..4ec2614867 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index da2a3d8b97..f5bae458a5 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index e72edde309..eb71fa8cf5 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -170,7 +170,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 1a5b397c70..8461ae63b7 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 6cadf89cfd..0a3b46eefb 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index c31a9df9d9..5f1d6445f9 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -148,7 +148,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index cef6c02d86..0a92c4d317 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6cadf89cfd..0a3b46eefb 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 88a23661c9..ad4e7d90cf 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -171,7 +171,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
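Review bot: The unchanged `description` at the end of this hunk still only links to the REST reference, so a caller is not told that `enable_secure_boot` defaults to `false` and that node pools created by auto-provisioning therefore come up without Secure Boot unless it is set explicitly. The default presumably mirrors the value the API was already applying, which is what stops the drift, so I would keep it and document it, for example by appending `enable_secure_boot (default false) and enable_integrity_monitoring (default true) set the Shielded VM options of auto-provisioned node pools.` to the description string. The same applies to the variables.tf hunks for modules/private-cluster-update-variant, modules/private-cluster and the root module. The README tables look generated from this description and would need regenerating after the change.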
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 5289bd2255..a6bff1de29 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -139,6 +139,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c16ebc925e..9f3c9f0952 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index be4b37b691..692d0a0e79 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -149,7 +149,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 18afb5e0c2..7f3f78766b 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -139,6 +139,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c16ebc925e..9f3c9f0952 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/variables.tf b/variables.tf index 8c965b8ec8..bf850ccc99 100644 --- a/variables.tf +++ b/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } From c2df48408500ae91435441a36c702333afe0809e Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 02:50:47 +0000 Subject: [PATCH 2/6] chore(deps): Update Terraform terraform-google-modules/kubernetes-engine/google to v31 (#1966) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part3/terraform/gke.tf | 4 ++-- examples/deploy_service/main.tf | 2 +- examples/disable_client_cert/main.tf | 2 +- examples/island_cluster_with_vm_router/main.tf | 2 +- examples/node_pool/main.tf | 2 +- examples/node_pool_update_variant/main.tf | 2 +- examples/node_pool_update_variant_beta/main.tf | 2 +- examples/node_pool_update_variant_public_beta/main.tf | 2 +- examples/private_zonal_with_networking/main.tf | 2 +- examples/regional_private_node_pool_oauth_scopes/main.tf | 2 +- examples/safer_cluster/main.tf | 2 +- examples/safer_cluster_iap_bastion/cluster.tf | 2 +- examples/shared_vpc/main.tf | 2 +- examples/simple_autopilot_private/main.tf | 2 +- examples/simple_autopilot_private_non_default_sa/main.tf | 2 +- examples/simple_autopilot_public/main.tf | 2 +- examples/simple_regional/main.tf | 2 +- examples/simple_regional_beta/main.tf | 2 +- examples/simple_regional_private/main.tf | 2 +- examples/simple_regional_private_beta/main.tf | 2 +- .../simple_regional_private_with_cluster_version/main.tf | 2 +- examples/simple_regional_with_gateway_api/main.tf | 2 +- examples/simple_regional_with_kubeconfig/main.tf | 4 ++-- examples/simple_regional_with_networking/main.tf | 2 +- examples/simple_windows_node_pool/main.tf | 2 +- examples/simple_zonal_private/main.tf | 2 +- examples/simple_zonal_with_acm/acm.tf | 2 +- examples/simple_zonal_with_acm/main.tf | 2 +- examples/simple_zonal_with_asm/main.tf | 4 ++-- examples/simple_zonal_with_hub/hub.tf | 2 +- examples/simple_zonal_with_hub/main.tf | 2 +- 
examples/simple_zonal_with_hub_kubeconfig/hub.tf | 2 +- examples/stub_domains/main.tf | 2 +- examples/stub_domains_private/main.tf | 2 +- examples/stub_domains_upstream_nameservers/main.tf | 2 +- examples/upstream_nameservers/main.tf | 2 +- examples/workload_identity/main.tf | 8 ++++---- examples/workload_metadata_config/main.tf | 2 +- 40 files changed, 46 insertions(+), 46 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 45a627c467..7df2197cfe 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part1" region = var.region diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 816e2bde95..527d2ef100 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part2" region = var.region diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 6694582d56..ff4db070a5 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf 
@@ -33,7 +33,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part3" region = var.region @@ -48,7 +48,7 @@ module "gke" { module "wi" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" gcp_sa_name = "cnrmsa" cluster_name = module.gke.name name = "cnrm-controller-manager" diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index e825609a1f..a7151da4b2 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index af1e3f141d..535d5200a1 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/island_cluster_with_vm_router/main.tf b/examples/island_cluster_with_vm_router/main.tf index 86ce138888..5984412ee5 100644 --- a/examples/island_cluster_with_vm_router/main.tf +++ b/examples/island_cluster_with_vm_router/main.tf @@ -143,7 +143,7 @@ module "net" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 30.0" + version = "~> 31.0" depends_on = [google_compute_instance.vm] 
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 7626216fb7..634a3b2965 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index b18de30482..b526e656bd 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster-update-variant" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index c78d2bd050..99e9134518 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index dcab030f8b..4821df4ac6 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf 
@@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster-update-variant" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf index 1f7f4c2047..692a7bd1fd 100644 --- a/examples/private_zonal_with_networking/main.tf +++ b/examples/private_zonal_with_networking/main.tf @@ -61,7 +61,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/regional_private_node_pool_oauth_scopes/main.tf b/examples/regional_private_node_pool_oauth_scopes/main.tf index 0bba21cdaa..bf46331191 100644 --- a/examples/regional_private_node_pool_oauth_scopes/main.tf +++ b/examples/regional_private_node_pool_oauth_scopes/main.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "random-test-cluster" diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index ceea648aa5..5d6df90110 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -52,7 +52,7 @@ resource "random_shuffle" "version" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster-${random_string.suffix.result}" diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 9debb69001..8fbaa05646 100644 
--- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = var.cluster_name diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index 5ff24c3c02..5803a64c6f 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index 125ba24706..d98f7f00df 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index b9ff6e92a5..332e41f1cc 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 2fc462ca3a..451ef70317 100644 
--- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 5fc839611d..2127fa9eea 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index cd76c5dcc6..2c1f082af9 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index 2b120d14d8..25cf124ef9 100644 --- a/examples/simple_regional_private/main.tf +++ b/examples/simple_regional_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 43d2f7835f..822c7946ce 100644 
--- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_with_cluster_version/main.tf b/examples/simple_regional_private_with_cluster_version/main.tf index 6d95353710..23b5b83c99 100644 --- a/examples/simple_regional_private_with_cluster_version/main.tf +++ b/examples/simple_regional_private_with_cluster_version/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf index b96367d767..34500ada3a 100644 --- a/examples/simple_regional_with_gateway_api/main.tf +++ b/examples/simple_regional_with_gateway_api/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index a2fcc3c72e..7387bb0c15 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -45,7 +45,7 @@ module "gke" { module "gke_auth" { source = "terraform-google-modules/kubernetes-engine/google//modules/auth" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index 28363ea059..a37c1fb6e9 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf @@ -53,7 +53,7 @@ module "gcp-network" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf index 2ec1464bd3..0562eea5a4 100644 --- a/examples/simple_windows_node_pool/main.tf +++ b/examples/simple_windows_node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index a541829254..138bfcd314 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" 
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index cee5eda4d2..56d510cb89 100644 --- a/examples/simple_zonal_with_acm/acm.tf +++ b/examples/simple_zonal_with_acm/acm.tf @@ -16,7 +16,7 @@ module "acm" { source = "terraform-google-modules/kubernetes-engine/google//modules/acm" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index de06aa5d46..c62dc3b26b 100644 --- a/examples/simple_zonal_with_acm/main.tf +++ b/examples/simple_zonal_with_acm/main.tf @@ -32,7 +32,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index f9b368000a..f54653b1ed 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -28,7 +28,7 @@ data "google_project" "project" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "test-prefix-cluster-test-suffix" @@ -57,7 +57,7 @@ module "gke" { module "asm" { source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id cluster_name = module.gke.name diff --git a/examples/simple_zonal_with_hub/hub.tf b/examples/simple_zonal_with_hub/hub.tf index 36120501b3..5b7171ab4c 100644 --- a/examples/simple_zonal_with_hub/hub.tf +++ b/examples/simple_zonal_with_hub/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = module.gke.location 
diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index 4b4563d8d0..6c13cbdbbc 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_hub_kubeconfig/hub.tf b/examples/simple_zonal_with_hub_kubeconfig/hub.tf index 19e243947a..d904d87c6b 100644 --- a/examples/simple_zonal_with_hub_kubeconfig/hub.tf +++ b/examples/simple_zonal_with_hub_kubeconfig/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/hub-legacy" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = "remote" diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 8607a6fc72..82599a7534 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index 5ebc7a057a..5bb6268ffc 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -30,7 +30,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 02639383dd..5a95ab8e69 100644 
--- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 7349ab5cdf..876152ad28 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index fe1b13bfcd..98b406e31b 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -54,7 +54,7 @@ module "gke" { # example without existing KSA module "workload_identity" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "iden-${module.gke.name}" @@ -74,7 +74,7 @@ resource "kubernetes_service_account" "test" { module "workload_identity_existing_ksa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "existing-${module.gke.name}" 
@@ -93,7 +93,7 @@ resource "google_service_account" "custom" { module "workload_identity_existing_gsa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = google_service_account.custom.account_id diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index 856591c444..4ee285814d 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" From 15380ebc28bf05eb899da9dd15e8c0c85f74a512 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 09:05:42 -0700 Subject: [PATCH 3/6] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.15.1 (#1963) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 8 ++++---- test/integration/go.sum | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 66e00997e6..22c3f33686 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod 
@@ -1,11 +1,11 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration -go 1.21 +go 1.22 -toolchain go1.22.3 +toolchain go1.22.4 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1 github.com/gruntwork-io/terratest v0.46.15 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.1 @@ -109,7 +109,7 @@ require ( k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/kyaml v0.17.0 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/test/integration/go.sum b/test/integration/go.sum index ff32902444..86bcb3a020 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0 h1:zT+PND04OQ96kmnQorLFtuY4Ny3KZ4fqxdy9faxMS6A= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0/go.mod h1:Srfs5phdVU1kwoRWedu4hngTkwN3OILEWgUgE+IVp6s= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1 h1:c1tEK/Ma0NstqqkjS1tCClrFxIX1cNLdrM5cB03Sv24= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1/go.mod h1:bssUTs81Q0xIUg/dYT8/8fqEXOVB8GQVyngw9U79EN4= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -1080,8 +1080,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/kyaml v0.17.0 h1:G2bWs03V9Ur2PinHLzTUJ8Ded+30SzXZKiO92SRDs3c= -sigs.k8s.io/kustomize/kyaml v0.17.0/go.mod h1:6lxkYF1Cv9Ic8g/N7I86cvxNc5iinUo/P2vKsHNmpyE= +sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= From 29113e4c0fc5f69b7b5a7a53f059dd239b2c928d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 08:21:32 -0700 Subject: [PATCH 4/6] chore(deps): Update nginx Docker tag to v1.27.0 (#1970) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/deploy_service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index a7151da4b2..418cc61ed1 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" { spec { container { - image = "nginx:1.26.0" + image = "nginx:1.27.0" name = "nginx-example" } } From 329c08f5a0410fc89af018407151e521896248d1 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Tue, 11 Jun 2024 12:33:04 -0700 Subject: [PATCH 5/6] chore(CI): add CURRENT_STATE_DECRYPTED (#1974) --- .../disable_client_cert/testdata/TestDisableClientCert.json | 1 + .../testdata/TestPrivateZonalWithNetworking.json | 1 + test/integration/safer_cluster/testdata/TestSaferCluster.json | 1 + .../sandbox_enabled/testdata/TestSandboxEnabled.json | 1 + .../testdata/TestSimpleAutopilotPrivate.json | 1 + .../testdata/TestSimpleAutopilotPublic.json | 1 + .../simple_regional/testdata/TestSimpleRegional.json | 1 + .../testdata/TestSimpleRegionalPrivate.json | 1 + .../simple_regional_with_gateway_api/controls/gcloud.rb | 2 +- test/integration/simple_regional_with_ipv6/controls/gcloud.rb | 2 +- .../testdata/TestSimpleRegionalWithKubeConfig.json | 1 + .../testdata/TestSimpleRegionalWithNetworking.json | 1 + .../testdata/TestSimpleWindowsNodePool.json | 1 + test/integration/simple_zonal/testdata/TestSimpleZonal.json | 1 + .../simple_zonal_private/testdata/TestSimpleZonalPrivate.json | 1 + 15 files changed, 15 insertions(+), 2 deletions(-) diff --git a/test/integration/disable_client_cert/testdata/TestDisableClientCert.json b/test/integration/disable_client_cert/testdata/TestDisableClientCert.json index d10f0d2945..235c0a8b8b 100755 --- a/test/integration/disable_client_cert/testdata/TestDisableClientCert.json +++ b/test/integration/disable_client_cert/testdata/TestDisableClientCert.json @@ -27,6 +27,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.24.7-gke.900", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json index 51f49e2285..c6bdd3f7cb 100755 --- a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json 
+++ b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json @@ -27,6 +27,7 @@ "currentNodeCount": 1, "currentNodeVersion": "1.24.7-gke.900", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/safer_cluster/testdata/TestSaferCluster.json b/test/integration/safer_cluster/testdata/TestSaferCluster.json index cb1bdb3674..e2836b34c7 100755 --- a/test/integration/safer_cluster/testdata/TestSaferCluster.json +++ b/test/integration/safer_cluster/testdata/TestSaferCluster.json @@ -29,6 +29,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.23.14-gke.401", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json b/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json index cb2ffe680c..6ba2bb70cb 100755 --- a/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json +++ b/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json @@ -25,6 +25,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.24.7-gke.900", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json index 997ba9b5e5..62103f7ee9 100644 --- a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json +++ b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json @@ -70,6 +70,7 @@ "currentNodeCount": 2, "currentNodeVersion": "1.24.7-gke.900", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { 
diff --git a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json index 0e92769fe6..d014c325dc 100644 --- a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json +++ b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json @@ -70,6 +70,7 @@ "currentNodeCount": 2, "currentNodeVersion": "1.24.7-gke.900", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_regional/testdata/TestSimpleRegional.json b/test/integration/simple_regional/testdata/TestSimpleRegional.json index 85c8e55db7..16d6297fdc 100644 --- a/test/integration/simple_regional/testdata/TestSimpleRegional.json +++ b/test/integration/simple_regional/testdata/TestSimpleRegional.json @@ -38,6 +38,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.27.3-gke.100", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json b/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json index 295ae578f7..4c9fbcd32b 100644 --- a/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json +++ b/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json @@ -25,6 +25,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.25.4-gke.2100", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb b/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb index 14722175bd..631eae3d2a 100644 --- a/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb 
+++ b/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb @@ -66,7 +66,7 @@ end it "has the expected databaseEncryption config" do - expect(data['databaseEncryption']).to eq({ + expect(data['databaseEncryption']).to include({ "state" => 'DECRYPTED', }) end diff --git a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb index 6b3e65e3ce..0080ed5c14 100644 --- a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb +++ b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb @@ -64,7 +64,7 @@ end it "has the expected databaseEncryption config" do - expect(data['databaseEncryption']).to eq({ + expect(data['databaseEncryption']).to include({ "state" => 'DECRYPTED', }) end diff --git a/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json b/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json index 33e3de8c05..216876af9f 100644 --- a/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json +++ b/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json @@ -25,6 +25,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.25.5-gke.1500", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json b/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json index 5c2b2478f4..82160d884e 100644 --- a/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json +++ b/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json 
@@ -25,6 +25,7 @@ "currentNodeCount": 3, "currentNodeVersion": "1.25.5-gke.1500", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json b/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json index d5569ab489..b1cb9ae910 100644 --- a/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json +++ b/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json @@ -35,6 +35,7 @@ "currentNodeCount": 2, "currentNodeVersion": "1.24.7-gke.900", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_zonal/testdata/TestSimpleZonal.json b/test/integration/simple_zonal/testdata/TestSimpleZonal.json index 5d1987285b..79b4b79a8b 100644 --- a/test/integration/simple_zonal/testdata/TestSimpleZonal.json +++ b/test/integration/simple_zonal/testdata/TestSimpleZonal.json @@ -26,6 +26,7 @@ "currentNodeCount": 4, "currentNodeVersion": "1.25.6-gke.1000", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { diff --git a/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json b/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json index 0172ee91fd..c0f5e13070 100644 --- a/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json +++ b/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json @@ -25,6 +25,7 @@ "currentNodeCount": 1, "currentNodeVersion": "1.25.5-gke.1500", "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", "state": "DECRYPTED" }, "defaultMaxPodsConstraint": { From 6dd46d133edc317e36fe0eb1aecbebd3c36fe6f0 Mon Sep 17 00:00:00 2001 
From: Naveen Mandadhi Date: Wed, 12 Jun 2024 15:56:28 -0500 Subject: [PATCH 6/6] chore: add gke island cluster anywhere in GCP design (#1967) --- .../README.md | 37 ++++ .../main.tf | 93 ++++++++ .../manifests/k8s.yaml | 88 ++++++++ .../network.tf | 207 ++++++++++++++++++ .../outputs.tf | 19 ++ .../router.tf | 54 +++++ .../terraform.tfvars | 46 ++++ .../variables.tf | 78 +++++++ .../versions.tf | 28 +++ 9 files changed, 650 insertions(+) create mode 100644 examples/island_cluster_anywhere_in_gcp_design/README.md create mode 100644 examples/island_cluster_anywhere_in_gcp_design/main.tf create mode 100644 examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml create mode 100644 examples/island_cluster_anywhere_in_gcp_design/network.tf create mode 100644 examples/island_cluster_anywhere_in_gcp_design/outputs.tf create mode 100644 examples/island_cluster_anywhere_in_gcp_design/router.tf create mode 100644 examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars create mode 100644 examples/island_cluster_anywhere_in_gcp_design/variables.tf create mode 100644 examples/island_cluster_anywhere_in_gcp_design/versions.tf diff --git a/examples/island_cluster_anywhere_in_gcp_design/README.md b/examples/island_cluster_anywhere_in_gcp_design/README.md new file mode 100644 index 0000000000..73a18ff5ca --- /dev/null +++ b/examples/island_cluster_anywhere_in_gcp_design/README.md 
@@ -0,0 +1,37 @@
+# GKE island cluster anywhere in GCP design
+
+This example provisions a cluster in an island VPC allowing reuse of the IP address space for multiple clusters across different GCP organizations.
+
+## Deploy
+
+1. Create NCC hub.
+2. Update `ncc_hub_project_id`, `ncc_hub_name`, `network_name` and gke spokes in `terraform.tfvars`.
+3. Run `terraform apply`.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gke\_spokes | n/a | `any` | n/a | yes |
+| ingress\_ip\_addrs\_subnet\_cidr | Subnet to use for reserving internal ip addresses for the ILBs. | `string` | n/a | yes |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes |
+| ncc\_hub\_name | n/a | `string` | n/a | yes |
+| ncc\_hub\_project\_id | n/a | `string` | n/a | yes |
+| net\_attachment\_subnet\_cidr | Subnet for the router PSC interface network attachment in island network. | `string` | n/a | yes |
+| node\_locations | n/a | `list(string)` | n/a | yes |
+| primary\_net\_name | Primary VPC network name. | `string` | n/a | yes |
+| primary\_subnet | Subnet to use in primary network to deploy the router. | `string` | n/a | yes |
+| proxy\_subnet\_cidr | CIDR for the regional managed proxy subnet. | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| router\_machine\_type | n/a | `string` | n/a | yes |
+| secondary\_ranges | n/a | `map(string)` | n/a | yes |
+| subnet\_cidr | Primary subnet CIDR used by the cluster. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cluster\_ids | n/a |
+
+
diff --git a/examples/island_cluster_anywhere_in_gcp_design/main.tf b/examples/island_cluster_anywhere_in_gcp_design/main.tf
new file mode 100644
index 0000000000..8dbbe9894b
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/main.tf
@@ -0,0 +1,93 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "rand" {
+ byte_length = 4
+}
+
+resource "google_service_account" "gke-sa" {
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ account_id = "gke-sa-${random_id.rand.hex}"
+ project = each.value["project_id"]
+}
+
+module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
+ version = "~> 31.0"
+
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = each.value["cluster_name"]
+ project_id = each.value["project_id"]
+ region = var.region
+ release_channel = "RAPID"
+ zones = var.node_locations
+ network = module.net[each.key].network_name
+ subnetwork = "${each.value["cluster_name"]}-${var.region}-snet"
+ ip_range_pods = "${each.value["cluster_name"]}-${var.region}-snet-pods"
+ ip_range_services = "${each.value["cluster_name"]}-${var.region}-snet-services"
+ enable_private_endpoint = true
+ enable_private_nodes = true
+ datapath_provider = "ADVANCED_DATAPATH"
+ monitoring_enable_managed_prometheus = false
+ enable_shielded_nodes = true
+ master_global_access_enabled = false
+ master_ipv4_cidr_block = var.secondary_ranges["master_cidr"]
+ master_authorized_networks = var.master_authorized_networks
+ deletion_protection = false
+ remove_default_node_pool = true
+ disable_default_snat = true
+ gateway_api_channel = "CHANNEL_STANDARD"
+
+ node_pools = [
+ {
+ name =
"default"
+ machine_type = "e2-highcpu-2"
+ min_count = 1
+ max_count = 100
+ local_ssd_count = 0
+ spot = true
+ local_ssd_ephemeral_count = 0
+ disk_size_gb = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ logging_variant = "DEFAULT"
+ auto_repair = true
+ auto_upgrade = true
+ service_account = google_service_account.gke-sa[each.key].email
+ initial_node_count = 1
+ enable_secure_boot = true
+ },
+ ]
+
+ node_pools_tags = {
+ all = ["gke-${random_id.rand.hex}"]
+ }
+
+ node_pools_oauth_scopes = {
+ all = [
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ ]
+ }
+
+ timeouts = {
+ create = "15m"
+ update = "15m"
+ delete = "15m"
+ }
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml b/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml
new file mode 100644
index 0000000000..b728ce8a59
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml
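Review bot: The node identity `google_service_account.gke-sa` is passed to the node pool through `service_account`, but nothing in this file grants it any role, so unless a file outside this hunk adds the bindings the nodes may be unable to write logs and metrics even though the `logging.write` and `monitoring` scopes are set. Its `account_id` is also the same `gke-sa-${random_id.rand.hex}` for every spoke, which would collide if two spokes share a `project_id`. Binding only `roles/logging.logWriter` and `roles/monitoring.metricWriter` in each spoke project keeps the identity least-privileged while preserving node telemetry; the sketch below assumes `gke_spokes` is a map keyed by spoke name.

```hcl
# … unchanged: resource "google_service_account" "gke-sa" …

# Minimum roles for the node identity to ship logs and metrics.
resource "google_project_iam_member" "gke-sa-node" {
  for_each = {
    for pair in setproduct(keys(var.gke_spokes), ["roles/logging.logWriter", "roles/monitoring.metricWriter"]) :
    "${pair[0]}/${pair[1]}" => { spoke = pair[0], role = pair[1] }
  }

  project = var.gke_spokes[each.value.spoke]["project_id"]
  role    = each.value.role
  member  = "serviceAccount:${google_service_account.gke-sa[each.value.spoke].email}"
}
```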
@@ -0,0 +1,88 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: whereami
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: whereami
+ template:
+ metadata:
+ labels:
+ app: whereami
+ spec:
+ containers:
+ - name: whereami
+ image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.19
+ ports:
+ - name: http
+ containerPort: 8080
+ resources:
+ requests:
+ cpu: "50m"
+ memory: 128Mi
+ limits:
+ cpu: "100m"
+ memory: 256Mi
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: whereami
+spec:
+ type: ClusterIP
+ selector:
+ app: whereami
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+---
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: l7-ilb
+spec:
+ gatewayClassName: gke-l7-rilb
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ addresses:
+ - type: NamedAddress
+ value: gke-spoke-1-l7-rilb-ip
+---
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: whereami
+spec:
+ parentRefs:
+ - kind: Gateway
+ name: l7-ilb
+ rules:
+ - backendRefs:
+ - name: whereami
+ port: 80
diff --git a/examples/island_cluster_anywhere_in_gcp_design/network.tf b/examples/island_cluster_anywhere_in_gcp_design/network.tf
new file mode 100644
index 0000000000..a0539c8252
--- /dev/null
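Review bot: The `whereami` container in the Deployment has no `securityContext`, so it keeps the runtime's default capabilities and can gain privileges through setuid binaries, and its image is referenced by the mutable tag `v1.2.19` rather than a digest. Because example manifests tend to be copied as-is, a pod-level `seccompProfile` of `RuntimeDefault` plus a container-level `allowPrivilegeEscalation: false` with all capabilities dropped are cheap defaults that should not affect a service listening on 8080; `runAsNonRoot: true` is worth adding once the image's user is confirmed. The Gateway's `NamedAddress` value `gke-spoke-1-l7-rilb-ip` is hard-coded and presumably has to match an address reserved elsewhere in the example, so a comment saying where it comes from would help.

```yaml
      # pod template spec of the whereami Deployment
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: whereami
        # … unchanged: image, ports, resources, readinessProbe …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```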
+++ b/examples/island_cluster_anywhere_in_gcp_design/network.tf 
@@ -0,0 +1,207 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "net" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 9.0"
+
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ network_name = "gke-net-${random_id.rand.hex}"
+ routing_mode = "GLOBAL"
+ project_id = each.value["project_id"]
+
+ subnets = [
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-snet"
+ subnet_ip = var.subnet_cidr
+ subnet_region = var.region
+ subnet_private_access = "true"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-int-ip-addr-snet"
+ subnet_ip = var.ingress_ip_addrs_subnet_cidr
+ subnet_region = var.region
+ subnet_private_access = "true"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-net-attachment-snet"
+ subnet_ip = var.net_attachment_subnet_cidr
+ subnet_region = var.region
+ subnet_private_access = "true"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-proxy-snet"
+ subnet_ip = var.proxy_subnet_cidr
+ subnet_region = var.region
+ purpose = "REGIONAL_MANAGED_PROXY"
+ role = "ACTIVE"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-private-nat-snet"
+ subnet_ip = each.value["private_nat_subnet_cidr"]
+ subnet_region = var.region
+ subnet_private_access = "true"
+ purpose = "PRIVATE_NAT"
+ },
+ ]
+
+ secondary_ranges = {
+ "${each.value["cluster_name"]}-${var.region}-snet" = [
+ {
+ range_name = "${each.value["cluster_name"]}-${var.region}-snet-pods"
+ ip_cidr_range = var.secondary_ranges["pods"]
+ },
+ {
+ range_name = "${each.value["cluster_name"]}-${var.region}-snet-services"
+ ip_cidr_range = var.secondary_ranges["services"]
+ },
+ ]
+ }
+
+ firewall_rules = [
+ {
+ name = "${each.value["cluster_name"]}-iap"
+ direction = "INGRESS"
+ allow = [
+ {
+ protocol = "TCP"
+ ports = ["22"]
+ }
+ ]
+ ranges = ["35.235.240.0/20"]
+ },
+ {
+ name = "${each.value["cluster_name"]}-tcp-primary"
+ direction = "INGRESS"
+ allow = [
+ {
+ protocol = "TCP"
+ }
+ ]
+ ranges = [
+ var.net_attachment_subnet_cidr
+ ]
+ },
+ {
+ name = "${each.value["cluster_name"]}-allow-proxy"
+ direction = "INGRESS"
+ allow = [
+ {
+ protocol = "TCP"
+ }
+ ]
+ ranges = [var.proxy_subnet_cidr]
+ target_service_accounts = [google_service_account.gke-sa[each.key].email]
+ },
+ ]
+}
+
+resource "google_compute_route" "primary_to_spoke" {
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "primary-to-spoke-for-${each.value["cluster_name"]}"
+ description = "primary to GKE spoke through router"
+ project = var.ncc_hub_project_id
+ network = var.primary_net_name
+ dest_range = each.value["spoke_netmap_subnet"]
+ next_hop_instance = google_compute_instance.vm[each.key].id
+}
+
+resource "google_network_connectivity_spoke" "spoke" {
+ provider = google-beta
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "${each.value["cluster_name"]}-spoke-${random_id.rand.hex}"
+ project = each.value["project_id"]
+ location = "global"
+ description = "vpc spoke for inter vpc nat"
+ hub = "projects/${var.ncc_hub_project_id}/locations/global/hubs/${var.ncc_hub_name}"
+ linked_vpc_network {
+ exclude_export_ranges = [
+ var.subnet_cidr,
+ var.ingress_ip_addrs_subnet_cidr,
+ var.net_attachment_subnet_cidr,
+ var.secondary_ranges["pods"],
+ var.secondary_ranges["services"],
+ var.secondary_ranges["master_cidr"],
+ var.proxy_subnet_cidr
+ ]
+ uri = module.net[each.key].network_self_link
+ }
+}
+
+resource "google_compute_network_attachment" "router_net_attachment" {
+ provider = google-beta
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "net-attachment-${each.value["cluster_name"]}"
+ project = each.value["project_id"]
+ region = var.region
+ description = "router network attachment for cluster ${each.value["cluster_name"]}"
+ connection_preference = "ACCEPT_MANUAL"
+
+ subnetworks = [
+ module.net[each.key].subnets["${var.region}/${each.value["cluster_name"]}-${var.region}-net-attachment-snet"]["self_link"]
+ ]
+
+ producer_accept_lists = [
+ var.ncc_hub_project_id
+ ]
+}
+
+module "cloud_router" {
+ source = "terraform-google-modules/cloud-router/google"
+ version = "~> 6.0"
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "router-${each.value["cluster_name"]}-${random_id.rand.hex}"
+ project = each.value["project_id"]
+ network = module.net[each.key].network_name
+ region = var.region
+}
+
+resource "google_compute_router_nat" "nat_type" {
+ provider = google-beta
+ depends_on = [module.cloud_router]
+
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "private-nat-${random_id.rand.hex}"
+ router = "router-${each.value["cluster_name"]}-${random_id.rand.hex}"
+ project = each.value["project_id"]
+ region = var.region
+ source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+ type = "PRIVATE"
+ rules {
+ rule_number = 100
+ description = "rule for private nat"
+ match = "nexthop.hub == \"//networkconnectivity.googleapis.com/projects/${var.ncc_hub_project_id}/locations/global/hubs/${var.ncc_hub_name}\""
+ action {
+ source_nat_active_ranges = [
+ module.net[each.key].subnets["${var.region}/${each.value["cluster_name"]}-${var.region}-private-nat-snet"]["self_link"]
+ ]
+ }
+ }
+}
+
+resource "google_compute_address" "gke-l7-rilb-ip" {
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "${each.value["cluster_name"]}-l7-rilb-ip"
+ address_type = "INTERNAL"
+ region = var.region
+ project = each.value["project_id"]
+ subnetwork = module.net[each.key].subnets["${var.region}/${each.value["cluster_name"]}-${var.region}-int-ip-addr-snet"]["self_link"]
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/outputs.tf b/examples/island_cluster_anywhere_in_gcp_design/outputs.tf
new file mode 100644
index 0000000000..438d3f7be0
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/outputs.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cluster_ids" {
+ value = [for c in module.gke : c.cluster_id]
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/router.tf b/examples/island_cluster_anywhere_in_gcp_design/router.tf
new file mode 100644
index 0000000000..3e91f328de
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/router.tf
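Review bot: In `module "net"` of network.tf, the `-tcp-primary` firewall rule allows every TCP port from `var.net_attachment_subnet_cidr` and, like the `-iap` rule above it, names no target, so both apply to every instance in the spoke VPC. The `-allow-proxy` rule in the same list already scopes itself with `target_service_accounts = [google_service_account.gke-sa[each.key].email]` (that service account is defined outside this hunk); adding the same line to the other two rules, plus a `ports` list on `-tcp-primary` limited to what the router is meant to forward, would narrow them to the intended path. None of the three rules enables firewall logging, which an example that routes traffic between VPCs would benefit from when someone has to trace a connection later.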
@@ -0,0 +1,54 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_instance" "vm" {
+ provider = google-beta
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ project = var.ncc_hub_project_id
+ zone = var.node_locations[0]
+ name = "${each.value["cluster_name"]}-router-${random_id.rand.hex}"
+ machine_type = var.router_machine_type
+ allow_stopping_for_update = true
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-12"
+ }
+ }
+ can_ip_forward = true
+ shielded_instance_config {
+ enable_secure_boot = true
+ }
+ network_interface {
+ subnetwork = var.primary_subnet
+ }
+ network_interface {
+ network_attachment = google_compute_network_attachment.router_net_attachment[each.key].self_link
+ }
+ metadata_startup_script = <<-EOT
+ #!/bin/bash
+ set -ex
+ sudo apt-get update
+ echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
+ sudo sysctl -p
+ sudo iptables -t nat -A PREROUTING -d ${each.value["spoke_netmap_subnet"]} -i ens4 -j NETMAP --to ${var.ingress_ip_addrs_subnet_cidr}
+ GWY_URL="http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway"
+ GWY_IP=$(curl $${GWY_URL} -H "Metadata-Flavor: Google")
+ sudo ip route add ${var.ingress_ip_addrs_subnet_cidr} via $${GWY_IP} dev ens5
+ sudo iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
+ sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
+ EOT
+}
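Review bot: The startup script of `google_compute_instance.vm` turns on `ip_forward` and adds only `nat` table rules, so the `filter` table's FORWARD chain keeps its default policy; unless a VPC firewall outside this hunk restricts it, the VM will route whatever it receives between the primary network and the island on any port. I would state the intended path explicitly before the NAT rules: `sudo iptables -P FORWARD DROP`, `sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, `sudo iptables -A FORWARD -i ens4 -o ens5 -d ${var.ingress_ip_addrs_subnet_cidr} -j ACCEPT`. If island-to-primary forwarding is also intended (the `-o ens4` MASQUERADE suggests it might be), that direction needs its own ACCEPT rule. Because both interfaces masquerade, the island only ever sees the router's address, so client attribution has to come from logging on this VM or on the primary network.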
diff --git a/examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars b/examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars
new file mode 100644
index 0000000000..ebdd1f0e13
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars
@@ -0,0 +1,46 @@
+ncc_hub_project_id = ""
+ncc_hub_name = ""
+region = "us-central1"
+primary_net_name = ""
+primary_subnet = "projects//regions/us-central1/subnetworks/"
+gke_spokes = [
+ {
+ project_id = "",
+ cluster_name = "gke-spoke-1",
+ private_nat_subnet_cidr = "100.65.1.0/24",
+ spoke_netmap_subnet = "10.244.0.0/28"
+ },
+ {
+ project_id = "",
+ cluster_name = "gke-spoke-2",
+ private_nat_subnet_cidr = "100.65.2.0/24",
+ spoke_netmap_subnet = "10.244.0.16/28"
+ },
+ {
+ project_id = "",
+ cluster_name = "gke-spoke-3",
+ private_nat_subnet_cidr = "100.65.3.0/24",
+ spoke_netmap_subnet = "10.244.0.32/28"
+ }
+]
+node_locations = [
+ "us-central1-a",
+ "us-central1-b",
+ "us-central1-f"
+]
+subnet_cidr = "100.64.0.0/19"
+net_attachment_subnet_cidr = "100.64.87.0/29"
+router_machine_type = "n2-highcpu-4"
+secondary_ranges = {
+ pods = "100.64.32.0/19"
+ services = "100.64.64.0/20"
+ master_cidr = "100.64.96.32/28"
+}
+proxy_subnet_cidr = "100.64.83.0/24"
+ingress_ip_addrs_subnet_cidr = "100.64.84.0/28"
+master_authorized_networks = [
+ {
+ cidr_block = "100.64.0.0/10"
+ display_name = "cluster net"
+ }
+]
diff --git a/examples/island_cluster_anywhere_in_gcp_design/variables.tf b/examples/island_cluster_anywhere_in_gcp_design/variables.tf
new file mode 100644
index 0000000000..293165c18f
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/variables.tf
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "region" {
+ type = string
+}
+
+variable "node_locations" {
+ type = list(string)
+}
+
+variable "subnet_cidr" {
+ type = string
+ description = "Primary subnet CIDR used by the cluster."
+}
+
+variable "net_attachment_subnet_cidr" {
+ type = string
+ description = "Subnet for the router PSC interface network attachment in island network."
+}
+
+variable "ingress_ip_addrs_subnet_cidr" {
+ type = string
+ description = "Subnet to use for reserving internal ip addresses for the ILBs."
+}
+
+variable "proxy_subnet_cidr" {
+ type = string
+ description = "CIDR for the regional managed proxy subnet."
+}
+
+variable "secondary_ranges" {
+ type = map(string)
+}
+
+variable "master_authorized_networks" {
+ type = list(object({ cidr_block = string, display_name = string }))
+ description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
+}
+
+variable "primary_net_name" {
+ type = string
+ description = "Primary VPC network name."
+}
+
+variable "ncc_hub_project_id" {
+ type = string
+}
+
+variable "ncc_hub_name" {
+ type = string
+}
+
+variable "router_machine_type" {
+ type = string
+}
+
+variable "primary_subnet" {
+ type = string
+ description = "Subnet to use in primary network to deploy the router."
+}
+
+variable "gke_spokes" {
+ type = any
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/versions.tf b/examples/island_cluster_anywhere_in_gcp_design/versions.tf
new file mode 100644
index 0000000000..4818f24fa7
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/versions.tf
@@ -0,0 +1,28 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ }
+ }
+}
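Review bot: `variable "gke_spokes"` at the end of variables.tf is declared `type = any` with no description, yet the other files in this example index `project_id`, `cluster_name`, `private_nat_subnet_cidr` and `spoke_netmap_subnet` on every element, and router.tf interpolates `spoke_netmap_subnet` straight into a startup script that runs `sudo iptables`. Declaring `type = list(object({ project_id = string, cluster_name = string, private_nat_subnet_cidr = string, spoke_netmap_subnet = string }))` and adding a `validation` block whose condition is `alltrue([for s in var.gke_spokes : can(cidrhost(s.spoke_netmap_subnet, 0))])` would reject malformed values at plan time instead of at boot. `region`, `node_locations`, `secondary_ranges`, `ncc_hub_project_id`, `ncc_hub_name` and `router_machine_type` are also missing a `description`; `secondary_ranges` in particular should say that the keys `pods`, `services` and `master_cidr` are expected.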