From 78865b4b99e1f349ef7b66e06dac718ca93dde34 Mon Sep 17 00:00:00 2001 From: Maksym Date: Sat, 23 Sep 2023 15:01:44 +0800 Subject: [PATCH] feat!: Add support for additional pod secondary ranges at the cluster level (#1738) Co-authored-by: Maksym Kursin Co-authored-by: Bharath KKB --- README.md | 1 + autogen/main/cluster.tf.tmpl | 6 ++++++ autogen/main/main.tf.tmpl | 4 ++-- autogen/main/variables.tf.tmpl | 6 ++++++ autogen/main/versions.tf.tmpl | 6 +++--- cluster.tf | 6 ++++++ main.tf | 2 +- modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 6 ++++++ modules/beta-autopilot-private-cluster/main.tf | 2 +- modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 6 ++++++ modules/beta-autopilot-public-cluster/main.tf | 2 +- modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 6 ++++++ modules/beta-private-cluster-update-variant/main.tf | 2 +- modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 6 ++++++ modules/beta-private-cluster/main.tf | 2 +- modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 6 ++++++ modules/beta-public-cluster-update-variant/main.tf | 2 +- modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 6 ++++++ modules/beta-public-cluster/main.tf | 2 +- modules/beta-public-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/versions.tf | 4 ++-- modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 6 ++++++ modules/private-cluster-update-variant/main.tf | 2 +- modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 6 ++++++ modules/private-cluster/main.tf | 2 +- modules/private-cluster/variables.tf | 6 ++++++ modules/private-cluster/versions.tf | 2 +- variables.tf | 6 ++++++ versions.tf | 2 +- 49 files changed, 158 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 45881e57fa..fdb677beb9 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 6312993cb4..69da5b71c5 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -337,6 +337,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 26c410d5fc..7d3110e834 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -90,9 +90,9 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} {% if autopilot_cluster != true %} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools): local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0] )) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] {% else %} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0])) : [] {% endif %} {% if autopilot_cluster != true %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 2525d07242..e7a2e77f2c 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -139,6 +139,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 784680c9bd..d2a2b93b4f 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" @@ -46,7 +46,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/cluster.tf b/cluster.tf index 5767bce6db..8334f7db01 100644 --- a/cluster.tf +++ b/cluster.tf @@ -220,6 +220,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/main.tf b/main.tf index 2cf4877992..1aa928a202 100644 --- a/main.tf +++ b/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index bda0297ff9..ee45b31d3e 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -74,6 +74,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 5e79c23dac..7ed8a9fd17 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -138,6 +138,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index dd7466ff31..897a6bce8b 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -62,7 +62,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0])) : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 86483f30d9..b3171164cf 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -131,6 +131,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 1e0bb3f35d..94a6a4feb1 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index f788a817a8..5b7da3d32e 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -68,6 +68,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 4c9569106a..901ffe4889 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -138,6 +138,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 874bbb76f9..09183c0c7f 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -62,7 +62,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0])) : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index c8776f6853..0cbb512b96 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -131,6 +131,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 5c9a7f479a..395be4698d 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index e9aed6200b..10b1630c32 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -167,6 +167,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 0234c223f2..e81bea4c69 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -277,6 +277,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 931844d9a5..37a123edd6 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 119f9a5c09..f872cf31bc 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 5b33710694..ac420da8e6 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f47073beca..b3a75fc13f 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -145,6 +145,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 02c6f3fca3..2646fa3858 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -277,6 +277,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 931844d9a5..37a123edd6 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 119f9a5c09..f872cf31bc 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 01acd8f3b2..4132fa898d 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 2ea2d6489d..8782c424f1 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -161,6 +161,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 43b03300df..b240b2739f 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -277,6 +277,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index c6327ea6f5..f94626a147 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 05bab8df6b..f1247ad30e 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 1c70d8a3c1..285c24c848 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index eee0349812..39cee6f597 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -139,6 +139,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 1183a20d12..aa6cefa09c 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -277,6 +277,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index c6327ea6f5..f94626a147 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 05bab8df6b..f1247ad30e 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 90b615732b..5bfc9dcdc3 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 0eea714f74..097fb66526 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -163,6 +163,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index a6bcda84ee..6db8bb3e5a 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -220,6 +220,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 54d054edc0..2ef1d88410 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 22e808f617..f06b1e9d95 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 127daffdd5..dd78320bc0 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index edbe5304d0..3ebfe4acf7 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -141,6 +141,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 9b3b5217ef..dc50906bd6 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -220,6 +220,12 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + dynamic "additional_pod_ranges_config" { + for_each = length(var.additional_ip_range_pods) != 0 ? [1] : [] + content { + pod_range_names = var.additional_ip_range_pods + } + } } maintenance_policy { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 54d054edc0..2ef1d88410 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -79,7 +79,7 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] cluster_network_policy = var.network_policy ? [{ enabled = true diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 22e808f617..f06b1e9d95 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index b485db03fd..c323f025ff 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/variables.tf b/variables.tf index 69911eb955..e5757a9b07 100644 --- a/variables.tf +++ b/variables.tf @@ -137,6 +137,12 @@ variable "ip_range_pods" { description = "The _name_ of the secondary subnet ip range to use for pods" } +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + variable "ip_range_services" { type = string description = "The _name_ of the secondary subnet range to use for services" diff --git a/versions.tf b/versions.tf index b8db42966b..dc299651d1 100644 --- a/versions.tf +++ b/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes"