diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index fd82bbd19f..5adaae2b2f 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -434,14 +434,12 @@ resource "google_container_cluster" "primary" { enable_private_endpoint = private_cluster_config.value.enable_private_endpoint enable_private_nodes = private_cluster_config.value.enable_private_nodes master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block - {% if beta_cluster %} dynamic "master_global_access_config" { for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] content { enabled = master_global_access_config.value } } - {% endif %} } } {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 923e1cc9b3..3d5225e339 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -410,16 +410,18 @@ variable "master_ipv4_cidr_block" { description = "(Beta) The IP range in CIDR notation to use for the hosted master network" default = "10.0.0.0/28" } -{% if beta_cluster %} variable "master_global_access_enabled" { type = bool - description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." - + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." + + {% if beta_cluster %} default = true + {% else %} + default = false + {% endif %} } {% endif %} -{% endif %} variable "dns_cache" { type = bool diff --git a/modules/acm/README.md b/modules/acm/README.md index 769bcf97bb..de785bccd5 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -74,6 +74,7 @@ data "google_client_config" "default" {} | enable\_policy\_controller | Whether to enable the ACM Policy Controller on the cluster | `bool` | `true` | no | | enable\_referential\_rules | Enables referential constraints which reference another object in it definition and are therefore eventually consistent. | `bool` | `true` | no | | hierarchy\_controller | Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/anthos-config-management/docs/how-to/installing-hierarchy-controller) for more details | `map(any)` | `null` | no | +| https\_proxy | URL for the HTTPS proxy to be used when communicating with the Git repo. | `string` | `null` | no | | install\_template\_library | Whether to install the default Policy Controller template library | `bool` | `true` | no | | location | GCP location used to reach cluster. | `string` | n/a | yes | | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | `string` | `""` | no | diff --git a/modules/acm/feature.tf b/modules/acm/feature.tf index bd928551d0..3bb977388a 100644 --- a/modules/acm/feature.tf +++ b/modules/acm/feature.tf @@ -47,6 +47,7 @@ resource "google_gke_hub_feature_membership" "main" { sync_branch = var.sync_branch != "" ? var.sync_branch : null sync_rev = var.sync_revision != "" ? var.sync_revision : null secret_type = var.secret_type + https_proxy = var.https_proxy } } diff --git a/modules/acm/variables.tf b/modules/acm/variables.tf index c225a45a79..f9bf8a41f5 100644 --- a/modules/acm/variables.tf +++ b/modules/acm/variables.tf @@ -90,6 +90,12 @@ variable "secret_type" { default = "ssh" } +variable "https_proxy" { + description = "URL for the HTTPS proxy to be used when communicating with the Git repo." + type = string + default = null +} + variable "create_ssh_key" { description = "Controls whether a key will be generated for Git authentication" type = bool diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index a51c08ecaa..edc894d1fe 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -108,7 +108,7 @@ Then perform the following commands on the root folder: | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 1c9530ef3b..c241e385b4 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -295,7 +295,7 @@ variable "master_ipv4_cidr_block" { variable "master_global_access_enabled" { type = bool - description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." default = true } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 66e5fba227..80b7d787a4 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -224,7 +224,7 @@ Then perform the following commands on the root folder: | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 4cc44fe307..31c0f37c57 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -398,7 +398,7 @@ variable "master_ipv4_cidr_block" { variable "master_global_access_enabled" { type = bool - description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." default = true } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 716fff38d2..06f0beb5c6 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -202,7 +202,7 @@ Then perform the following commands on the root folder: | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 4cc44fe307..31c0f37c57 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -398,7 +398,7 @@ variable "master_ipv4_cidr_block" { variable "master_global_access_enabled" { type = bool - description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." default = true } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index c418c1946b..8b2e05e7c7 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -202,6 +202,7 @@ Then perform the following commands on the root folder: | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 315265d189..7c4811b0f2 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -274,6 +274,12 @@ resource "google_container_cluster" "primary" { enable_private_endpoint = private_cluster_config.value.enable_private_endpoint enable_private_nodes = private_cluster_config.value.enable_private_nodes master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + dynamic "master_global_access_config" { + for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] + content { + enabled = master_global_access_config.value + } + } } } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 6a2e1b4eeb..b42b4396bb 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -372,6 +372,13 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "master_global_access_enabled" { + type = bool + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." + + default = false +} + variable "dns_cache" { type = bool description = "The status of the NodeLocal DNSCache addon." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index f2c19387b1..7379373c5b 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -180,6 +180,7 @@ Then perform the following commands on the root folder: | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 1af16cc510..e2f369d375 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -274,6 +274,12 @@ resource "google_container_cluster" "primary" { enable_private_endpoint = private_cluster_config.value.enable_private_endpoint enable_private_nodes = private_cluster_config.value.enable_private_nodes master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + dynamic "master_global_access_config" { + for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] + content { + enabled = master_global_access_config.value + } + } } } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 6a2e1b4eeb..b42b4396bb 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -372,6 +372,13 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "master_global_access_enabled" { + type = bool + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." + + default = false +} + variable "dns_cache" { type = bool description = "The status of the NodeLocal DNSCache addon."