diff --git a/README.md b/README.md index 9f35eb7b50..cca8e719ac 100644 --- a/README.md +++ b/README.md 
@@ -222,13 +222,14 @@ Then perform the following commands on the root folder: | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({|
metadata = string
})
{| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 35e7c05031..1d1b10cfb4 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -309,6 +309,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } @@ -853,7 +861,7 @@ resource "google_container_node_pool" "windows_pools" { {% endif %} dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 49b847fcba..11b15736b7 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -109,6 +109,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] {% endif %} {% if beta_cluster and autopilot_cluster != true %} cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 3f845ede9a..39e764f3a1 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -580,7 +580,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } @@ -731,6 +731,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + {% endif %} variable "timeouts" { type = map(string) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 4dbcebecae..31c1e0d04a 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
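Review bot: Setting `stateful_ha` back to `false` on a cluster where it was previously `true` may not actually turn the addon off, because the new local `stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []` omits the `stateful_ha_config` block entirely instead of sending `enabled = false`; whether the provider then leaves the addon as-is or reports perpetual drift is not visible from the hunk and is worth a quick enable-then-disable test. The neighbouring `gke_backup_agent_config` local already uses the explicit form `var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]`, so `stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [{ enabled = false }]` would follow that precedent, provided an always-present block is acceptable on the `>= 5.25.0` provider floor this commit sets. The `locals` block this line belongs to starts and ends outside the hunk, and the same line is reproduced verbatim in the generated root `main.tf` and module `main.tf` files, so the template is the place to change it.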
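Review bot: `security_posture_vulnerability_mode` now documents three accepted values, but the variable still has no `validation` block, so a typo such as `VULNERABILITY_ENTERPISE` is rejected only by the GKE API at apply time rather than at plan time. A `contains(...)` validation that mirrors the description keeps the accepted-value list enforced in one place; the generated module copies of this variable would pick it up on the next regeneration. From what I recall, `VULNERABILITY_ENTERPRISE` also depends on GKE Enterprise being enabled for the project or fleet, so a sentence to that effect in the description would save users a failed apply — please confirm against the current GKE documentation before adding it. If the `5.25.0` provider floor introduced in this commit also accepts `ENTERPRISE` for the sibling `security_posture_mode`, that description could be updated in the same pass; I have not verified this.
```hcl
variable "security_posture_vulnerability_mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["VULNERABILITY_DISABLED", "VULNERABILITY_BASIC", "VULNERABILITY_ENTERPRISE"], var.security_posture_vulnerability_mode)
    error_message = "security_posture_vulnerability_mode must be one of VULNERABILITY_DISABLED, VULNERABILITY_BASIC or VULNERABILITY_ENTERPRISE."
  }
}
```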
@@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 2eae51d4bd..88da0f4adc 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -476,7 +476,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`" type = string default = null } diff --git a/cluster.tf b/cluster.tf index 78450925b9..5839a11c6c 100644 --- a/cluster.tf +++ b/cluster.tf @@ -229,6 +229,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } @@ -571,7 +579,7 @@ resource "google_container_node_pool" "pools" { dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } 
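Review bot: The rewritten description for `security_posture_vulnerability_mode` in the safer-cluster template ends without the sentence-final period that the other module variants keep after `VULNERABILITY_ENTERPRISE`, so the generated READMEs will differ in punctuation between modules; adding the period restores consistency. This variant defaults to `null` rather than `VULNERABILITY_DISABLED`, so if a `validation` block is later added to enforce the documented values it must allow the default, for example `var.security_posture_vulnerability_mode == null || contains([...], var.security_posture_vulnerability_mode)`. The variable block is fully contained in the hunk.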
@@ -787,7 +795,7 @@ resource "google_container_node_pool" "windows_pools" { dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 9c997717dc..45a627c467 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 2c0d637463..816e2bde95 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 9f43da79bc..6694582d56 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project disable_services_on_destroy = false 
diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index 8665a9b3d1..f72733494f 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 11a34fa0c6..5fc839611d 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -45,4 +45,5 @@ module "gke" { gcs_fuse_csi_driver = true fleet_project = var.project_id deletion_protection = false + stateful_ha = true } diff --git a/main.tf b/main.tf index 4025b6063c..2536671a13 100644 --- a/main.tf +++ b/main.tf @@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 9a8ba5529b..9e2e75794d 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -132,7 +132,7 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 21e9e1c2af..b364595144 100644 
--- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -406,7 +406,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 1d0a0e5984..7580b366e9 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 256ee9594a..12dfbd4a6c 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -121,7 +121,7 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e4402016ef..4de57f2186 100644 
--- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -376,7 +376,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 073f851245..5cf26c9d4e 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 4a8749665a..25668d1688 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -272,13 +272,14 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
"metadata": "INCLUDE_ALL_METADATA"
}
object({|
metadata = string
})
{| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index bb08e9c7a6..aad857010b 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } @@ -737,7 +745,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } 
@@ -979,7 +987,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index f7ef1e33d2..3389a4a7a1 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 1e224dab3d..f020bdf571 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -556,7 +556,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } @@ -702,6 +702,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index b5a118d0d6..3d48de936d 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f614da039c..ba18785991 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -250,13 +250,14 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
"metadata": "INCLUDE_ALL_METADATA"
}
object({|
metadata = string
})
{| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 6569b5bbbb..2ee0d36d81 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } @@ -662,7 +670,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -903,7 +911,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } 
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index f7ef1e33d2..3389a4a7a1 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 1e224dab3d..f020bdf571 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -556,7 +556,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } @@ -702,6 +702,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 2232e58ef1..1b0043e5ec 100644 
--- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 9d8c747db3..77dc7b85f5 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -261,13 +261,14 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
"metadata": "INCLUDE_ALL_METADATA"
}
object({|
metadata = string
})
{| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no |
+| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 76df60f9ea..829f8a734e 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "stateful_ha_config" {
+ for_each = local.stateful_ha_config
+
+ content {
+ enabled = stateful_ha_config.value.enabled
+ }
+ }
+
 config_connector_config {
 enabled = var.config_connector
 }
@@ -718,7 +726,7 @@ resource "google_container_node_pool" "pools" {
 }
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
@@ -960,7 +968,7 @@ resource "google_container_node_pool" "windows_pools" {
 }
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index d92b11fadd..a14251068c 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -94,6 +94,7 @@ locals {
 logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
+ stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
 cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {}
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index b30abac532..f5fab8c8f8 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -526,7 +526,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -672,6 +672,12 @@ variable "gcs_fuse_csi_driver" {
 default = false
 }
+variable "stateful_ha" {
+ type = bool
+ description = "Whether the Stateful HA Addon is enabled for this cluster."
+ default = false
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index bbfa6c9a90..1c2823a6b6 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index d196ac6ff8..31b4320598 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -239,13 +239,14 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
"metadata": "INCLUDE_ALL_METADATA"
}
object({|
metadata = string
})
{| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no |
+| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 01a6fd29c5..4723a7f68e 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "stateful_ha_config" {
+ for_each = local.stateful_ha_config
+
+ content {
+ enabled = stateful_ha_config.value.enabled
+ }
+ }
+
 config_connector_config {
 enabled = var.config_connector
 }
@@ -643,7 +651,7 @@ resource "google_container_node_pool" "pools" {
 }
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
@@ -884,7 +892,7 @@ resource "google_container_node_pool" "windows_pools" {
 }
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index d92b11fadd..a14251068c 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -94,6 +94,7 @@ locals {
 logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
+ stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
 cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {}
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index b30abac532..f5fab8c8f8 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -526,7 +526,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -672,6 +672,12 @@ variable "gcs_fuse_csi_driver" {
 default = false
 }
+variable "stateful_ha" {
+ type = bool
+ description = "Whether the Stateful HA Addon is enabled for this cluster."
+ default = false
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index c5f1cb6548..02d99f1f80 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf
index 81cbb620c2..8e09bb13eb 100644
--- a/modules/binary-authorization/main.tf
+++ b/modules/binary-authorization/main.tf
@@ -25,7 +25,7 @@ locals {
 module "project-services" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
- version = "~> 14.0"
+ version = "~> 15.0"
 project_id = var.project_id
 activate_apis = local.required_enabled_apis
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 940fc161f1..bbf508a0e7 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -255,13 +255,14 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
"metadata": "INCLUDE_ALL_METADATA"
}
object({|
metadata = string
})
{| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no |
+| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 1c1048d273..3914ed54c0 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -229,6 +229,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "stateful_ha_config" {
+ for_each = local.stateful_ha_config
+
+ content {
+ enabled = stateful_ha_config.value.enabled
+ }
+ }
+
 config_connector_config {
 enabled = var.config_connector
 }
@@ -665,7 +673,7 @@ resource "google_container_node_pool" "pools" {
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
@@ -882,7 +890,7 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index f2a6e28ea8..fb7f0edf1c 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -94,6 +94,7 @@ locals {
 logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
+ stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
 security_group = var.authenticator_security_group
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 56197217bb..523e6f44a3 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -532,7 +532,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -678,6 +678,12 @@ variable "gcs_fuse_csi_driver" {
 default = false
 }
+variable "stateful_ha" {
+ type = bool
+ description = "Whether the Stateful HA Addon is enabled for this cluster."
+ default = false
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 9dabaf2c1a..86fc0ee1b3 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -233,13 +233,14 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
"metadata": "INCLUDE_ALL_METADATA"
}
object({|
metadata = string
})
{| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no |
+| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 88f148b99f..67f1661bb9 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -229,6 +229,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "stateful_ha_config" {
+ for_each = local.stateful_ha_config
+
+ content {
+ enabled = stateful_ha_config.value.enabled
+ }
+ }
+
 config_connector_config {
 enabled = var.config_connector
 }
@@ -590,7 +598,7 @@ resource "google_container_node_pool" "pools" {
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
@@ -806,7 +814,7 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index f2a6e28ea8..fb7f0edf1c 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -94,6 +94,7 @@ locals {
 logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
+ stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
 security_group = var.authenticator_security_group
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 56197217bb..523e6f44a3 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -532,7 +532,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -678,6 +678,12 @@ variable "gcs_fuse_csi_driver" {
 default = false
 }
+variable "stateful_ha" {
+ type = bool
+ description = "Whether the Stateful HA Addon is enabled for this cluster."
+ default = false
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 274199a59f..ee2e8bee69 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -270,7 +270,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. | `string` | `null` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE` | `string` | `null` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index c98da16f81..d6e72d35c4 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -476,7 +476,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`"
 type = string
 default = null
 }
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 274199a59f..ee2e8bee69 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -270,7 +270,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. | `string` | `null` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE` | `string` | `null` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
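Review bot: The new description string in this hunk drops the terminating period that the old line had and that the private-cluster and root variants of the same variable keep, and the identical hunk in modules/safer-cluster/variables.tf does the same. The README rows in this commit appear to be generated from these descriptions, so the inconsistency is also visible in the two safer-cluster README tables. Ending the string with a period, so it reads "… and `VULNERABILITY_ENTERPRISE`.", keeps the four modules aligned.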
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index c98da16f81..d6e72d35c4 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -476,7 +476,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`"
 type = string
 default = null
 }
diff --git a/modules/services/main.tf b/modules/services/main.tf
index 74dbc89e18..9ef548c06a 100644
--- a/modules/services/main.tf
+++ b/modules/services/main.tf
@@ -16,7 +16,7 @@ module "services" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
- version = "~> 14.0"
+ version = "~> 15.0"
 project_id = var.project_id
 enable_apis = var.enable_apis
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 6f7ec7f963..10cccf883e 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -2,7 +2,7 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/te
 go 1.21
-toolchain go1.21.9
+toolchain go1.21.10
 require (
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1
diff --git a/test/integration/simple_regional/testdata/TestSimpleRegional.json b/test/integration/simple_regional/testdata/TestSimpleRegional.json
index 1c22283ddb..85c8e55db7 100644
--- a/test/integration/simple_regional/testdata/TestSimpleRegional.json
+++ b/test/integration/simple_regional/testdata/TestSimpleRegional.json
@@ -17,6 +17,9 @@
 },
 "networkPolicyConfig": {
 "disabled": true
+ },
+ "statefulHaConfig": {
+ "enabled": true
 }
 },
 "autopilot": {},
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 2e6f551f91..f0b3e278a6 100644
--- a/test/setup/main.tf
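Review bot: The fixture now expects `"statefulHaConfig": { "enabled": true }` for the simple_regional test, which only holds if the example behind that test sets `stateful_ha = true`; the example change is not in this chunk, and with the module default of `false` the new local emits no block at all, so the assertion would fail rather than exercise the addon. If the intent is instead to cover the default, the fixture should assert whatever the API reports for a cluster that never enabled the addon, which I cannot read off this diff.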
+++ b/test/setup/main.tf
@@ -45,7 +45,7 @@ locals {
 module "gke-project-1" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 14.0"
+ version = "~> 15.0"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -69,7 +69,7 @@ module "gke-project-1" {
 module "gke-project-2" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 14.0"
+ version = "~> 15.0"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -91,7 +91,7 @@ module "gke-project-2" {
 # apis as documented https://cloud.google.com/service-mesh/docs/scripted-install/reference#setting_up_your_project
 module "gke-project-asm" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 14.0"
+ version = "~> 15.0"
 name = "ci-gke-asm-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
diff --git a/variables.tf b/variables.tf
index acad329e75..86fd4e048a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -502,7 +502,7 @@ variable "security_posture_mode" {
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -648,6 +648,12 @@ variable "gcs_fuse_csi_driver" {
 default = false
 }
+variable "stateful_ha" {
+ type = bool
+ description = "Whether the Stateful HA Addon is enabled for this cluster."
+ default = false
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
"metadata": "INCLUDE_ALL_METADATA"
}