From a2f36c69e7c12fa273ce89d215bc68db2a9baf2d Mon Sep 17 00:00:00 2001
From: Eric Zhao
Date: Fri, 7 Oct 2022 15:30:59 +1000
Subject: [PATCH] fix: expose global master access in GA modules
---
 autogen/main/cluster.tf.tmpl | 2 --
 autogen/main/variables.tf.tmpl | 6 ++----
 modules/beta-autopilot-private-cluster/README.md | 2 +-
 modules/beta-autopilot-private-cluster/variables.tf | 4 ++--
 modules/beta-private-cluster-update-variant/README.md | 2 +-
 modules/beta-private-cluster-update-variant/variables.tf | 4 ++--
 modules/beta-private-cluster/README.md | 2 +-
 modules/beta-private-cluster/variables.tf | 4 ++--
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/cluster.tf | 6 ++++++
 modules/private-cluster-update-variant/variables.tf | 7 +++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 6 ++++++
 modules/private-cluster/variables.tf | 7 +++++++
 14 files changed, 39 insertions(+), 15 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index c7003e2b10..dd5646a7ea 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -421,14 +421,12 @@ resource "google_container_cluster" "primary" {
 enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
 enable_private_nodes = private_cluster_config.value.enable_private_nodes
 master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
- {% if beta_cluster %}
 dynamic "master_global_access_config" {
 for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
 content {
 enabled = master_global_access_config.value
 }
 }
- {% endif %}
 }
 }
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index b63db64f60..32bb567d4a 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
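Review bot: Dropping the `{% if beta_cluster %}` guard makes the `dynamic "master_global_access_config"` block, with its `for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []` pattern, the GA behaviour as well, and that pattern omits the block entirely when the variable is false instead of sending `enabled = false`. If the provider treats an absent `master_global_access_config` as computed (I cannot confirm that from the hunk), switching the variable from true to false on an existing cluster may not actually revoke global reachability of the private endpoint, and the plan would not show it; a disable that is silently a no-op is the wrong failure mode for an exposure setting. Consider emitting the block unconditionally, `master_global_access_config { enabled = var.master_global_access_enabled }`, so that false is applied explicitly, or confirm the provider's handling and record it in a comment above the block. The same generated block lands in modules/private-cluster/cluster.tf and modules/private-cluster-update-variant/cluster.tf in this patch. The enclosing resource starts before the hunk.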
@@ -397,16 +397,14 @@ variable "master_ipv4_cidr_block" {
 description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
 default = "10.0.0.0/28"
 }
-{% if beta_cluster %}
 variable "master_global_access_enabled" {
 type = bool
- description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
+ description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
- default = true
+ default = false
 }
 {% endif %}
-{% endif %}
 variable "dns_cache" {
 type = bool
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 084ac9c49c..68ab5311c7 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
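Review bot: The `+ default = false` line also flips the default for the existing beta modules (old side `default = true`), which the subject line, `expose global master access in GA modules`, does not mention; a beta user who never set the variable gets region-local-only reachability of the private endpoint on their next apply. From a least-exposure standpoint false is the right default for both tiers, so the concern is documentation rather than the value: the change deserves an upgrade/CHANGELOG note, and the description should say which side is the restrictive one, e.g. `description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. The default (false) is the more restrictive setting; enabling it widens where the private endpoint can be reached from."`. The `{% endif %}` kept as context presumably now closes a guard opened before the hunk, which I cannot see here. The same default change is rendered into the three beta-*/variables.tf copies in this patch.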
@@ -107,7 +107,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
-| master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
+| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no |
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index e717a8045a..6c546e98c5 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -284,9 +284,9 @@ variable "master_ipv4_cidr_block" {
 variable "master_global_access_enabled" {
 type = bool
- description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
+ description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
- default = true
+ default = false
 }
 variable "dns_cache" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index a5969fef1c..929b5a9b5c 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -223,7 +223,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
-| master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
+| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no |
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 6fb862ef97..b2300eaeda 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -387,9 +387,9 @@ variable "master_ipv4_cidr_block" {
 variable "master_global_access_enabled" {
 type = bool
- description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
+ description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
- default = true
+ default = false
 }
 variable "dns_cache" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 3e40ef386c..db6d8a9a91 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -201,7 +201,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
-| master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
+| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no |
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 6fb862ef97..b2300eaeda 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -387,9 +387,9 @@ variable "master_ipv4_cidr_block" {
 variable "master_global_access_enabled" {
 type = bool
- description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
+ description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
- default = true
+ default = false
 }
 variable "dns_cache" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index afcca1ddcc..288d6ae160 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -202,6 +202,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no |
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 870c3bd6c4..a23980baea 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -267,6 +267,12 @@ resource "google_container_cluster" "primary" {
 enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
 enable_private_nodes = private_cluster_config.value.enable_private_nodes
 master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
+ dynamic "master_global_access_config" {
+ for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
+ content {
+ enabled = master_global_access_config.value
+ }
+ }
 }
 }
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index d929ed1ffa..ddadcc3a59 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -366,6 +366,13 @@ variable "master_ipv4_cidr_block" {
 default = "10.0.0.0/28"
 }
+variable "master_global_access_enabled" {
+ type = bool
+ description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
+
+ default = false
+}
+
 variable "dns_cache" {
 type = bool
 description = "The status of the NodeLocal DNSCache addon."
@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `false` | no |
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 281ab3d029..0811976e06 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -267,6 +267,12 @@ resource "google_container_cluster" "primary" {
 enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
 enable_private_nodes = private_cluster_config.value.enable_private_nodes
 master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
+ dynamic "master_global_access_config" {
+ for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
+ content {
+ enabled = master_global_access_config.value
+ }
+ }
 }
 }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index d929ed1ffa..ddadcc3a59 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -366,6 +366,13 @@ variable "master_ipv4_cidr_block" {
 default = "10.0.0.0/28"
 }
+variable "master_global_access_enabled" {
+ type = bool
+ description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
+
+ default = false
+}
+
 variable "dns_cache" {
 type = bool
 description = "The status of the NodeLocal DNSCache addon."