From e9de006f535e67a311a01e60a554c636f127fafa Mon Sep 17 00:00:00 2001 
From: jacobi petrucciani <8117202+jpetrucciani@users.noreply.github.com>
Date: Wed, 2 Nov 2022 22:03:19 -0400
Subject: [PATCH] feat!: add service_external_ips option (#1441)
* add service_external_ips option
* fixing formatting error
Co-authored-by: Bharath KKB
---
 README.md | 1 +
 autogen/main/cluster.tf.tmpl | 7 +++++++
 autogen/main/variables.tf.tmpl | 6 ++++++
 autogen/main/versions.tf.tmpl | 2 +-
 cluster.tf | 7 +++++++
 modules/beta-autopilot-private-cluster/README.md | 1 +
 modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++
 modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++
 modules/beta-autopilot-public-cluster/README.md | 1 +
 modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++
 modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 7 +++++++
 modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 7 +++++++
 modules/beta-private-cluster/variables.tf | 6 ++++++
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++
 modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 7 +++++++
 modules/beta-public-cluster/variables.tf | 6 ++++++
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/cluster.tf | 7 +++++++
 modules/private-cluster-update-variant/variables.tf | 6 ++++++
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 7 +++++++
 modules/private-cluster/variables.tf | 6 ++++++
 modules/private-cluster/versions.tf | 2 +-
 variables.tf | 6 ++++++
 versions.tf | 2 +-
 33 files changed, 143 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c3439bd593..3d777a1356 100644
--- a/README.md
+++ b/README.md
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index f64cbfadbc..f485dcb247 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -208,6 +208,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 1f02b1947a..923e1cc9b3 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
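Review bot: The dynamic block in the cluster.tf.tmpl hunk only emits `service_external_ips_config` when the variable is true, so `service_external_ips = false` removes the block from the configuration instead of asserting `enabled = false`; whether that actually switches the feature off on a cluster where it was enabled out of band depends on how the provider treats an absent optional block, so the module's default-deny is not something Terraform will enforce or show as drift. Since `enabled = var.service_external_ips` can only ever be true inside that `for_each`, the guard buys nothing; emitting the block unconditionally, `service_external_ips_config {` / `enabled = var.service_external_ips` / `}`, records the deny explicitly in state and makes an out-of-band enable visible in plan. The same pattern is copied into cluster.tf and every modules/*/cluster.tf in this commit, which presumably are regenerated from this template. The beta variants receive the block too, but no beta versions.tf appears in the diffstat, so it is worth confirming their google-beta constraint already admits this block. The enclosing google_container_cluster resource starts and ends outside the hunk.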
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index f5481ef03d..4761bcb223 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -38,7 +38,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.31.0, < 5.0"
+ version = ">= 4.35.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/cluster.tf b/cluster.tf
index 0fdd80ffe3..c9574e9218 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -109,6 +109,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 1f24e82245..a51c08ecaa 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
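Review bot: The description on the new `service_external_ips` variable in the variables.tf.tmpl hunk says only that external IPs are allowed or not, without telling an operator why the default is `false` or what turning it on hands to anyone who can create Services in the cluster; since the README rows in this commit appear to be generated from this string, the variable description is the one place to say it. Suggested wording: `description = "Whether external ips specified by a service will be allowed in this cluster. Keep false unless a workload needs Service externalIPs; once enabled, any principal able to create Services can have the nodes accept and forward traffic addressed to arbitrary external IPs."` The same text is duplicated into variables.tf and every modules/*/variables.tf here, so regenerate from the template rather than hand-editing the copies. The variables file continues before and after the hunk.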
@@ -124,6 +124,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index d84cac9379..d61138267d 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -94,6 +94,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 6b636ca6a1..1c9530ef3b 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index c6c28765ba..14c6eb91f3 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -113,6 +113,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 1abfba29c9..aa78edc45b 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -94,6 +94,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index deac775e2c..e465277f65 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 60ff13f832..66e5fba227 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -253,6 +253,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 0db920aa90..daad8f3295 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 32dc2eb63f..4cc44fe307 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index be418a2acf..716fff38d2 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -231,6 +231,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 1c6af12832..de0f41ec0f 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 32dc2eb63f..4cc44fe307 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index e5ee291be0..edd667ad70 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -242,6 +242,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index e1949e29a3..f464068cff 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index bf5631eaef..65ced56983 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 783f4909e0..66fd8e6fc4 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -220,6 +220,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index f9d528e47c..3cc7330640 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index bf5631eaef..65ced56983 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 87cb4c1881..c418c1946b 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -226,6 +226,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 3292efc00d..7cf9af2da6 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -109,6 +109,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index e318e45788..6a2e1b4eeb 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 1dca32b387..e56c527d70 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.31.0, < 5.0"
+ version = ">= 4.35.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index eb3d174a4d..f2c19387b1 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -204,6 +204,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index abe4e9c1fa..4c7955a9dd 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -109,6 +109,13 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
 addons_config {
 http_load_balancing {
 disabled = !var.http_load_balancing
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index e318e45788..6a2e1b4eeb 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 7a86bcb2a1..53121ca7f6 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.31.0, < 5.0"
+ version = ">= 4.35.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/variables.tf b/variables.tf
index 989cc20ad9..f56a45caa5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -96,6 +96,12 @@ variable "http_load_balancing" {
 default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
diff --git a/versions.tf b/versions.tf
index 2c93d45647..1c52084aa5 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.31.0, < 5.0"
+ version = ">= 4.35.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"