diff --git a/README.md b/README.md index 522564c06e..84900def2e 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 9feae9b023..3b40a1f7a5 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -53,14 +53,13 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } -{% if beta_cluster %} + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { enabled = confidential_nodes.value.enabled } } -{% endif %} subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 3420587e94..bd962f65b1 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -200,6 +200,7 @@ locals { cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] {% if beta_cluster %} # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled @@ -208,7 +209,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 2ebcbd8ece..7c0f99abca 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -468,13 +468,13 @@ variable "shadow_firewall_rules_priority" { default = 999 } -{% if beta_cluster %} variable "enable_confidential_nodes" { type = bool description = "An optional flag to enable confidential node config." default = false } +{% if beta_cluster %} variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/cluster.tf b/cluster.tf index 6de632f8a9..c25fff76cf 100644 --- a/cluster.tf +++ b/cluster.tf @@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" min_master_version = var.release_channel != null ? null : local.master_version diff --git a/main.tf b/main.tf index 8eb8b7c473..bc9197b328 100644 --- a/main.tf +++ b/main.tf @@ -142,6 +142,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 551de2fac2..6cf56fb127 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -39,6 +39,7 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index fd72a8fb3c..e281997555 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -121,6 +121,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache @@ -128,7 +129,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 5faebd7065..133b708f0a 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -39,6 +39,7 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 32fab5a8af..589243b7ac 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -120,6 +120,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache @@ -127,7 +128,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index ac589a7faf..2991859cf6 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index bb6cf30de5..71c6816ded 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -166,6 +166,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache @@ -173,7 +174,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index ad630ef7c5..5a12134b76 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index bb6cf30de5..71c6816ded 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -166,6 +166,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache @@ -173,7 +174,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 8fb29d2f5b..8ce40ba779 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 99512f81ae..9fb09b8d45 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -165,6 +165,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache @@ -172,7 +173,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 012ce31570..d9627d3173 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" { channel = release_channel.value.channel } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 99512f81ae..9fb09b8d45 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -165,6 +165,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache @@ -172,7 +173,6 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index cdc59dbd55..caf54fb1ce 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index a52836d8b5..b18d68145f 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" min_master_version = var.release_channel != null ? null : local.master_version diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 7051be0fc0..68006e721c 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -143,6 +143,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 2c98a8532c..8b5e1ac491 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -414,6 +414,12 @@ variable "shadow_firewall_rules_priority" { default = 999 } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} + variable "network_policy" { type = bool diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index e7251e2710..cca2ea3427 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -150,6 +150,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index aaedfaf344..e200e2153d 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" min_master_version = var.release_channel != null ? null : local.master_version diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 7051be0fc0..68006e721c 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -143,6 +143,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 2c98a8532c..8b5e1ac491 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -414,6 +414,12 @@ variable "shadow_firewall_rules_priority" { default = 999 } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} + variable "network_policy" { type = bool diff --git a/variables.tf b/variables.tf index 1ee6995719..0c6f8cf0a2 100644 --- a/variables.tf +++ b/variables.tf @@ -390,6 +390,12 @@ variable "shadow_firewall_rules_priority" { default = 999 } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} + variable "network_policy" { type = bool