From ef8ce4f0cbdf5d04ce7ba962f3f0f5c164219159 Mon Sep 17 00:00:00 2001 From: Manuel Morejon Date: Thu, 28 Sep 2023 14:49:37 +0200 Subject: [PATCH] feat: add security posture 
Signed-off-by: Manuel Morejon --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 6 ++++++ autogen/main/variables.tf.tmpl | 12 ++++++++++++ autogen/safer-cluster/main.tf.tmpl | 4 ++++ autogen/safer-cluster/variables.tf.tmpl | 12 ++++++++++++ cluster.tf | 6 ++++++ modules/beta-autopilot-private-cluster/README.md | 2 ++ modules/beta-autopilot-private-cluster/cluster.tf | 6 ++++++ modules/beta-autopilot-private-cluster/variables.tf | 12 ++++++++++++ modules/beta-autopilot-public-cluster/README.md | 2 ++ modules/beta-autopilot-public-cluster/cluster.tf | 6 ++++++ modules/beta-autopilot-public-cluster/variables.tf | 12 ++++++++++++ .../beta-private-cluster-update-variant/README.md | 2 ++ .../beta-private-cluster-update-variant/cluster.tf | 6 ++++++ .../beta-private-cluster-update-variant/variables.tf | 12 ++++++++++++ modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 6 ++++++ modules/beta-private-cluster/variables.tf | 12 ++++++++++++ modules/beta-public-cluster-update-variant/README.md | 2 ++ .../beta-public-cluster-update-variant/cluster.tf | 6 ++++++ .../beta-public-cluster-update-variant/variables.tf | 12 ++++++++++++ modules/beta-public-cluster/README.md | 2 ++ modules/beta-public-cluster/cluster.tf | 6 ++++++ modules/beta-public-cluster/variables.tf | 12 ++++++++++++ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 6 ++++++ modules/private-cluster-update-variant/variables.tf | 12 ++++++++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 6 ++++++ modules/private-cluster/variables.tf | 12 ++++++++++++ modules/safer-cluster-update-variant/README.md | 2 ++ modules/safer-cluster-update-variant/main.tf | 4 ++++ modules/safer-cluster-update-variant/variables.tf | 12 ++++++++++++ modules/safer-cluster/README.md | 2 ++ modules/safer-cluster/main.tf | 4 ++++ modules/safer-cluster/variables.tf | 12 ++++++++++++ variables.tf | 12 ++++++++++++ 37 
files changed, 250 insertions(+)
diff --git a/README.md b/README.md
index fdb677beb9..eca742a64c 100644
--- a/README.md
+++ b/README.md
@@ -212,6 +212,8 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 4c96c90062..e0a47fef4d 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -335,6 +335,12 @@ resource "google_container_cluster" "primary" {
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
 {% endif %}
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 1848cf0afe..b3ef4a3ef7 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -568,6 +568,18 @@ variable "enable_fqdn_network_policy" {
 }
 {% endif %}
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 8c1c686e2f..ffb2b5b876 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -204,4 +204,8 @@ module "gke" {
 // Enabling vulnerability and audit for workloads
 workload_vulnerability_mode = var.workload_vulnerability_mode
 workload_config_audit_mode = var.workload_config_audit_mode
+
+ // Enabling security posture
+ security_posture_mode = var.security_posture_mode
+ security_posture_vulnerability_mode = var.security_posture_vulnerability_mode
 }
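Review bot: The new `security_posture_config` block depends on provider support that this patch does not pin: the diffstat lists no versions.tf or versions.tf.tmpl change, so confirm that the module's minimum google provider constraint already admits `security_posture_config` and its `vulnerability_mode` argument, and raise it in the same change if it does not. The identical block appears in the generated cluster.tf hunks for the root module and every module under modules/, so the fix belongs in this template followed by a regeneration rather than in each copy. A short comment above the block would also help readers, e.g. `# Security posture: both settings default to the disabled value; see security_posture_mode and security_posture_vulnerability_mode`. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.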
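Review bot: Both new variables document an allowed-value set (`DISABLED`/`BASIC`, `VULNERABILITY_DISABLED`/`VULNERABILITY_BASIC`) but enforce nothing, so a mistyped or lower-case value is only caught when the API rejects it, presumably at apply time after the rest of the plan has been accepted. A `validation` block on each variable turns that into a plan-time error, which matters here because the value decides whether the cluster's workloads are scanned at all. The same definitions are repeated, apparently generated from this template, in the variables.tf hunks of every module under modules/ and in the root variables.tf listed in the diffstat, so the change belongs here followed by a regeneration; the safer-cluster template's copy defaults `security_posture_vulnerability_mode` to `null`, so its condition would additionally need to accept null.
```hcl
variable "security_posture_mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["DISABLED", "BASIC"], var.security_posture_mode)
    error_message = "The security_posture_mode value must be DISABLED or BASIC."
  }
}

variable "security_posture_vulnerability_mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["VULNERABILITY_DISABLED", "VULNERABILITY_BASIC"], var.security_posture_vulnerability_mode)
    error_message = "The security_posture_vulnerability_mode value must be VULNERABILITY_DISABLED or VULNERABILITY_BASIC."
  }
}
```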
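Review bot: The added comment `// Enabling security posture` overstates what the two lines below it do: with the defaults introduced in the safer-cluster variables.tf.tmpl hunk (`DISABLED` and `null`) nothing is enabled, the values are merely forwarded to the inner module. Mirror the form of the surrounding comment and make the default explicit, e.g. `// Security posture (disabled unless security_posture_mode is set)`. The `module "gke"` block starts outside the hunk.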
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 182162bb16..5ee525162b 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -463,6 +463,18 @@ variable "gke_backup_agent_config" {
 default = false
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`."
+ type = string
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/cluster.tf b/cluster.tf
index 7c8b05cdaa..54cfca3158 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -211,6 +211,12 @@ resource "google_container_cluster" "primary" {
 datapath_provider = var.datapath_provider
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 10aaf334d2..c2f326a070 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
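Review bot: `security_posture_vulnerability_mode` here defaults to `null` and its description drops the "Defaults to …" sentence, unlike the sibling definition in autogen/main/variables.tf.tmpl where the same variable defaults to `VULNERABILITY_DISABLED` and says so; the effective value is presumably still `VULNERABILITY_DISABLED` through the inner module's default, but a reader of this file cannot see that. Either align the default with the main template or state the effective value, e.g. `description = "Security posture vulnerability mode. Accepted values are VULNERABILITY_DISABLED and VULNERABILITY_BASIC. When null, the inner module default (VULNERABILITY_DISABLED) applies."`. Separately, if the safer-cluster variants are meant to carry opinionated hardened defaults, defaulting `security_posture_mode` to `BASIC` here would match that intent; that is a product decision rather than a defect, so it is raised for discussion only.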
@@ -126,6 +126,8 @@ Then perform the following commands on the root folder:
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 2ac70aaa03..c213947212 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -136,6 +136,12 @@ resource "google_container_cluster" "primary" {
 }
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 6152837fd6..f30c037ac1 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -392,6 +392,18 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 62260d6bb2..15bd0b50dc 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -115,6 +115,8 @@ Then perform the following commands on the root folder:
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 03da3ad707..762ed302ee 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -136,6 +136,12 @@ resource "google_container_cluster" "primary" {
 }
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 277281a69e..7df45dbc9d 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -362,6 +362,18 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 9784d38d29..00e73921a5 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -264,6 +264,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index fdbecb2ac2..e3f9af68f9 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
 }
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 6a444b2f53..aa51f06286 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -537,6 +537,18 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 9563237347..038feab52e 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -242,6 +242,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 520b0529a8..a4b76a09e6 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
 }
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 6a444b2f53..aa51f06286 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -537,6 +537,18 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 3b515c1f2d..1e3e3c9d94 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -253,6 +253,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 63af038480..d5bca53049 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
 }
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 46572f3c17..120876600d 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -507,6 +507,18 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 4d606346bd..4d8cb1206f 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -231,6 +231,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index a8db1c6e13..4d7b732fa6 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
 }
 workload_vulnerability_mode = var.workload_vulnerability_mode
 }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 46572f3c17..120876600d 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -507,6 +507,18 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 097fb66526..15a49d4e29 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -245,6 +245,8 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 191c99ec50..5ce65b3d45 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -211,6 +211,12 @@ resource "google_container_cluster" "primary" {
 datapath_provider = var.datapath_provider
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index f06b1e9d95..a7acb4d2e9 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -506,6 +506,18 @@ variable "shadow_firewall_rules_log_config" {
 }
+variable "security_posture_mode" {
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ type = string
+ default = "DISABLED"
+}
+
+variable "security_posture_vulnerability_mode" {
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ type = string
+ default = "VULNERABILITY_DISABLED"
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 3ebfe4acf7..25688b62bc 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -223,6 +223,8 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index c2fa9906dc..55e80eead5 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -211,6 +211,12 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider + + security_posture_config { + mode = var.security_posture_mode + vulnerability_mode = var.security_posture_vulnerability_mode + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index f06b1e9d95..a7acb4d2e9 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -506,6 +506,18 @@ variable "shadow_firewall_rules_log_config" { } +variable "security_posture_mode" { + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + type = string + default = "DISABLED" +} + +variable "security_posture_vulnerability_mode" { + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + type = string + default = "VULNERABILITY_DISABLED" +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 915a8d8d55..a0093c6935 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
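Review bot: The added block carries no comment, and since both `mode` and `vulnerability_mode` default to disabled values in this module, it introduces an opt-in rather than a hardening change; `# GKE Security Posture settings (off unless the caller sets the security_posture_* variables)` above `security_posture_config {` would make that explicit to the next reader. If this module pins a `google` provider version range elsewhere, confirm the lower bound is a release that knows the `security_posture_config` block, otherwise every consumer hits an unsupported-block error at plan time even when they never set the new variables. The `google_container_cluster.primary` resource starts before and ends after this hunk.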
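Review bot: The accepted-value contract for both variables lives only in the description prose; a `validation { condition = contains(["DISABLED", "BASIC"], var.security_posture_mode) ... }` block on the first, and the matching `VULNERABILITY_*` list on the second, turn a wrong string into a plan-time error instead of an API rejection in the middle of a cluster update. The descriptions could also say what each non-disabled value actually enables rather than only naming it — as I understand it `BASIC` enables the GKE security posture dashboard and configuration auditing, and `VULNERABILITY_BASIC` enables workload vulnerability scanning, but that wording should be checked against the current GKE documentation before it goes into the variable description.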
@@ -267,6 +267,8 @@ For simplicity, we suggest using `roles/container.admin` and | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. | `string` | `null` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 4e64aca38c..4579d88fd3 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -200,4 +200,8 @@ module "gke" { // Enabling vulnerability and audit for workloads workload_vulnerability_mode = var.workload_vulnerability_mode workload_config_audit_mode = var.workload_config_audit_mode + + // Enabling security posture + security_posture_mode = var.security_posture_mode + security_posture_vulnerability_mode = var.security_posture_vulnerability_mode } 
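Review bot: The comment `// Enabling security posture` above the two forwarded arguments is misleading, because the variables behind them default to `DISABLED` and `null`, so by default this module enables nothing; `// Security posture settings passed through to the cluster module (disabled unless overridden)` describes what the lines do. Given that the safer-cluster variants exist to ship a hardened baseline, it is also worth deciding explicitly whether `BASIC` should be the default here instead of inheriting the opt-in default of the base module — that is a product decision, but either outcome should be stated in the README. The `module "gke"` block starts before this hunk and closes at its end.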
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index ec2b11849e..c0434025f8 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -463,6 +463,18 @@ variable "gke_backup_agent_config" { default = false } +variable "security_posture_mode" { + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + type = string + default = "DISABLED" +} + +variable "security_posture_vulnerability_mode" { + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`." + type = string + default = null +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 915a8d8d55..a0093c6935 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
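Review bot: `security_posture_vulnerability_mode` defaults to `null` here while the base modules in this same patch default it to `"VULNERABILITY_DISABLED"`, and because the variable is not declared `nullable = false`, whether that `null` is forwarded as-is or replaced by the inner module's default depends on the Terraform version, so the effective cluster setting now differs by which module a user calls. Either mirror the base default or state in the description that `null` means the attribute is left unset, and add a validation that tolerates it; the change is below. The README row for this variable also drops the "Defaults to" sentence, which is consistent with `null` but reads as an omission next to `security_posture_mode`.
```hcl
variable "security_posture_vulnerability_mode" {
  description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. `null` leaves the attribute unset."
  type        = string
  default     = null

  validation {
    condition     = var.security_posture_vulnerability_mode == null || contains(["VULNERABILITY_DISABLED", "VULNERABILITY_BASIC"], var.security_posture_vulnerability_mode)
    error_message = "security_posture_vulnerability_mode must be VULNERABILITY_DISABLED, VULNERABILITY_BASIC or null."
  }
}
```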
@@ -267,6 +267,8 @@ For simplicity, we suggest using `roles/container.admin` and | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. | `string` | `null` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 0d0910d1cc..c5232566eb 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -200,4 +200,8 @@ module "gke" { // Enabling vulnerability and audit for workloads workload_vulnerability_mode = var.workload_vulnerability_mode workload_config_audit_mode = var.workload_config_audit_mode + + // Enabling security posture + security_posture_mode = var.security_posture_mode + security_posture_vulnerability_mode = var.security_posture_vulnerability_mode } diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index ec2b11849e..c0434025f8 100644 
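Review bot: `// Enabling security posture` overstates what the two new arguments do, since with this module's defaults (`DISABLED`, `null`) nothing is enabled; `// Forward security posture settings to the cluster module; off unless the caller overrides` is accurate. If the intent of safer-cluster is a secure-by-default profile, consider defaulting these to `BASIC` / `VULNERABILITY_BASIC` here, or document in the README that posture remains opt-in even in the safer variant. The `module "gke"` block starts before the hunk and closes at its end.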
--- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -463,6 +463,18 @@ variable "gke_backup_agent_config" { default = false } +variable "security_posture_mode" { + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + type = string + default = "DISABLED" +} + +variable "security_posture_vulnerability_mode" { + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`." + type = string + default = null +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/variables.tf b/variables.tf index e5757a9b07..1cb3055c33 100644 --- a/variables.tf +++ b/variables.tf @@ -476,6 +476,18 @@ variable "shadow_firewall_rules_log_config" { } +variable "security_posture_mode" { + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + type = string + default = "DISABLED" +} + +variable "security_posture_vulnerability_mode" { + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + type = string + default = "VULNERABILITY_DISABLED" +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses"
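Review bot: The `null` default for `security_posture_vulnerability_mode` diverges from the `"VULNERABILITY_DISABLED"` default the base modules get in this patch, and without `nullable = false` the behaviour of a `null` passed into the wrapped module (forwarded, or replaced by the inner default) depends on the Terraform version, so the same user input can yield different cluster settings across modules. Pick one default for all variants, or document `null` as "leave unset" in the description. A `validation` with `condition = var.security_posture_vulnerability_mode == null || contains(["VULNERABILITY_DISABLED", "VULNERABILITY_BASIC"], var.security_posture_vulnerability_mode)` would still catch misspelled values while allowing the null.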
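Review bot: Both new root variables accept any string, so the accepted values named in the descriptions are not enforced and a mistyped value surfaces only as an API error during the cluster update; a `validation` block with `condition = contains(["DISABLED", "BASIC"], var.security_posture_mode)` (and the `VULNERABILITY_*` list for the second variable) moves that to plan time. If the per-module `variables.tf` files are generated from a template, the validation belongs in the template so it reaches every variant rather than only this root file.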