terraform-google-modules · apeabody · Jul 15, 2024 · Jul 12, 2024
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
@@ -258,6 +259,7 @@ Then perform the following commands on the root folder:
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
 | instance\_group\_urls | List of GKE generated instance groups |
+| intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |

@@ -216,11 +216,11 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  enable_kubernetes_alpha = var.enable_kubernetes_alpha
+  enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
-  {% if beta_cluster %}
   enable_intranode_visibility = var.enable_intranode_visibility
 
+  {% if beta_cluster %}
   dynamic "secret_manager_config" {
     for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
     content {

@@ -162,12 +162,12 @@ locals {
   cluster_output_http_load_balancing_enabled        = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
   cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
+  cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
 
 {% if beta_cluster %}
   # BETA features
   cluster_output_istio_disabled                   = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled      = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_intranode_visbility_enabled      = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled         = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
   cluster_output_secret_manager_addon_enabled     = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
@@ -225,6 +225,7 @@ locals {
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
   confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   {% if autopilot_cluster != true %}
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
@@ -238,7 +239,6 @@ locals {
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   {% endif %}
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
-  cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled         = local.cluster_output_identity_service_enabled
   cluster_secret_manager_addon_enabled     = local.cluster_output_secret_manager_addon_enabled
 

@@ -224,11 +224,6 @@ output "pod_security_policy_enabled" {
   value       = local.cluster_pod_security_policy_enabled
 }
 
-output "intranode_visibility_enabled" {
-  description = "Whether intra-node visibility is enabled"
-  value       = local.cluster_intranode_visibility_enabled
-}
-
 output "identity_service_enabled" {
   description = "Whether Identity Service is enabled"
   value       = local.cluster_identity_service_enabled
@@ -240,6 +235,11 @@ output "secret_manager_addon_enabled" {
 }
 {% endif %}
 
+output "intranode_visibility_enabled" {
+  description = "Whether intra-node visibility is enabled"
+  value       = local.cluster_intranode_visibility_enabled
+}
+
 output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership

@@ -817,6 +817,12 @@ variable "config_connector" {
   default     = false
 }
 
+variable "enable_intranode_visibility" {
+  type        = bool
+  description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+  default     = false
+}
+
 {% endif %}
 variable "enable_l4_ilb_subsetting" {
   type        = bool
@@ -874,12 +880,6 @@ variable "sandbox_enabled" {
   default     = false
 }
 
-variable "enable_intranode_visibility" {
-  type        = bool
-  description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
-  default     = false
-}
-
 variable "enable_identity_service" {
   type        = bool
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."

@@ -173,8 +173,10 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  enable_kubernetes_alpha = var.enable_kubernetes_alpha
-  enable_tpu              = var.enable_tpu
+  enable_kubernetes_alpha     = var.enable_kubernetes_alpha
+  enable_tpu                  = var.enable_tpu
+  enable_intranode_visibility = var.enable_intranode_visibility
+
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 

@@ -122,6 +122,7 @@ locals {
   cluster_output_http_load_balancing_enabled        = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
   cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
+  cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
 
 
   master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
@@ -165,7 +166,8 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
-  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
   }] : []

@@ -90,11 +90,11 @@ locals {
   cluster_output_http_load_balancing_enabled        = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
   cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
+  cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
 
   # BETA features
   cluster_output_istio_disabled               = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled  = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_intranode_visbility_enabled  = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled     = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
@@ -128,12 +128,12 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
-  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
 
   # BETA features
   cluster_istio_enabled                = !local.cluster_output_istio_disabled
   cluster_pod_security_policy_enabled  = local.cluster_output_pod_security_policy_enabled
-  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
   cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 

@@ -179,11 +179,6 @@ output "pod_security_policy_enabled" {
   value       = local.cluster_pod_security_policy_enabled
 }
 
-output "intranode_visibility_enabled" {
-  description = "Whether intra-node visibility is enabled"
-  value       = local.cluster_intranode_visibility_enabled
-}
-
 output "identity_service_enabled" {
   description = "Whether Identity Service is enabled"
   value       = local.cluster_identity_service_enabled
@@ -194,6 +189,11 @@ output "secret_manager_addon_enabled" {
   value       = local.cluster_secret_manager_addon_enabled
 }
 
+output "intranode_visibility_enabled" {
+  description = "Whether intra-node visibility is enabled"
+  value       = local.cluster_intranode_visibility_enabled
+}
+
 output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership

@@ -89,11 +89,11 @@ locals {
   cluster_output_http_load_balancing_enabled        = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
   cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
+  cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
 
   # BETA features
   cluster_output_istio_disabled               = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled  = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_intranode_visbility_enabled  = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled     = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
@@ -127,12 +127,12 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
-  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
 
   # BETA features
   cluster_istio_enabled                = !local.cluster_output_istio_disabled
   cluster_pod_security_policy_enabled  = local.cluster_output_pod_security_policy_enabled
-  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
   cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 

@@ -169,11 +169,6 @@ output "pod_security_policy_enabled" {
   value       = local.cluster_pod_security_policy_enabled
 }
 
-output "intranode_visibility_enabled" {
-  description = "Whether intra-node visibility is enabled"
-  value       = local.cluster_intranode_visibility_enabled
-}
-
 output "identity_service_enabled" {
   description = "Whether Identity Service is enabled"
   value       = local.cluster_identity_service_enabled
@@ -184,6 +179,11 @@ output "secret_manager_addon_enabled" {
   value       = local.cluster_secret_manager_addon_enabled
 }
 
+output "intranode_visibility_enabled" {
+  description = "Whether intra-node visibility is enabled"
+  value       = local.cluster_intranode_visibility_enabled
+}
+
 output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership

@@ -135,11 +135,11 @@ locals {
   cluster_output_http_load_balancing_enabled        = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
   cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
+  cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
 
   # BETA features
   cluster_output_istio_disabled               = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled  = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_intranode_visbility_enabled  = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled     = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
@@ -186,7 +186,8 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
-  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
+  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
   }] : []
@@ -195,7 +196,6 @@ locals {
   cluster_istio_enabled                = !local.cluster_output_istio_disabled
   cluster_telemetry_type_is_set        = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled  = local.cluster_output_pod_security_policy_enabled
-  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
   cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled