diff --git a/README.md b/README.md
index 6596164332..02d01fbf31 100644
--- a/README.md
+++ b/README.md
@@ -182,6 +182,7 @@ Then perform the following commands on the root folder:
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 596aef8236..c33b37ac7a 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -257,8 +257,9 @@ resource "google_container_cluster" "primary" {
 enable_autopilot = true
 {% endif %}
 dynamic "master_authorized_networks_config" {
- for_each = {% if private_cluster %}var.enable_private_endpoint || {% endif %}length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = {% if private_cluster %}var.enable_private_endpoint || {% endif %}var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
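Review bot: The widened `for_each` guard on `master_authorized_networks_config` lets `gcp_public_cidrs_access_enabled = true` be combined with `enable_private_endpoint = true` in the `{% if private_cluster %}` variants, and nothing in the module rejects or documents that pairing; as I understand GKE, a private-only endpoint has no public endpoint for Google Cloud public ranges to reach, so that setting is at best a no-op and, if the API rejects it, an apply-time error rather than a plan-time one. A variable `validation` or a `lifecycle { precondition }` with `condition = !(var.enable_private_endpoint && var.gcp_public_cidrs_access_enabled == true)` and an `error_message` naming both inputs would surface it at plan time (confirm the file's minimum Terraform version allows whichever form you pick). It is also worth a one-line comment above the `dynamic` block, e.g. `# Setting gcp_public_cidrs_access_enabled alone (even to false) now enables authorized networks with an empty CIDR list, i.e. it restricts the public endpoint rather than opening it`, because the non-null check makes the block appear in a case that previously produced no config at all. The enclosing `resource "google_container_cluster" "primary"` block starts and ends outside the hunk.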
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 2cf74bc9a8..90f82987ab 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/cluster.tf b/cluster.tf
index ad40edfcd6..76d4538871 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -190,8 +190,9 @@ resource "google_container_cluster" "primary" {
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index c2061175bc..930a3c0199 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
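Review bot: The description `Allow access through Google Cloud public IP addresses` on the new `gcp_public_cidrs_access_enabled` variable does not say what is being accessed, what `null` means, or which direction is the restrictive one, and since this knob decides whether any Google Cloud tenant's public IP may reach the control plane's public endpoint, the README rows generated from it should be explicit. Suggested description: `Whether the cluster's public control plane endpoint accepts connections from Google Cloud public IP ranges (any Google Cloud tenant) in addition to master_authorized_networks. null leaves the provider/API default in place; set to false to limit the endpoint to master_authorized_networks only.` If the API default really is permissive when authorized networks are enabled (my recollection of the GKE docs — confirm), say so in the description, because a reader who sees `default = null` will otherwise assume the safe value. The `modules/*/variables.tf` and `variables.tf` copies in this diff are generated from this template, so the wording only needs to change here.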
@@ -107,6 +107,7 @@ Then perform the following commands on the root folder:
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
 | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 62cfa46d95..f6716e75bf 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -106,8 +106,9 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 565d9e49e2..b8d087b804 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 7b20a1f5f2..9df58422ce 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -98,6 +98,7 @@ Then perform the following commands on the root folder:
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
 | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index dc9915bc7b..728ef8cb71 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -106,8 +106,9 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
- for_each = length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 53ca4803f2..22a05337af 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 7625e7e425..a8e7996627 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -225,6 +225,7 @@ Then perform the following commands on the root folder:
 | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 4ce2398e78..a9622c2704 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -211,8 +211,9 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 05926d10e5..19c405fe8d 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 9a279e761b..5d5ff6779a 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -203,6 +203,7 @@ Then perform the following commands on the root folder:
 | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 76a2ea084d..dfeb41a6be 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -211,8 +211,9 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 05926d10e5..19c405fe8d 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 6e0c8408d7..777c5cfd37 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -216,6 +216,7 @@ Then perform the following commands on the root folder:
 | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 0bd731d0f9..64011629eb 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -211,8 +211,9 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 69d75ed31e..64ff4d60c0 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 53ebcd9b1a..4442628e76 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder:
 | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 234d71e718..e0cec842dd 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -211,8 +211,9 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 69d75ed31e..64ff4d60c0 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 039db40664..63b5bfcbaf 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -213,6 +213,7 @@ Then perform the following commands on the root folder:
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 2d2f5ca5f5..2824749cf2 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -190,8 +190,9 @@ resource "google_container_cluster" "primary" {
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 3873ff737c..74a97127fe 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index abe27d1a8a..8b6b6184d5 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -191,6 +191,7 @@ Then perform the following commands on the root folder:
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
+| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 5f3886a4ff..7c28997ad1 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -190,8 +190,9 @@ resource "google_container_cluster" "primary" {
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
+ gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
 for_each = var.master_authorized_networks
 content {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 3873ff737c..74a97127fe 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json
index c6bdd3f7cb..e14afc8565 100755
--- a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json
+++ b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json
@@ -210,6 +210,7 @@
 "config": {
 "diskSizeGb": 100,
 "diskType": "pd-standard",
+ "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
 "imageType": "COS_CONTAINERD",
 "labels": {
 "cluster_name": "CLUSTER_NAME",
diff --git a/variables.tf b/variables.tf
index f14763dbe0..5e802430ee 100644
--- a/variables.tf
+++ b/variables.tf
@@ -78,6 +78,12 @@ variable "master_authorized_networks" {
 default = []
 }
 
+variable "gcp_public_cidrs_access_enabled" {
+ type = bool
+ description = "Allow access through Google Cloud public IP addresses"
+ default = null
+}
+
 variable "enable_vertical_pod_autoscaling" {
 type = bool
 description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"