diff --git a/Makefile b/Makefile index 4bcc64c590..45f6c99a45 100644 --- a/Makefile +++ b/Makefile @@ -18,8 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -# Pin to 1.3.9 per https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/issues/1208 -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.8 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd DOCKER_BIN ?= docker diff --git a/README.md b/README.md index 7e51d76f51..3dad3a7919 100644 --- a/README.md +++ b/README.md @@ -207,7 +207,6 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index dc5bc2f079..d18f7a1d76 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -135,12 +135,12 @@ resource "google_container_cluster" "primary" { content { service_account = local.service_account oauth_scopes = local.node_pools_oauth_scopes["all"] - + management { auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade",true) } - + {% if beta_cluster %} min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") {% endif %} @@ -309,7 +309,7 @@ resource "google_container_cluster" "primary" { {% endif %} } {% if autopilot_cluster != true %} - + datapath_provider = var.datapath_provider {% endif %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index ce599c65b0..da8d6d28ca 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -68,7 +68,7 @@ locals { resource_type = "memory" minimum = var.cluster_autoscaling.min_memory_gb maximum = var.cluster_autoscaling.max_memory_gb - }], var.cluster_autoscaling.gpu_resources) : [] + }], var.cluster_autoscaling.gpu_resources) : [] {% endif %} 
@@ -77,12 +77,14 @@ locals { network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id zone_count = length(var.zones) cluster_type = var.regional ? "regional" : "zonal" +{% if autopilot_cluster != true %} // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous. {% if beta_cluster %} // When a release channel is used, node auto-upgrade are enabled and cannot be disabled. default_auto_upgrade = var.regional || var.release_channel != null ? true : false {% else %} default_auto_upgrade = var.regional ? true : false +{% endif %} {% endif %} cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null 
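Review bot: Wrapping `default_auto_upgrade` in `{% if autopilot_cluster != true %}` leaves that local undefined in the Autopilot rendering, so any remaining `local.default_auto_upgrade` reference in the Autopilot cluster or node-pool templates would now fail at plan time; those templates are not in this diff, so please confirm they are guarded the same way. The guard also carries no reason, and the existing comment above it only explains the regional-versus-zonal default; a one-line Jinja comment such as `{# Autopilot: GKE controls node upgrades, so no Standard-cluster default is computed #}` would help, assuming that is indeed the motivation. The enclosing `locals` block starts and ends outside this hunk.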
@@ -133,14 +135,12 @@ locals { }] {% endif %} - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones {% if private_cluster %} - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint - cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null + cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block {% else %} cluster_endpoint = google_container_cluster.primary.endpoint 
@@ -152,17 +152,18 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false +{% if autopilot_cluster != true %} + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled +{% endif %} + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false {% if beta_cluster %} # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? 
google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features {% endif %} @@ -176,11 +177,11 @@ locals { [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] ) - + cluster_output_node_pools_versions = merge( { for np in google_container_node_pool.pools : np.name => np.version }, { for np in google_container_node_pool.windows_pools : np.name => np.version }, - ) + ) {% endif %} cluster_master_auth_list_layer1 = local.cluster_output_master_auth 
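Review bot: `cluster_output_network_policy_enabled` is now only defined when `autopilot_cluster != true`, but nothing in the hunk gates whatever consumes it; the sibling locals follow the pattern `cluster_istio_enabled = ! local.cluster_output_istio_disabled`, so a derived local or output very likely still reads it and would be an undefined reference in the Autopilot render. The same applies to the dropped `cluster_output_identity_service_enabled` in the beta branch: if an output still references it, the beta modules fail to plan — I cannot see the outputs from here, so please confirm both. While touching these lines, note that `cluster_output_network_policy_enabled` actually stores the `.disabled` value; a comment like `# NOTE: holds the addon's "disabled" flag; inverted where it is consumed` would avoid the next reader misreading the name. The `locals` block starts and ends outside this hunk.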
@@ -221,7 +222,9 @@ locals { # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache + {% if autopilot_cluster != true %} cluster_telemetry_type_is_set = var.cluster_telemetry_type != null + {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index c0f83fba1f..c4f44dfcc7 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -102,12 +102,14 @@ variable "service_external_ips" { default = false } +{% if autopilot_cluster != true %} variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." default = "DATAPATH_PROVIDER_UNSPECIFIED" } +{% endif %} variable "maintenance_start_time" { type = string description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" @@ -335,7 +337,7 @@ variable "configure_ip_masq" { default = false } -{% if beta_cluster %} +{% if beta_cluster and autopilot_cluster != true%} variable "cluster_telemetry_type" { type = string description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY" @@ -343,6 +345,7 @@ variable "cluster_telemetry_type" { } {% endif %} +{% if autopilot_cluster != true%} variable "logging_service" { type = string description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none" 
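Review bot: The two new guards `{% if beta_cluster and autopilot_cluster != true%}` and `{% if autopilot_cluster != true%}` drop the space before `%}` that every other guard in this hunk carries; Jinja tolerates it, but the templates are otherwise consistent, so I would write `{% if beta_cluster and autopilot_cluster != true %}` and `{% if autopilot_cluster != true %}`. The guard added inside `locals` around `cluster_telemetry_type_is_set` also appears to be indented rather than at column 0 like the others, which may leave stray indented blank lines in the rendered `main.tf` unless the generator strips them — worth a check. None of the new guards say why `datapath_provider`, `cluster_telemetry_type`, `logging_service` and `monitoring_service` are withheld from Autopilot; a short `{# not configurable on Autopilot clusters; GKE fixes these settings #}` above each would spare the next reader a trip to the provider docs, assuming that is the reason.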
@@ -355,6 +358,7 @@ variable "monitoring_service" { default = "monitoring.googleapis.com/kubernetes" } +{% endif %} variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." @@ -397,11 +401,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} {% if private_cluster %} variable "deploy_using_private_endpoint" { @@ -697,6 +696,7 @@ variable "enable_kubernetes_alpha" { variable "istio" { description = "(Beta) Enable Istio addon" + type = bool default = false } @@ -720,12 +720,14 @@ variable "config_connector" { variable "cloudrun" { description = "(Beta) Enable CloudRun addon" + type = bool default = false } variable "cloudrun_load_balancer_type" { description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." - default = "" + type = string + default = "" } variable "enable_pod_security_policy" { diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 2f3b3861d2..62620f9121 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -22,6 +22,10 @@ terraform { {% if beta_cluster %} required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.51.0, < 5.0" + } google-beta = { source = "hashicorp/google-beta" version = ">= 4.51.0, < 5.0" @@ -30,6 +34,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.10" } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } } provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v25.0.0" 
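Review bot: Adding `type = string` to `cloudrun_load_balancer_type` still lets any string through, and the description names only one accepted value, so a typo such as `LOAD_BALANCER_TYPE_INTERAL` is caught at apply time by the API rather than at plan time; a `validation` block with `condition = contains(["", "LOAD_BALANCER_TYPE_INTERNAL"], var.cloudrun_load_balancer_type)` and `error_message = "cloudrun_load_balancer_type must be empty or LOAD_BALANCER_TYPE_INTERNAL."` would fail fast. If the provider also accepts an explicit external constant, add it to the list rather than relying on the empty default alone. The same validation belongs on the matching variable in the safer-cluster template, which I cannot see from here.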
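Review bot: The new `random` provider constraint `version = ">= 2.1"` has no upper bound, unlike `google`/`google-beta` at `< 5.0` and `kubernetes` at `~> 2.10` in the same `required_providers` block, so a future hashicorp/random major release would be pulled in by any consumer without a lock file and could change the generated values this module depends on; `version = ">= 2.1, < 4.0"` keeps the floor/ceiling discipline consistent. The identical block is added to the non-beta branch in the following hunk and should get the same ceiling. Which resource actually needs `random` is not visible in this diff, so I am assuming it is a new dependency rather than a previously implicit one.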
@@ -44,6 +52,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.10" } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } } provider_meta "google" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v25.0.0" diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index eef4673c83..2b6926483d 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -26,6 +26,7 @@ module "gke" { {% endif %} project_id = var.project_id name = var.name + description = var.description regional = var.regional region = var.region zones = var.zones @@ -188,8 +189,6 @@ module "gke" { enable_shielded_nodes = var.enable_shielded_nodes - skip_provisioners = var.skip_provisioners - gce_pd_csi_driver = var.gce_pd_csi_driver filestore_csi_driver = var.filestore_csi_driver diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 3820987fd3..77b1850243 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -306,6 +306,7 @@ variable "master_ipv4_cidr_block" { variable "istio" { description = "(Beta) Enable Istio addon" + type = bool default = false } @@ -341,6 +342,7 @@ variable "cluster_dns_domain" { variable "default_max_pods_per_node" { description = "The maximum number of pods to schedule per node" + type = number default = 110 } @@ -355,6 +357,7 @@ variable "database_encryption" { variable "cloudrun" { description = "(Beta) Enable CloudRun addon" + type = bool default = false } 
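Review bot: `description = var.description` is passed through to `module "gke"` in the safer-cluster template, but none of the safer-cluster `variables.tf.tmpl` hunks in this diff declare a `description` variable; if it is not already declared elsewhere in that file, the rendered module fails with an undeclared-input-variable error. Please confirm the declaration exists, or add `variable "description" { type = string; description = "The description of the cluster"; default = "" }` matching the root module's variable shown in the README hunk. The `module "gke"` block starts and ends outside this hunk.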
@@ -364,18 +367,6 @@ variable "resource_usage_export_dataset_id" { default = "" } -variable "enable_network_egress_export" { - type = bool - description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic." - default = false -} - -variable "enable_resource_consumption_export" { - type = bool - description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export." - default = true -} - variable "enable_cost_allocation" { type = bool description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery" @@ -424,12 +415,6 @@ variable "enable_private_endpoint" { default = true } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} - variable "enable_pod_security_policy" { type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index f549e0cba6..e50738bc07 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -511,6 +511,6 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.8' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' options: machineType: 'N1_HIGHCPU_8' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index e96b7c24c0..b163e13577 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml 
@@ -22,7 +22,7 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.8' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' options: machineType: 'N1_HIGHCPU_8' env: diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index e8368eb02b..cacdf508fb 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -48,7 +48,6 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "172.16.0.0/28" - datapath_provider = "ADVANCED_DATAPATH" master_authorized_networks = [ { diff --git a/examples/simple_regional/README.md b/examples/simple_regional/README.md index fdb4cba6ed..ff250928da 100644 --- a/examples/simple_regional/README.md +++ b/examples/simple_regional/README.md @@ -15,7 +15,6 @@ This example illustrates how to create a simple cluster. | network | The VPC network to host the cluster in | `any` | n/a | yes | | project\_id | The project ID to host the cluster in | `any` | n/a | yes | | region | The region to host the cluster in | `any` | n/a | yes | -| skip\_provisioners | Flag to skip local-exec provisioners | `bool` | `false` | no | | subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | ## Outputs diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index e5aa348590..3b1f43fdd9 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -40,5 +40,4 @@ module "gke" { service_account = var.compute_engine_service_account enable_cost_allocation = true enable_binary_authorization = var.enable_binary_authorization - skip_provisioners = var.skip_provisioners } diff --git a/examples/simple_regional/variables.tf b/examples/simple_regional/variables.tf index b60c83ed5d..f3082fee8e 100644 --- a/examples/simple_regional/variables.tf 
+++ b/examples/simple_regional/variables.tf @@ -47,12 +47,6 @@ variable "compute_engine_service_account" { description = "Service account to associate to the nodes in the cluster" } -variable "skip_provisioners" { - type = bool - description = "Flag to skip local-exec provisioners" - default = false -} - variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" default = false diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 5294ce6fe4..3d6191cf67 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md @@ -10,7 +10,6 @@ This example illustrates how to create a simple cluster with beta features. | cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | -| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf index fdbe18eef5..04ac6dc193 100644 --- a/examples/simple_regional_beta/variables.tf +++ b/examples/simple_regional_beta/variables.tf @@ -113,9 +113,3 @@ variable "regional" { description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" default = true } - -variable "datapath_provider" { - type = string - description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." - default = "DATAPATH_PROVIDER_UNSPECIFIED" -} diff --git a/examples/simple_regional_with_gateway_api/README.md b/examples/simple_regional_with_gateway_api/README.md index ca82e650ce..1bd3c19302 100644 --- a/examples/simple_regional_with_gateway_api/README.md +++ b/examples/simple_regional_with_gateway_api/README.md 
@@ -16,7 +16,6 @@ This example illustrates how to create a simple cluster. | network | The VPC network to host the cluster in | `any` | n/a | yes | | project\_id | The project ID to host the cluster in | `any` | n/a | yes | | region | The region to host the cluster in | `any` | n/a | yes | -| skip\_provisioners | Flag to skip local-exec provisioners | `bool` | `false` | no | | subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | ## Outputs diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf index 96e9c126c2..e7a4e78ffa 100644 --- a/examples/simple_regional_with_gateway_api/main.tf +++ b/examples/simple_regional_with_gateway_api/main.tf @@ -40,6 +40,5 @@ module "gke" { service_account = var.compute_engine_service_account enable_cost_allocation = true enable_binary_authorization = var.enable_binary_authorization - skip_provisioners = var.skip_provisioners gateway_api_channel = var.gateway_api_channel } diff --git a/examples/simple_regional_with_gateway_api/variables.tf b/examples/simple_regional_with_gateway_api/variables.tf index 90ba0ea0ff..310c744c5e 100644 --- a/examples/simple_regional_with_gateway_api/variables.tf +++ b/examples/simple_regional_with_gateway_api/variables.tf @@ -47,12 +47,6 @@ variable "compute_engine_service_account" { description = "Service account to associate to the nodes in the cluster" } -variable "skip_provisioners" { - type = bool - description = "Flag to skip local-exec provisioners" - default = false -} - variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" default = false diff --git a/examples/simple_regional_with_kubeconfig/README.md b/examples/simple_regional_with_kubeconfig/README.md index 0f2a550277..5fc908b71f 100644 --- a/examples/simple_regional_with_kubeconfig/README.md +++ b/examples/simple_regional_with_kubeconfig/README.md 
@@ -14,7 +14,6 @@ This example illustrates how to create a simple cluster and output a `kubeconfig | network | The VPC network to host the cluster in | `any` | n/a | yes | | project\_id | The project ID to host the cluster in | `any` | n/a | yes | | region | The region to host the cluster in | `any` | n/a | yes | -| skip\_provisioners | Flag to skip local-exec provisioners | `bool` | `false` | no | | subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | ## Outputs diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index 183c0721dc..b0aecd4fcf 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -38,7 +38,6 @@ module "gke" { ip_range_services = var.ip_range_services create_service_account = false service_account = var.compute_engine_service_account - skip_provisioners = var.skip_provisioners } module "gke_auth" { diff --git a/examples/simple_regional_with_kubeconfig/variables.tf b/examples/simple_regional_with_kubeconfig/variables.tf index 832e036d0a..de02c95f60 100644 --- a/examples/simple_regional_with_kubeconfig/variables.tf +++ b/examples/simple_regional_with_kubeconfig/variables.tf @@ -46,9 +46,3 @@ variable "ip_range_services" { variable "compute_engine_service_account" { description = "Service account to associate to the nodes in the cluster" } - -variable "skip_provisioners" { - type = bool - description = "Flag to skip local-exec provisioners" - default = false -} diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index ce486ec503..1019aa2404 100644 --- a/examples/simple_zonal_with_asm/README.md +++ b/examples/simple_zonal_with_asm/README.md 
@@ -7,7 +7,6 @@ This example illustrates how to create a simple zonal cluster with ASM. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no | | ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes | | network | The VPC network to host the cluster in | `any` | n/a | yes | diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index c7351435c3..97aa499dcb 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -14,10 +14,6 @@ * limitations under the License. */ -locals { - cluster_type = "simple-zonal-asm" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_asm/variables.tf b/examples/simple_zonal_with_asm/variables.tf index 6dd142621c..82b0cd184b 100644 --- a/examples/simple_zonal_with_asm/variables.tf +++ b/examples/simple_zonal_with_asm/variables.tf @@ -18,11 +18,6 @@ variable "project_id" { description = "The project ID to host the cluster in" } -variable "cluster_name_suffix" { - description = "A suffix to append to the default cluster name" - default = "" -} - variable "region" { description = "The region to host the cluster in" } diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 204e13b739..4ea51c67a5 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -75,7 +75,7 @@ module "workload_identity_existing_ksa" { location = module.gke.location namespace = "default" use_existing_k8s_sa = true - k8s_sa_name = kubernetes_service_account.test.metadata.0.name + k8s_sa_name = kubernetes_service_account.test.metadata[0].name } # example with existing GSA 
diff --git a/main.tf b/main.tf index ed5429147f..6d671bfbbc 100644 --- a/main.tf +++ b/main.tf @@ -98,9 +98,7 @@ locals { mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones cluster_endpoint = google_container_cluster.primary.endpoint 
@@ -111,10 +109,10 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 815c188c68..f59f68f67f 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf 
@@ -25,7 +25,12 @@ terraform { } google = { source = "hashicorp/google" - # Avoid v25.0.0 for https://github.com/hashicorp/terraform-provider-google/issues/13507 + # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507 + version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 5.0" + } + google-beta = { + source = "hashicorp/google-beta" + # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507 version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 5.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index c02d12ea49..334bfd72a7 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -20,7 +20,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - # Avoid v25.0.0 for https://github.com/hashicorp/terraform-provider-google/issues/13507 + # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507 version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 5.0" } } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 08372212c3..d95e559333 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -73,11 +73,9 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | -| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | 
@@ -103,7 +101,6 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | 
@@ -111,7 +108,6 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | @@ -128,7 +124,6 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 8e1964224c..241b1aa3d9 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -55,9 +55,6 @@ locals { network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id zone_count = length(var.zones) cluster_type = var.regional ? "regional" : "zonal" - // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous. - // When a release channel is used, node auto-upgrade are enabled and cannot be disabled. - default_auto_upgrade = var.regional || var.release_channel != null ? true : false cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} 
@@ -69,13 +66,11 @@ locals { }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint - cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null + cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) 
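Review bot: `cluster_output_name` and `cluster_output_zonal_zones` are removed from `locals` here, and the next two hunks of this file also drop `cluster_output_network_policy_enabled`, `cluster_output_identity_service_enabled` and `cluster_telemetry_type_is_set`, but no outputs.tf or cluster.tf change for this module appears in the diff; any surviving `local.<name>` reference there will fail at plan time with an unsupported-attribute error. If those consumers were already removed in an earlier commit, a one-line mention in the commit message would save the next reader the search. The same removals are made in modules/beta-autopilot-public-cluster/main.tf and modules/beta-private-cluster-update-variant/main.tf. The enclosing `locals` block starts and ends outside the hunk.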
@@ -83,16 +78,14 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features @@ -127,7 +120,6 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index fa6fa44532..007b2046a2 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -102,12 +102,6 @@ variable "service_external_ips" { default = false } -variable "datapath_provider" { - type = string - description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." - default = "DATAPATH_PROVIDER_UNSPECIFIED" -} - variable "maintenance_start_time" { type = string description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" @@ -208,24 +202,6 @@ variable "configure_ip_masq" { default = false } -variable "cluster_telemetry_type" { - type = string - description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY" - default = null -} - -variable "logging_service" { - type = string - description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none" - default = "logging.googleapis.com/kubernetes" -} - -variable "monitoring_service" { - type = string - description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" - default = "monitoring.googleapis.com/kubernetes" -} - variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." @@ -268,11 +244,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} variable "deploy_using_private_endpoint" { type = bool 
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index e116c00b89..888b07bdb9 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -19,6 +19,10 @@
 terraform {
 required_version = ">=0.13"
 required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.51.0, < 5.0"
+ }
 google-beta = {
 source = "hashicorp/google-beta"
 version = ">= 4.51.0, < 5.0"
@@ -27,6 +31,10 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 2.10"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.1"
+ }
 }
 provider_meta "google-beta" {
 module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v25.0.0"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 59adfa9eee..bd1724b8c3 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
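Review bot: The new `random` requirement is `">= 2.1"` with no upper bound, unlike the `google`/`google-beta` (`< 5.0`) and `kubernetes` (`~> 2.10`) entries in the same block, so a future major release of that provider would be picked up by `terraform init -upgrade` without any change to this module; an upper bound such as `version = ">= 2.1, < 4.0"` (bound chosen for illustration) keeps the file's own convention. Separately, the block gains a `google` provider but only the existing `provider_meta "google-beta"` is visible, so resources now created through `google` presumably carry no module attribution unless a matching `provider_meta "google"` block exists further down outside the hunk. The same two points apply to modules/beta-autopilot-public-cluster/versions.tf.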
@@ -67,11 +67,9 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | -| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | 
@@ -94,13 +92,11 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | @@ -117,7 +113,6 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 6ec8dbcd69..f9c8f12b1e 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -55,9 +55,6 @@ locals { network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id zone_count = length(var.zones) cluster_type = var.regional ? "regional" : "zonal" - // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous. - // When a release channel is used, node auto-upgrade are enabled and cannot be disabled. - default_auto_upgrade = var.regional || var.release_channel != null ? true : false cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} 
@@ -69,9 +66,7 @@ locals { }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones cluster_endpoint = google_container_cluster.primary.endpoint 
@@ -82,16 +77,14 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features @@ -126,7 +119,6 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 4d3034f480..897e261e80 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -102,12 +102,6 @@ variable "service_external_ips" { default = false } -variable "datapath_provider" { - type = string - description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." - default = "DATAPATH_PROVIDER_UNSPECIFIED" -} - variable "maintenance_start_time" { type = string description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" @@ -208,24 +202,6 @@ variable "configure_ip_masq" { default = false } -variable "cluster_telemetry_type" { - type = string - description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY" - default = null -} - -variable "logging_service" { - type = string - description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none" - default = "logging.googleapis.com/kubernetes" -} - -variable "monitoring_service" { - type = string - description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" - default = "monitoring.googleapis.com/kubernetes" -} - variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." @@ -268,11 +244,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} variable "dns_cache" { type = bool 
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index b6e1f53519..ac9a466684 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -19,6 +19,10 @@
 terraform {
 required_version = ">=0.13"
 required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.51.0, < 5.0"
+ }
 google-beta = {
 source = "hashicorp/google-beta"
 version = ">= 4.51.0, < 5.0"
@@ -27,6 +31,10 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 2.10"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.1"
+ }
 }
 provider_meta "google-beta" {
 module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v25.0.0"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 3d4460ff1e..ad2c816aee 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -258,7 +258,6 @@ Then perform the following commands on the root folder:
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 3c8e1f590d..dbbf64e978 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -111,13 +111,11 @@ locals { mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint - cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null + cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) 
@@ -125,16 +123,15 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? 
google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 7fa57dfe6d..7ed013cfc8 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -380,11 +380,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} variable "deploy_using_private_endpoint" { type = bool 
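Review bot: The rewritten locals `cluster_output_network_policy_enabled`, `cluster_output_http_load_balancing_enabled` and `cluster_output_horizontal_pod_autoscaling_enabled` are named `*_enabled` but read the addon's `disabled` attribute, so a reader of this hunk sees the opposite of what the names say; presumably the consuming outputs negate them, which I cannot confirm from this diff. Since the commit already touches each of these lines, a one-line comment above them would cost nothing: `# NOTE: these read the provider's "disabled" flag; the value is inverted where it is exposed`. They are also indexed unconditionally (`addons_config[0].…[0]`), unlike `cluster_output_istio_disabled` just below which guards with `!= null && length(...) == 1`; that is only safe if the provider always populates these nested blocks, so it is worth stating that assumption in the same comment. The same lines recur in the beta-private-cluster, beta-public-cluster-update-variant and beta-public-cluster main.tf hunks, and the `locals` block continues outside this hunk.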
@@ -660,6 +655,7 @@ variable "enable_kubernetes_alpha" { variable "istio" { description = "(Beta) Enable Istio addon" + type = bool default = false } @@ -683,11 +679,13 @@ variable "config_connector" { variable "cloudrun" { description = "(Beta) Enable CloudRun addon" + type = bool default = false } variable "cloudrun_load_balancer_type" { description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." + type = string default = "" } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 878a4834fe..23d268fc37 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -19,6 +19,10 @@ terraform { required_version = ">=0.13" required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.51.0, < 5.0" + } google-beta = { source = "hashicorp/google-beta" version = ">= 4.51.0, < 5.0" @@ -27,6 +31,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.10" } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } } provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v25.0.0" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 187319a38f..06510a1a16 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -236,7 +236,6 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
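Review bot: `cloudrun_load_balancer_type` gains `type = string` but nothing constrains its value, so a mistyped value is only caught at plan or apply time by the provider, if it validates at all, rather than by the module's own contract. A `validation` block on the variable would make the accepted set explicit, for example with the condition `can(regex("^(LOAD_BALANCER_TYPE_INTERNAL|LOAD_BALANCER_TYPE_EXTERNAL)?$", var.cloudrun_load_balancer_type))` and an `error_message` naming the two accepted values plus the empty default. The same `variable "cloudrun_load_balancer_type"` hunk appears in the beta-private-cluster, beta-public-cluster-update-variant and beta-public-cluster variables.tf sections of this commit.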
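Review bot: The new `random` provider requirement is `>= 2.1` with no upper bound, while every other provider in the same `required_providers` block is capped (`< 5.0`, `~> 2.10`), so a future major release of `hashicorp/random` would be selected by a fresh `terraform init` without any change to this module. Suggest an explicit ceiling in the same style as its neighbours, e.g. `version = ">= 2.1, < 4.0"` (constructed example; use whatever major the module has actually been tested against). It is also worth confirming that the module declares a `random_*` resource at all, since I cannot see one from this diff and an unused provider requirement is needless dependency surface. The same block is added in the beta-private-cluster, beta-public-cluster-update-variant and beta-public-cluster versions.tf hunks.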
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 3c8e1f590d..dbbf64e978 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -111,13 +111,11 @@ locals { mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint - cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null + cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) 
@@ -125,16 +123,15 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? 
google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 7fa57dfe6d..7ed013cfc8 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -380,11 +380,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} variable "deploy_using_private_endpoint" { type = bool @@ -660,6 +655,7 @@ variable "enable_kubernetes_alpha" { variable "istio" { description = "(Beta) Enable Istio addon" + type = bool default = false } 
@@ -683,11 +679,13 @@ variable "config_connector" { variable "cloudrun" { description = "(Beta) Enable CloudRun addon" + type = bool default = false } variable "cloudrun_load_balancer_type" { description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." + type = string default = "" } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index da5f3f6323..3862d0a5d7 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -19,6 +19,10 @@ terraform { required_version = ">=0.13" required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.51.0, < 5.0" + } google-beta = { source = "hashicorp/google-beta" version = ">= 4.51.0, < 5.0" @@ -27,6 +31,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.10" } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } } provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v25.0.0" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 8b027d13f6..e7afd3d7a3 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -247,7 +247,6 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index cd60bce502..59ae5281d7 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -111,9 +111,7 @@ locals { mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones cluster_endpoint = google_container_cluster.primary.endpoint 
@@ -124,16 +122,15 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? 
google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 970d25f40d..04a2a21685 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -380,11 +380,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} variable "dns_cache" { type = bool 
@@ -630,6 +625,7 @@ variable "enable_kubernetes_alpha" { variable "istio" { description = "(Beta) Enable Istio addon" + type = bool default = false } @@ -653,11 +649,13 @@ variable "config_connector" { variable "cloudrun" { description = "(Beta) Enable CloudRun addon" + type = bool default = false } variable "cloudrun_load_balancer_type" { description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." + type = string default = "" } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 622145d914..866413bcf5 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -19,6 +19,10 @@ terraform { required_version = ">=0.13" required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.51.0, < 5.0" + } google-beta = { source = "hashicorp/google-beta" version = ">= 4.51.0, < 5.0" @@ -27,6 +31,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.10" } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } } provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v25.0.0" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 74a82dfa1c..3dfed71816 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -225,7 +225,6 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index cd60bce502..59ae5281d7 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -111,9 +111,7 @@ locals { mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] - cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations - cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones cluster_endpoint = google_container_cluster.primary.endpoint 
@@ -124,16 +122,15 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? 
google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false # /BETA features diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 970d25f40d..04a2a21685 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -380,11 +380,6 @@ variable "cluster_resource_labels" { default = {} } -variable "skip_provisioners" { - type = bool - description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." - default = false -} variable "dns_cache" { type = bool @@ -630,6 +625,7 @@ variable "enable_kubernetes_alpha" { variable "istio" { description = "(Beta) Enable Istio addon" + type = bool default = false } 
@@ -653,11 +649,13 @@ variable "config_connector" { variable "cloudrun" { description = "(Beta) Enable CloudRun addon" + type = bool default = false } variable "cloudrun_load_balancer_type" { description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." + type = string default = "" } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index ccf46416fa..8f28406fb9 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -19,6 +19,10 @@ terraform { required_version = ">=0.13" required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.51.0, < 5.0" + } google-beta = { source = "hashicorp/google-beta" version = ">= 4.51.0, < 5.0" @@ -27,6 +31,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.10" } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } } provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v25.0.0" diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 6c7b10adc8..008ac2c4e1 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -17,7 +17,16 @@ terraform { required_version = ">= 0.13.0" - + required_providers { + google = { + source = "hashicorp/google" + version = "< 5.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "< 5.0" + } + } provider_meta "google" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v25.0.0" } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index da9bee0dee..8e57f91b55 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf 
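Review bot: The `required_providers` block added to binary-authorization/versions.tf constrains `google` and `google-beta` only with `version = "< 5.0"`, with no lower bound, whereas the cluster modules touched in this same commit use `>= 4.51.0, < 5.0`; the constraint therefore documents a ceiling but not the minimum the module's resources actually need, and a consumer with an older `.terraform.lock.hcl` could satisfy it with a provider release that lacks the attributes this module uses. Suggest adding the lowest version the module is tested against, in the same form as the other modules, e.g. `version = ">= 4.51.0, < 5.0"` if that is the tested floor. The identical block is added in the hub-legacy/versions.tf hunk further down.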
@@ -21,7 +21,12 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- # Avoid v25.0.0 for https://github.com/hashicorp/terraform-provider-google/issues/13507
+ # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
+ version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 5.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
 version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 5.0"
 }
 }
diff --git a/modules/hub-legacy/README.md b/modules/hub-legacy/README.md
index 8686b2c56e..999f8113d4 100644
--- a/modules/hub-legacy/README.md
+++ b/modules/hub-legacy/README.md
@@ -37,7 +37,6 @@ To deploy this config:
 |------|-------------|------|---------|:--------:|
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
-| enable\_gke\_hub\_registration | Enables GKE Hub Registration when set to true | `bool` | `true` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
 | gke\_hub\_membership\_name | Membership name that uniquely represents the cluster being registered on the Hub | `string` | `"gke-hub-membership"` | no |
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | `string` | `"gke-hub-sa"` | no |
diff --git a/modules/hub-legacy/main.tf b/modules/hub-legacy/main.tf
index 700f474b2c..c2dcb88c42 100644
--- a/modules/hub-legacy/main.tf
+++ b/modules/hub-legacy/main.tf
@@ -27,9 +27,6 @@ locals {
 destroy_gke_body = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${local.cluster_uri} ${local.hub_project}"
 }
-data "google_client_config" "default" {
-}
-
 resource "google_service_account" "gke_hub_sa" {
 count = var.use_existing_sa ? 0 : 1
 account_id = var.gke_hub_sa_name
diff --git a/modules/hub-legacy/variables.tf b/modules/hub-legacy/variables.tf
index b9b15d8295..f8c7af6493 100644
--- a/modules/hub-legacy/variables.tf
+++ b/modules/hub-legacy/variables.tf
@@ -52,12 +52,6 @@ variable "gcloud_sdk_version" {
 default = "296.0.1"
 }
-variable "enable_gke_hub_registration" {
- description = "Enables GKE Hub Registration when set to true"
- type = bool
- default = true
-}
-
 variable "gke_hub_sa_name" {
 description = "Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace."
 type = string
@@ -90,6 +84,7 @@ variable "module_depends_on" {
 variable "use_kubeconfig" {
 description = "Use existing kubeconfig to register membership. Set this to true for non GKE clusters. Assumes kubectl context is set to cluster to register."
+ type = bool
 default = false
 }
diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf
index 8d2f021aed..3bf80cfab9 100644
--- a/modules/hub-legacy/versions.tf
+++ b/modules/hub-legacy/versions.tf
@@ -17,7 +17,16 @@ terraform {
 required_version = ">= 0.13.0"
-
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "< 5.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "< 5.0"
+ }
+ }
 provider_meta "google" {
 module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v25.0.0"
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index f3519d5cee..92c28f3e79 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -240,7 +240,6 @@ Then perform the following commands on the root folder:
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
-| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index edf1dbe2b2..5ae0f32e47 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -98,13 +98,11 @@ locals {
 mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
- cluster_output_name = google_container_cluster.primary.name
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
- cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : []
 cluster_output_zones = local.cluster_output_regional_zones
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
 cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, [])
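Review bot: `cluster_output_name` and `cluster_output_zonal_zones` are deleted from `locals` without a replacement, and no hunk in this diff touches the module's outputs.tf; if any output or other local still reads `local.cluster_output_name` or `local.cluster_output_zonal_zones`, `terraform validate` will fail on a reference to an undeclared local. Please confirm their consumers were removed (or never existed) before merging. The same removal appears in the modules/private-cluster/main.tf hunk below. The `locals` block continues beyond this hunk.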
@@ -112,10 +110,10 @@ locals {
 cluster_output_min_master_version = google_container_cluster.primary.min_master_version
 cluster_output_logging_service = google_container_cluster.primary.logging_service
 cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service
- cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled
- cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled
- cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled
- cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+ cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled
+ cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
+ cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
+ cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
 master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index ae93690587..7564e7993d 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -372,11 +372,6 @@ variable "cluster_resource_labels" {
 default = {}
 }
-variable "skip_provisioners" {
- type = bool
- description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
- default = false
-}
 variable "deploy_using_private_endpoint" {
 type = bool
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 55c4424ee8..21b51d266c 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -27,6 +27,10 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 2.10"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.1"
+ }
 }
 provider_meta "google" {
 module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v25.0.0"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 94b9c58d98..fd9069fe62 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -218,7 +218,6 @@ Then perform the following commands on the root folder:
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
-| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index edf1dbe2b2..5ae0f32e47 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -98,13 +98,11 @@ locals {
 mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
- cluster_output_name = google_container_cluster.primary.name
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
- cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : []
 cluster_output_zones = local.cluster_output_regional_zones
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
 cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, [])
@@ -112,10 +110,10 @@ locals {
 cluster_output_min_master_version = google_container_cluster.primary.min_master_version
 cluster_output_logging_service = google_container_cluster.primary.logging_service
 cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service
- cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled
- cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled
- cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled
- cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+ cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled
+ cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
+ cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
+ cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
 master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index ae93690587..7564e7993d 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -372,11 +372,6 @@ variable "cluster_resource_labels" {
 default = {}
 }
-variable "skip_provisioners" {
- type = bool
- description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
- default = false
-}
 variable "deploy_using_private_endpoint" {
 type = bool
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index d8bbe63be4..e1cf7c9539 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -27,6 +27,10 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 2.10"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.1"
+ }
 }
 provider_meta "google" {
 module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v25.0.0"
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index e47612dcbb..e603253068 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -219,10 +219,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
-| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
-| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. 
| `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
@@ -267,7 +265,6 @@ For simplicity, we suggest using `roles/container.admin` and
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
-| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 9366427a43..9489698570 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -22,6 +22,7 @@ module "gke" {
 source = "../beta-private-cluster-update-variant/"
 project_id = var.project_id
 name = var.name
+ description = var.description
 regional = var.regional
 region = var.region
 zones = var.zones
@@ -184,8 +185,6 @@ module "gke" {
 enable_shielded_nodes = var.enable_shielded_nodes
- skip_provisioners = var.skip_provisioners
-
 gce_pd_csi_driver = var.gce_pd_csi_driver
 filestore_csi_driver = var.filestore_csi_driver
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index ceb2611cb0..67d3430601 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -306,6 +306,7 @@ variable "master_ipv4_cidr_block" {
 variable "istio" {
 description = "(Beta) Enable Istio addon"
+ type = bool
 default = false
 }
@@ -341,6 +342,7 @@ variable "cluster_dns_domain" {
 variable "default_max_pods_per_node" {
 description = "The maximum number of pods to schedule per node"
+ type = number
 default = 110
 }
@@ -355,6 +357,7 @@ variable "database_encryption" {
 variable "cloudrun" {
 description = "(Beta) Enable CloudRun addon"
+ type = bool
 default = false
 }
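Review bot: `description = var.description` is forwarded to the `gke` module in the `@@ -22,6 +22,7 @@` hunk of modules/safer-cluster-update-variant/main.tf, but none of the modules/safer-cluster-update-variant/variables.tf hunks in this diff declare a `description` input; unless one already exists outside the shown hunks, `terraform validate` will reject the reference to an undeclared variable. Add a typed `variable "description"` (string, defaulting to the empty string so existing callers are unaffected) next to the other inputs and regenerate the README table so it is documented. The same forwarding is added in the modules/safer-cluster/main.tf hunk below. The `module "gke"` block continues beyond this hunk.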
@@ -364,18 +367,6 @@ variable "resource_usage_export_dataset_id" {
 default = ""
 }
-variable "enable_network_egress_export" {
- type = bool
- description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
- default = false
-}
-
-variable "enable_resource_consumption_export" {
- type = bool
- description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export."
- default = true
-}
-
 variable "enable_cost_allocation" {
 type = bool
 description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"
@@ -424,12 +415,6 @@ variable "enable_private_endpoint" {
 default = true
 }
-variable "skip_provisioners" {
- type = bool
- description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index e47612dcbb..e603253068 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
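Review bot: The `@@ -364,18 +367,6 @@` hunk removes the `enable_network_egress_export` and `enable_resource_consumption_export` inputs, yet the only modules/safer-cluster-update-variant/main.tf hunk in this diff removes `skip_provisioners`; if main.tf still forwards `var.enable_network_egress_export` or `var.enable_resource_consumption_export` to the `gke` module, validation breaks on undeclared variables, so please confirm those lines are gone. The retained `resource_usage_export_dataset_id` input is still documented as enabling network egress metering (see its README row above); with the toggles removed, its description should state what the module now does with the dataset. Callers that set either removed input will fail with an unsupported-argument error, which deserves an upgrade note. The same pair of removals appears in the modules/safer-cluster/variables.tf hunk below.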
@@ -219,10 +219,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
-| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
-| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. 
| `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
@@ -267,7 +265,6 @@ For simplicity, we suggest using `roles/container.admin` and
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
-| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index e79a73d8aa..1f831cd1cb 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -22,6 +22,7 @@ module "gke" {
 source = "../beta-private-cluster/"
 project_id = var.project_id
 name = var.name
+ description = var.description
 regional = var.regional
 region = var.region
 zones = var.zones
@@ -184,8 +185,6 @@ module "gke" {
 enable_shielded_nodes = var.enable_shielded_nodes
- skip_provisioners = var.skip_provisioners
-
 gce_pd_csi_driver = var.gce_pd_csi_driver
 filestore_csi_driver = var.filestore_csi_driver
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index ceb2611cb0..67d3430601 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -306,6 +306,7 @@ variable "master_ipv4_cidr_block" {
 variable "istio" {
 description = "(Beta) Enable Istio addon"
+ type = bool
 default = false
 }
@@ -341,6 +342,7 @@ variable "cluster_dns_domain" {
 variable "default_max_pods_per_node" {
 description = "The maximum number of pods to schedule per node"
+ type = number
 default = 110
 }
@@ -355,6 +357,7 @@ variable "database_encryption" {
 variable "cloudrun" {
 description = "(Beta) Enable CloudRun addon"
+ type = bool
 default = false
 }
@@ -364,18 +367,6 @@ variable "resource_usage_export_dataset_id" {
 default = ""
 }
-variable "enable_network_egress_export" {
- type = bool
- description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
- default = false
-}
-
-variable "enable_resource_consumption_export" {
- type = bool
- description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export."
- default = true
-}
-
 variable "enable_cost_allocation" {
 type = bool
 description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"
@@ -424,12 +415,6 @@ variable "enable_private_endpoint" {
 default = true
 }
-variable "skip_provisioners" {
- type = bool
- description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf
index f1ab833284..b02fc8b369 100644
--- a/test/fixtures/beta_cluster/main.tf
+++ b/test/fixtures/beta_cluster/main.tf
@@ -68,9 +68,6 @@ module "this" {
 enable_binary_authorization = true
 enable_pod_security_policy = true
-
- // Dataplane-V2 Feature
- datapath_provider = "ADVANCED_DATAPATH"
 }
 data "google_client_config" "default" {
diff --git a/test/fixtures/simple_regional/example.tf b/test/fixtures/simple_regional/example.tf
index cb50faf354..cab3eeb2e7 100644
--- a/test/fixtures/simple_regional/example.tf
+++ b/test/fixtures/simple_regional/example.tf
@@ -25,6 +25,5 @@ module "example" {
 ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
 ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 compute_engine_service_account = var.compute_engine_service_accounts[0]
- skip_provisioners = true
 enable_binary_authorization = true
 }
diff --git a/test/fixtures/simple_regional_with_gateway_api/example.tf b/test/fixtures/simple_regional_with_gateway_api/example.tf
index 189a65ba1e..b7f9df7fec 100644
--- a/test/fixtures/simple_regional_with_gateway_api/example.tf
+++ b/test/fixtures/simple_regional_with_gateway_api/example.tf
@@ -29,7 +29,6 @@ module "example" {
 ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
 ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 compute_engine_service_account = var.compute_engine_service_accounts[local.cluster_index]
- skip_provisioners = true
 enable_binary_authorization = true
 gateway_api_channel = "CHANNEL_STANDARD"
 }
diff --git a/test/fixtures/simple_regional_with_kubeconfig/example.tf b/test/fixtures/simple_regional_with_kubeconfig/example.tf
index 85af7a5803..5bb0bb2be0 100644
--- a/test/fixtures/simple_regional_with_kubeconfig/example.tf
+++ b/test/fixtures/simple_regional_with_kubeconfig/example.tf
@@ -25,6 +25,5 @@ module "example" {
 ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
 ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 compute_engine_service_account = var.compute_engine_service_accounts[0]
- skip_provisioners = true
 }
diff --git a/test/fixtures/simple_zonal_with_asm/example.tf b/test/fixtures/simple_zonal_with_asm/example.tf
index 30df325bd1..76b573ada5 100644
--- a/test/fixtures/simple_zonal_with_asm/example.tf
+++ b/test/fixtures/simple_zonal_with_asm/example.tf
@@ -21,12 +21,11 @@ data "google_project" "project" {
 module "example" {
 source = "../../../examples/simple_zonal_with_asm"
- project_id = var.project_ids[2]
- cluster_name_suffix = "-${random_string.suffix.result}"
- region = var.region
- zones = slice(var.zones, 0, 1)
- network = google_compute_network.main.name
- subnetwork = google_compute_subnetwork.main.name
- ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
- ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+ project_id = var.project_ids[2]
+ region = var.region
+ zones = slice(var.zones, 0, 1)
+ network = google_compute_network.main.name
+ subnetwork = google_compute_subnetwork.main.name
+ ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+ ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 }
diff --git a/variables.tf b/variables.tf
index 764abfdb13..08b7a7465d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -372,11 +372,6 @@ variable "cluster_resource_labels" {
 default = {}
 }
-variable "skip_provisioners" {
- type = bool
- description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
- default = false
-}
 variable "dns_cache" {
 type = bool
diff --git a/versions.tf b/versions.tf
index 1d828ffcbe..a616508c44 100644
--- a/versions.tf
+++ b/versions.tf
@@ -27,6 +27,10 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 2.10"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.1"
+ }
 }
 provider_meta "google" {
 module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v25.0.0"
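Review bot: Dropping `cluster_name_suffix = "-${random_string.suffix.result}"` from the simple_zonal_with_asm fixture means the fixture no longer hands a per-run suffix to the example; if the example does not generate a unique name itself, two runs in the same project (for instance parallel CI jobs) will now contend for the same cluster name. Confirm the example derives a unique name internally. If `random_string.suffix` remains declared in this fixture but is no longer referenced, remove it too so the fixture does not carry a dead resource.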