Add example to FAST GKE stage, streamline GKE Hub module variables and usage (#1977)
* Implement optional attributes in the gke-hub module
* Simplify the gke-hub module call in the mc mesh blueprint
* Simplify the gke-hub module call and variables in the multitenant blueprint
* Update the gke-hub test inventory
* Provide cluster and fleet examples in the stage
parent
d62012cebc
commit
11d7edac64
|
@ -63,12 +63,7 @@ module "hub" {
|
|||
project_id = module.fleet_project.project_id
|
||||
clusters = { for k, v in module.clusters : k => v.id }
|
||||
features = {
|
||||
appdevexperience = false
|
||||
configmanagement = false
|
||||
identityservice = false
|
||||
multiclusteringress = null
|
||||
servicemesh = true
|
||||
multiclusterservicediscovery = false
|
||||
servicemesh = true
|
||||
}
|
||||
depends_on = [
|
||||
module.fleet_project
|
||||
|
|
|
@ -175,7 +175,6 @@ module "gke" {
|
|||
}
|
||||
}
|
||||
fleet_features = {
|
||||
appdevexperience = false
|
||||
configmanagement = true
|
||||
identityservice = true
|
||||
multiclusteringress = "cluster-0"
|
||||
|
@ -188,15 +187,11 @@ module "gke" {
|
|||
binauthz = true
|
||||
config_sync = {
|
||||
git = {
|
||||
gcp_service_account_email = null
|
||||
https_proxy = null
|
||||
policy_dir = "configsync"
|
||||
secret_type = "none"
|
||||
source_format = "hierarchy"
|
||||
sync_branch = "main"
|
||||
sync_repo = "https://github.com/myorg/myrepo"
|
||||
sync_rev = null
|
||||
sync_wait_secs = null
|
||||
policy_dir = "configsync"
|
||||
secret_type = "none"
|
||||
source_format = "hierarchy"
|
||||
sync_branch = "main"
|
||||
sync_repo = "https://github.com/myorg/myrepo"
|
||||
}
|
||||
prevent_drift = true
|
||||
source_format = "hierarchy"
|
||||
|
@ -223,7 +218,6 @@ module "gke" {
|
|||
vpc_self_link = "projects/prj-host/global/networks/prod-0"
|
||||
}
|
||||
}
|
||||
|
||||
# tftest modules=8 resources=38
|
||||
```
|
||||
|
||||
|
@ -245,21 +239,21 @@ module "gke" {
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [billing_account_id](variables.tf#L17) | Billing account ID. | <code>string</code> | ✓ | |
|
||||
| [folder_id](variables.tf#L161) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L211) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L220) | ID of the project that will contain all the clusters. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L232) | Shared VPC project and VPC details. | <code title="object({ host_project_id = string vpc_self_link = string })">object({…})</code> | ✓ | |
|
||||
| [folder_id](variables.tf#L134) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L184) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L193) | ID of the project that will contain all the clusters. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L205) | Shared VPC project and VPC details. | <code title="object({ host_project_id = string vpc_self_link = string })">object({…})</code> | ✓ | |
|
||||
| [clusters](variables.tf#L22) | Clusters configuration. Refer to the gke-cluster module for type details. | <code title="map(object({ cluster_autoscaling = optional(any) description = optional(string) enable_addons = optional(any, { horizontal_pod_autoscaling = true, http_load_balancing = true }) enable_features = optional(any, { workload_identity = true }) issue_client_certificate = optional(bool, false) labels = optional(map(string)) location = string logging_config = optional(object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, true) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) }), {}) maintenance_config = optional(any, { daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }) max_pods_per_node = optional(number, 110) min_master_version = optional(string) monitoring_config = optional(object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) }), {}) node_locations = optional(list(string)) private_cluster_config = optional(any) release_channel = optional(string) vpc_config = object({ subnetwork = string network = optional(string) secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = string services = string }), { pods = "pods", services = "services" }) master_authorized_ranges = optional(map(string)) master_ipv4_cidr_block = optional(string) }) 
}))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L92) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | <code>bool</code> | | <code>false</code> |
|
||||
| [fleet_configmanagement_clusters](variables.tf#L99) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [fleet_configmanagement_templates](variables.tf#L106) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code title="map(object({ binauthz = bool config_sync = object({ git = object({ gcp_service_account_email = string https_proxy = string policy_dir = string secret_type = string sync_branch = string sync_repo = string sync_rev = string sync_wait_secs = number }) prevent_drift = string source_format = string }) hierarchy_controller = object({ enable_hierarchical_resource_quota = bool enable_pod_tree_labels = bool }) policy_controller = object({ audit_interval_seconds = number exemptable_namespaces = list(string) log_denies_enabled = bool referential_rules_enabled = bool template_library_installed = bool }) version = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [fleet_features](variables.tf#L141) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | <code title="object({ appdevexperience = bool configmanagement = bool identityservice = bool multiclusteringress = string multiclusterservicediscovery = bool servicemesh = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [fleet_workload_identity](variables.tf#L154) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | <code>bool</code> | | <code>false</code> |
|
||||
| [group_iam](variables.tf#L166) | Project-level IAM bindings for groups. Use group emails as keys, list of roles as values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L173) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L180) | Project-level labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [nodepools](variables.tf#L186) | Nodepools configuration. Refer to the gke-nodepool module for type details. | <code title="map(map(object({ gke_version = optional(string) labels = optional(map(string), {}) max_pods_per_node = optional(number) name = optional(string) node_config = optional(any, { disk_type = "pd-balanced" }) node_count = optional(map(number), { initial = 1 }) node_locations = optional(list(string)) nodepool_config = optional(any) pod_range = optional(any) reservation_affinity = optional(any) service_account = optional(any) sole_tenant_nodegroup = optional(string) tags = optional(list(string)) taints = optional(map(object({ value = string effect = string }))) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [project_services](variables.tf#L225) | Additional project services to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [fleet_configmanagement_templates](variables.tf#L106) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [fleet_features](variables.tf#L114) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | <code title="object({ appdevexperience = optional(bool, false) configmanagement = optional(bool, false) identityservice = optional(bool, false) multiclusteringress = optional(string, null) multiclusterservicediscovery = optional(bool, false) servicemesh = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [fleet_workload_identity](variables.tf#L127) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | <code>bool</code> | | <code>false</code> |
|
||||
| [group_iam](variables.tf#L139) | Project-level IAM bindings for groups. Use group emails as keys, list of roles as values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L146) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L153) | Project-level labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [nodepools](variables.tf#L159) | Nodepools configuration. Refer to the gke-nodepool module for type details. | <code title="map(map(object({ gke_version = optional(string) labels = optional(map(string), {}) max_pods_per_node = optional(number) name = optional(string) node_config = optional(any, { disk_type = "pd-balanced" }) node_count = optional(map(number), { initial = 1 }) node_locations = optional(list(string)) nodepool_config = optional(any) pod_range = optional(any) reservation_affinity = optional(any) service_account = optional(any) sole_tenant_nodegroup = optional(string) tags = optional(list(string)) taints = optional(map(object({ value = string effect = string }))) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [project_services](variables.tf#L198) | Additional project services to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -63,17 +63,6 @@ module "gke-project-0" {
|
|||
})
|
||||
}
|
||||
# specify project-level org policies here if you need them
|
||||
# policy_boolean = {
|
||||
# "compute.disableGuestAttributesAccess" = true
|
||||
# }
|
||||
# policy_list = {
|
||||
# "compute.trustedImageProjects" = {
|
||||
# inherit_from_parent = null
|
||||
# suggested_value = null
|
||||
# status = true
|
||||
# values = ["projects/fl01-prod-iac-core-0"]
|
||||
# }
|
||||
# }
|
||||
}
|
||||
|
||||
module "gke-dataset-resource-usage" {
|
||||
|
|
|
@ -105,35 +105,8 @@ variable "fleet_configmanagement_clusters" {
|
|||
|
||||
variable "fleet_configmanagement_templates" {
|
||||
description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format."
|
||||
type = map(object({
|
||||
binauthz = bool
|
||||
config_sync = object({
|
||||
git = object({
|
||||
gcp_service_account_email = string
|
||||
https_proxy = string
|
||||
policy_dir = string
|
||||
secret_type = string
|
||||
sync_branch = string
|
||||
sync_repo = string
|
||||
sync_rev = string
|
||||
sync_wait_secs = number
|
||||
})
|
||||
prevent_drift = string
|
||||
source_format = string
|
||||
})
|
||||
hierarchy_controller = object({
|
||||
enable_hierarchical_resource_quota = bool
|
||||
enable_pod_tree_labels = bool
|
||||
})
|
||||
policy_controller = object({
|
||||
audit_interval_seconds = number
|
||||
exemptable_namespaces = list(string)
|
||||
log_denies_enabled = bool
|
||||
referential_rules_enabled = bool
|
||||
template_library_installed = bool
|
||||
})
|
||||
version = string
|
||||
}))
|
||||
# refer to the gke-hub module for the full type
|
||||
type = map(any)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
@ -141,12 +114,12 @@ variable "fleet_configmanagement_templates" {
|
|||
variable "fleet_features" {
|
||||
description = "Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used."
|
||||
type = object({
|
||||
appdevexperience = bool
|
||||
configmanagement = bool
|
||||
identityservice = bool
|
||||
multiclusteringress = string
|
||||
multiclusterservicediscovery = bool
|
||||
servicemesh = bool
|
||||
appdevexperience = optional(bool, false)
|
||||
configmanagement = optional(bool, false)
|
||||
identityservice = optional(bool, false)
|
||||
multiclusteringress = optional(string, null)
|
||||
multiclusterservicediscovery = optional(bool, false)
|
||||
servicemesh = optional(bool, false)
|
||||
})
|
||||
default = null
|
||||
}
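Review bot: The `type = map(any)` now given to `fleet_configmanagement_templates` requires every map element to convert to one common element type, so two templates that set different subsets of the optional keys (one with a `hierarchy_controller` block, one without, or one with `https_proxy` and one without) will be rejected with an "all map elements must have the same type" error before the value reaches the hub module. A plain `type = any`, or a `map(object({…}))` that mirrors the gke-hub module's optional-attribute schema, avoids that; the object form also keeps key validation at the stage boundary, so a misspelled `binauthz` or `prevent_drift` is reported here instead of being detected, if at all, only when the module converts the value. If `map(any)` is kept, the existing comment should warn about the constraint, e.g. `# map(any) requires every template to use the same key set; use the gke-hub module's object type if templates differ`. The retained `nullable = false` is correct and should stay.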
|
||||
|
|
|
@ -8,13 +8,29 @@ The following diagram illustrates the high-level design of created resources, wh
|
|||
<img src="diagram.png" alt="GKE multitenant">
|
||||
</p>
|
||||
|
||||
<!-- BEGIN TOC -->
|
||||
- [Design overview and choices](#design-overview-and-choices)
|
||||
- [How to run this stage](#how-to-run-this-stage)
|
||||
- [Provider and Terraform variables](#provider-and-terraform-variables)
|
||||
- [Impersonating the automation service account](#impersonating-the-automation-service-account)
|
||||
- [Variable configuration](#variable-configuration)
|
||||
- [Running the stage](#running-the-stage)
|
||||
- [Running in isolation](#running-in-isolation)
|
||||
- [Customizations](#customizations)
|
||||
- [Clusters and node pools](#clusters-and-node-pools)
|
||||
- [Fleet management](#fleet-management)
|
||||
- [Files](#files)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
||||
## Design overview and choices
|
||||
|
||||
> The detailed architecture of the underlying resources is explained in the documentation of [GKE multitenant module](../../../../blueprints/gke/multitenant-fleet/README.md).
|
||||
> The detailed architecture of the underlying resources is explained in the documentation of the [GKE multitenant blueprint](../../../../blueprints/gke/multitenant-fleet/README.md).
|
||||
|
||||
This stage creates a project containing and as many clusters and node pools as requested by the user through the [variables](#variables) explained below. The GKE clusters are created with the with the following setup:
|
||||
This stage creates a project containing as many clusters and node pools as requested by the user, configured via the [variables](#variables) explained below. The GKE clusters are created with the following setup:
|
||||
|
||||
- All clusters are assumed to be [private](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), therefore only [VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips) are supported.
|
||||
- Even though public clusters are supported, this stage is designed with [private clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) in mind so it only supports [VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips).
|
||||
- Logging and monitoring configured to use Cloud Operations for system components and user workloads.
|
||||
- [GKE metering](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering) enabled by default and stored in a bigquery dataset created within the project.
|
||||
- Optional [GKE Fleet](https://cloud.google.com/kubernetes-engine/docs/fleets-overview) support with the possibility to enable any of the following features:
|
||||
|
@ -125,16 +141,41 @@ The VPC host project, VPC and subnets should already exist.
|
|||
|
||||
## Customizations
|
||||
|
||||
### Cluster and node pools
|
||||
This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables allow management of clusters, nodepools, and fleet registration and configurations.
|
||||
|
||||
This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables are designed to support this approach for both clusters and node pools:
|
||||
### Clusters and node pools
|
||||
|
||||
- the `cluster_default` variable allows defining common defaults for all clusters
|
||||
- the `clusters` variable is used to declare the actual GKE clusters and allows overriding defaults on a per-cluster basis
|
||||
- the `nodepool_defaults` variable allows defining common defaults for all node pools
|
||||
- the `nodepools` variable is used to declare cluster node pools and allows overriding defaults on a per-cluster basis
|
||||
This is an example of declaring a private cluster with one nodepool via `tfvars` file:
|
||||
|
||||
There are two additional variables that influence cluster configuration: `authenticator_security_group` to configure [Google Groups for RBAC](https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac), `dns_domain` to configure [Cloud DNS for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns).
|
||||
```hcl
|
||||
clusters = {
|
||||
test-00 = {
|
||||
description = "Cluster test 0"
|
||||
location = "europe-west8"
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = true
|
||||
master_global_access = true
|
||||
}
|
||||
vpc_config = {
|
||||
subnetwork = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke"
|
||||
master_ipv4_cidr_block = "172.16.20.0/28"
|
||||
master_authorized_ranges = {
|
||||
private = "10.0.0.0/8"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
nodepools = {
|
||||
test-00 = {
|
||||
00 = {
|
||||
node_count = { initial = 1 }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest skip
|
||||
```
|
||||
|
||||
If clusters share similar configurations, those can be centralized via `locals` blocks in this stage's `main.tf` file, and merged in with clusters via a simple `for_each` loop. One example of this approach is provided in the underlying [GKE multitenant blueprint](../../../../blueprints/gke/multitenant-fleet/).
|
||||
|
||||
### Fleet management
|
||||
|
||||
|
@ -145,7 +186,19 @@ Fleet management is entirely optional, and uses three separate variables:
|
|||
- `fleet_configmanagement_clusters`: specifies which clusters are managed by fleet features, and the optional Config Management template for each cluster
|
||||
- `fleet_workload_identity`: to enables optional centralized [Workload Identity](https://cloud.google.com/anthos/fleet-management/docs/use-workload-identity)
|
||||
|
||||
Leave all these variables unset (or set to `null`) to disable fleet management.
|
||||
Leave all these variables unset (or set to `null`) to disable fleet management. One example of a simple fleet configuration that integrates with the cluster example above:
|
||||
|
||||
```hcl
|
||||
fleet_features = {
|
||||
configmanagement = true
|
||||
identityservice = true
|
||||
multiclusteringress = "test-0"
|
||||
multiclusterservicediscovery = true
|
||||
servicemesh = true
|
||||
}
|
||||
|
||||
# tftest skip
|
||||
```
|
||||
|
||||
<!-- TFDOC OPTS files:1 show_extra:1 -->
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
|
|
@ -75,29 +75,17 @@ module "hub" {
|
|||
cluster-1 = module.cluster_1.id
|
||||
}
|
||||
features = {
|
||||
appdevexperience = false
|
||||
configmanagement = true
|
||||
identityservice = false
|
||||
multiclusteringress = null
|
||||
servicemesh = false
|
||||
multiclusterservicediscovery = false
|
||||
configmanagement = true
|
||||
}
|
||||
configmanagement_templates = {
|
||||
default = {
|
||||
binauthz = false
|
||||
config_sync = {
|
||||
git = {
|
||||
gcp_service_account_email = null
|
||||
https_proxy = null
|
||||
policy_dir = "configsync"
|
||||
secret_type = "none"
|
||||
source_format = "hierarchy"
|
||||
sync_branch = "main"
|
||||
sync_repo = "https://github.com/danielmarzini/configsync-platform-example"
|
||||
sync_rev = null
|
||||
sync_wait_secs = null
|
||||
policy_dir = "configsync"
|
||||
source_format = "hierarchy"
|
||||
sync_branch = "main"
|
||||
sync_repo = "https://github.com/danielmarzini/configsync-platform-example"
|
||||
}
|
||||
prevent_drift = false
|
||||
source_format = "hierarchy"
|
||||
}
|
||||
hierarchy_controller = {
|
||||
|
@ -106,7 +94,6 @@ module "hub" {
|
|||
}
|
||||
policy_controller = {
|
||||
audit_interval_seconds = 120
|
||||
exemptable_namespaces = []
|
||||
log_denies_enabled = true
|
||||
referential_rules_enabled = true
|
||||
template_library_installed = true
|
||||
|
@ -317,22 +304,20 @@ module "hub" {
|
|||
# tftest modules=8 resources=34
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [project_id](variables.tf#L87) | GKE hub project ID. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L80) | GKE hub project ID. | <code>string</code> | ✓ | |
|
||||
| [clusters](variables.tf#L17) | Clusters members of this GKE Hub in name => id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [configmanagement_clusters](variables.tf#L24) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [configmanagement_templates](variables.tf#L31) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code title="map(object({ binauthz = bool config_sync = object({ git = object({ gcp_service_account_email = string https_proxy = string policy_dir = string secret_type = string sync_branch = string sync_repo = string sync_rev = string sync_wait_secs = number }) prevent_drift = string source_format = string }) hierarchy_controller = object({ enable_hierarchical_resource_quota = bool enable_pod_tree_labels = bool }) policy_controller = object({ audit_interval_seconds = number exemptable_namespaces = list(string) log_denies_enabled = bool referential_rules_enabled = bool template_library_installed = bool }) version = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [features](variables.tf#L66) | Enable and configure fleet features. | <code title="object({ appdevexperience = optional(bool, false) configmanagement = optional(bool, false) identityservice = optional(bool, false) multiclusteringress = optional(string, null) multiclusterservicediscovery = optional(bool, false) servicemesh = optional(bool, false) })">object({…})</code> | | <code title="{ appdevexperience = false configmanagement = false identityservice = false multiclusteringress = null servicemesh = false multiclusterservicediscovery = false }">{…}</code> |
|
||||
| [workload_identity_clusters](variables.tf#L92) | Clusters that will use Fleet Workload Identity. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [configmanagement_templates](variables.tf#L31) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code title="map(object({ binauthz = optional(bool) version = optional(string) config_sync = object({ git = optional(object({ sync_repo = string policy_dir = string gcp_service_account_email = optional(string) https_proxy = optional(string) secret_type = optional(string, "none") sync_branch = optional(string) sync_rev = optional(string) sync_wait_secs = optional(number) })) prevent_drift = optional(bool) source_format = optional(string, "hierarchy") }) hierarchy_controller = optional(object({ enable_hierarchical_resource_quota = optional(bool) enable_pod_tree_labels = optional(bool) })) policy_controller = object({ audit_interval_seconds = optional(number) exemptable_namespaces = optional(list(string)) log_denies_enabled = optional(bool) referential_rules_enabled = optional(bool) template_library_installed = optional(bool) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [features](variables.tf#L66) | Enable and configure fleet features. | <code title="object({ appdevexperience = optional(bool, false) configmanagement = optional(bool, false) identityservice = optional(bool, false) multiclusteringress = optional(string, null) multiclusterservicediscovery = optional(bool, false) servicemesh = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [workload_identity_clusters](variables.tf#L85) | Clusters that will use Fleet Workload Identity. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [cluster_ids](outputs.tf#L17) | Fully qualified ids of all clusters. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -31,33 +31,33 @@ variable "configmanagement_clusters" {
|
|||
variable "configmanagement_templates" {
|
||||
description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format."
|
||||
type = map(object({
|
||||
binauthz = bool
|
||||
binauthz = optional(bool)
|
||||
version = optional(string)
|
||||
config_sync = object({
|
||||
git = object({
|
||||
gcp_service_account_email = string
|
||||
https_proxy = string
|
||||
policy_dir = string
|
||||
secret_type = string
|
||||
sync_branch = string
|
||||
git = optional(object({
|
||||
sync_repo = string
|
||||
sync_rev = string
|
||||
sync_wait_secs = number
|
||||
})
|
||||
prevent_drift = string
|
||||
source_format = string
|
||||
})
|
||||
hierarchy_controller = object({
|
||||
enable_hierarchical_resource_quota = bool
|
||||
enable_pod_tree_labels = bool
|
||||
policy_dir = string
|
||||
gcp_service_account_email = optional(string)
|
||||
https_proxy = optional(string)
|
||||
secret_type = optional(string, "none")
|
||||
sync_branch = optional(string)
|
||||
sync_rev = optional(string)
|
||||
sync_wait_secs = optional(number)
|
||||
}))
|
||||
prevent_drift = optional(bool)
|
||||
source_format = optional(string, "hierarchy")
|
||||
})
|
||||
hierarchy_controller = optional(object({
|
||||
enable_hierarchical_resource_quota = optional(bool)
|
||||
enable_pod_tree_labels = optional(bool)
|
||||
}))
|
||||
policy_controller = object({
|
||||
audit_interval_seconds = number
|
||||
exemptable_namespaces = list(string)
|
||||
log_denies_enabled = bool
|
||||
referential_rules_enabled = bool
|
||||
template_library_installed = bool
|
||||
audit_interval_seconds = optional(number)
|
||||
exemptable_namespaces = optional(list(string))
|
||||
log_denies_enabled = optional(bool)
|
||||
referential_rules_enabled = optional(bool)
|
||||
template_library_installed = optional(bool)
|
||||
})
|
||||
version = string
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
|
@ -73,14 +73,7 @@ variable "features" {
|
|||
multiclusterservicediscovery = optional(bool, false)
|
||||
servicemesh = optional(bool, false)
|
||||
})
|
||||
default = {
|
||||
appdevexperience = false
|
||||
configmanagement = false
|
||||
identityservice = false
|
||||
multiclusteringress = null
|
||||
servicemesh = false
|
||||
multiclusterservicediscovery = false
|
||||
}
|
||||
default = {}
|
||||
nullable = false
|
||||
}
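Review bot: In the `configmanagement_templates` hunk `secret_type` now defaults to `"none"` while `binauthz` and `prevent_drift` default to `null`, and the description does not say what those defaults imply. `none` only works for a publicly readable Git repository, so a caller who points `sync_repo` at a private repository and keeps the default gets an unauthenticated sync failure rather than a clear error, and nothing ties `gcp_service_account_email` to `secret_type = "gcpserviceaccount"`; a null `binauthz`/`prevent_drift` presumably falls back to the provider default (likely disabled — confirm), so enforcement is off unless set explicitly. I would extend the description with `secret_type defaults to "none" (public repositories only; use "gcpserviceaccount" together with gcp_service_account_email for private repositories); binauthz and prevent_drift are unset by default and inherit the provider defaults` and add a validation block that enforces the pairing, shown below. The variable's closing brace falls after the end of this hunk.
```hcl
  # … unchanged: type = map(object({ … })) …
  default  = {}
  nullable = false
  validation {
    condition = alltrue([
      for v in var.configmanagement_templates :
      try(v.config_sync.git.secret_type, "none") != "gcpserviceaccount" ||
      try(v.config_sync.git.gcp_service_account_email, null) != null
    ])
    error_message = "Templates using secret_type 'gcpserviceaccount' must also set gcp_service_account_email."
  }
```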
|
||||
|
||||
|
|
|
@ -122,6 +122,7 @@ values:
|
|||
remove_default_node_pool: true
|
||||
resource_labels: null
|
||||
resource_usage_export_config: []
|
||||
timeouts: null
|
||||
workload_identity_config:
|
||||
- workload_pool: gkehub-test.svc.id.goog
|
||||
module.hub.google_gke_hub_feature.default["configmanagement"]:
|
||||
|
@ -131,6 +132,7 @@ values:
|
|||
name: configmanagement
|
||||
project: gkehub-test
|
||||
spec: []
|
||||
timeouts: null
|
||||
module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
|
||||
configmanagement:
|
||||
- config_sync:
|
||||
|
@ -145,7 +147,6 @@ values:
|
|||
sync_wait_secs: null
|
||||
metrics_gcp_service_account_email: null
|
||||
oci: []
|
||||
prevent_drift: false
|
||||
source_format: hierarchy
|
||||
hierarchy_controller:
|
||||
- enable_hierarchical_resource_quota: true
|
||||
|
@ -154,7 +155,7 @@ values:
|
|||
policy_controller:
|
||||
- audit_interval_seconds: '120'
|
||||
enabled: true
|
||||
exemptable_namespaces: []
|
||||
exemptable_namespaces: null
|
||||
log_denies_enabled: true
|
||||
mutation_enabled: null
|
||||
referential_rules_enabled: true
|
||||
|
@ -166,6 +167,7 @@ values:
|
|||
membership_location: null
|
||||
mesh: []
|
||||
project: gkehub-test
|
||||
timeouts: null
|
||||
module.hub.google_gke_hub_membership.default["cluster-1"]:
|
||||
authority: []
|
||||
description: null
|
||||
|
@ -176,6 +178,7 @@ values:
|
|||
location: global
|
||||
membership_id: cluster-1
|
||||
project: gkehub-test
|
||||
timeouts: null
|
||||
module.project.google_project.project[0]:
|
||||
auto_create_network: false
|
||||
billing_account: 123456-123456-123456
|
||||
|
@ -185,47 +188,57 @@ values:
|
|||
org_id: null
|
||||
project_id: gkehub-test
|
||||
skip_delete: false
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["anthosconfigmanagement.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: anthosconfigmanagement.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["container.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: container.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["gkeconnect.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: gkeconnect.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["gkehub.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: gkehub.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["mesh.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: mesh.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["multiclusteringress.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: multiclusteringress.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service.project_services["multiclusterservicediscovery.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
project: gkehub-test
|
||||
service: multiclusterservicediscovery.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service_identity.jit_si["gkehub.googleapis.com"]:
|
||||
project: gkehub-test
|
||||
service: gkehub.googleapis.com
|
||||
timeouts: null
|
||||
module.project.google_project_service_identity.jit_si["multiclusteringress.googleapis.com"]:
|
||||
project: gkehub-test
|
||||
service: multiclusteringress.googleapis.com
|
||||
timeouts: null
|
||||
module.vpc.google_compute_network.network[0]:
|
||||
auto_create_subnetworks: false
|
||||
delete_default_routes_on_create: false
|
||||
|
@ -235,6 +248,7 @@ values:
|
|||
network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
|
||||
project: gkehub-test
|
||||
routing_mode: GLOBAL
|
||||
timeouts: null
|
||||
module.vpc.google_compute_route.gateway["private-googleapis"]:
|
||||
description: Terraform-managed.
|
||||
dest_range: 199.36.153.8/30
|
||||
|
@ -246,6 +260,7 @@ values:
|
|||
priority: 1000
|
||||
project: gkehub-test
|
||||
tags: null
|
||||
timeouts: null
|
||||
module.vpc.google_compute_route.gateway["restricted-googleapis"]:
|
||||
description: Terraform-managed.
|
||||
dest_range: 199.36.153.4/30
|
||||
|
@ -257,6 +272,7 @@ values:
|
|||
priority: 1000
|
||||
project: gkehub-test
|
||||
tags: null
|
||||
timeouts: null
|
||||
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/cluster-1"]:
|
||||
description: Terraform-managed.
|
||||
ip_cidr_range: 10.0.0.0/24
|
||||
|
@ -268,6 +284,7 @@ values:
|
|||
region: europe-west1
|
||||
role: null
|
||||
secondary_ip_range: []
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_compute_network: 1
|
||||
|
@ -282,3 +299,5 @@ counts:
|
|||
google_project_service_identity: 2
|
||||
modules: 4
|
||||
resources: 18
|
||||
|
||||
outputs: {}
|
||||
|
|