diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1013e67b..9527a9e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 ### BLUEPRINTS
+- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo))
 - [[#818](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/818)] Example wordpress ([skalolazka](https://github.com/skalolazka))
 - [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc))
 - [[#854](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/854)] Added an example of a Nginx reverse proxy cluster using RMIGs ([rosmo](https://github.com/rosmo))
@@ -27,6 +28,8 @@ All notable changes to this project will be documented in this file.
 ### FAST
+- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo))
+- [[#867](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/867)] FAST: Replace NVAs in 02-networking-nva with COS-based VMs ([sruffilli](https://github.com/sruffilli))
 - [[#865](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/865)] Enable FAST 00-cicd provider test ([ludoo](https://github.com/ludoo))
 - [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc))
 - [[#858](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/858)] Default gcp-support to gcp-devops ([juliocc](https://github.com/juliocc))
@@ -38,6 +41,8 @@ All notable changes to this project will be documented in this file.
 ### MODULES
+- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo))
+- [[#866](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/866)] Update ipprefix_by_netmask.sh in nva module ([sruffilli](https://github.com/sruffilli))
 - [[#860](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/860)] **incompatible change:** Refactor compute-vm for Terraform 1.3 ([ludoo](https://github.com/ludoo))
 - [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc))
 - [[#859](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/859)] Make project shared VPC fields optional ([juliocc](https://github.com/juliocc))
diff --git a/blueprints/gke/binauthz/main.tf b/blueprints/gke/binauthz/main.tf
index b9af6c41..92f75b2d 100644
--- a/blueprints/gke/binauthz/main.tf
+++ b/blueprints/gke/binauthz/main.tf
@@ -83,21 +83,19 @@ module "nat" {
 }
 module "cluster" {
- source = "../../../modules/gke-cluster"
- project_id = module.project.project_id
- name = "${local.prefix}cluster"
- location = var.zone
- network = module.vpc.self_link
- subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
- secondary_range_pods = "pods"
- secondary_range_services = "services"
+ source = "../../../modules/gke-cluster"
+ project_id = module.project.project_id
+ name = "${local.prefix}cluster"
+ location = var.zone
+ vpc_config = {
+ network = module.vpc.self_link
+ subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
+ }
 private_cluster_config = {
- enable_private_nodes = true
 enable_private_endpoint = false
 master_ipv4_cidr_block = var.master_cidr_block
 master_global_access = false
 }
- workload_identity = true
 }
 module "cluster_nodepool" {
diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf
index 6e6a5c85..4e6742e1 100644
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf
+++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf
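Review bot: The rewritten `module "cluster"` no longer names its pods/services secondary ranges: `secondary_range_pods`/`secondary_range_services` are removed and the new `vpc_config` carries only `network` and `subnetwork`, while the refactored module emits `ip_allocation_policy` only when `vpc_config.secondary_range_names` or `secondary_range_blocks` is non-null. Unless the module's `variables.tf` (not in this diff) defaults `secondary_range_names` to `pods`/`services`, this cluster silently stops being VPC-native; please confirm that default, or set `secondary_range_names = { pods = "pods", services = "services" }` inside `vpc_config`. `workload_identity = true` is likewise dropped with no `enable_features` replacement, so a Binary Authorization blueprint now depends on an unseen default — better to state `enable_features = { workload_identity = true }` explicitly.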
@@ -133,30 +133,27 @@ module "mgmt_server" {
 }
 module "clusters" {
- for_each = var.clusters_config
- source = "../../../modules/gke-cluster"
- project_id = module.fleet_project.project_id
- name = each.key
- location = var.region
- network = module.svpc.self_link
- subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
- secondary_range_pods = "pods"
- secondary_range_services = "services"
+ for_each = var.clusters_config
+ source = "../../../modules/gke-cluster"
+ project_id = module.fleet_project.project_id
+ name = each.key
+ location = var.region
+ vpc_config = {
+ network = module.svpc.self_link
+ subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
+ master_authorized_ranges = merge({
+ mgmt : var.mgmt_subnet_cidr_block
+ },
+ { for key, config in var.clusters_config :
+ "pods-${key}" => config.pods_cidr_block if key != each.key
+ })
+ }
 private_cluster_config = {
- enable_private_nodes = true
 enable_private_endpoint = true
 master_ipv4_cidr_block = each.value.master_cidr_block
 master_global_access = true
 }
- master_authorized_ranges = merge({
- mgmt : var.mgmt_subnet_cidr_block
- },
- { for key, config in var.clusters_config :
- "pods-${key}" => config.pods_cidr_block if key != each.key
- })
- enable_autopilot = false
- release_channel = "REGULAR"
- workload_identity = true
+ release_channel = "REGULAR"
 labels = {
 mesh_id = "proj-${module.fleet_project.number}"
 }
diff --git a/blueprints/gke/multitenant-fleet/gke-clusters.tf b/blueprints/gke/multitenant-fleet/gke-clusters.tf
index 8e04d780..d3dab082 100644
--- a/blueprints/gke/multitenant-fleet/gke-clusters.tf
+++ b/blueprints/gke/multitenant-fleet/gke-clusters.tf
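Review bot: `workload_identity = true` and `enable_autopilot = false` are removed from `module "clusters"` and nothing in the new `vpc_config`/`private_cluster_config` replaces them, so the mesh clusters now rely on the gke-cluster module's `enable_features` defaults, which this diff does not show. Fleet and mesh features generally depend on Workload Identity, so pin it here with `enable_features = { workload_identity = true }` rather than trusting a default that a later module change could flip. The same applies to `secondary_range_pods`/`secondary_range_services`: with no `secondary_range_names` in `vpc_config` the module only emits `ip_allocation_policy` if its default supplies them — verify, or pass them explicitly. The module block's closing brace lies outside the hunk.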
@@ -24,93 +24,69 @@ locals {
 }
 module "gke-cluster" {
- source = "../../../modules/gke-cluster"
- for_each = local.clusters
- name = each.key
- project_id = module.gke-project-0.project_id
- description = each.value.description
- location = each.value.location
- network = var.vpc_config.vpc_self_link
- subnetwork = each.value.net.subnet
- secondary_range_pods = each.value.net.pods
- secondary_range_services = each.value.net.services
- labels = each.value.labels
- addons = {
- cloudrun_config = each.value.overrides.cloudrun_config
- dns_cache_config = true
- http_load_balancing = true
- gce_persistent_disk_csi_driver_config = true
- horizontal_pod_autoscaling = true
- config_connector_config = true
- kalm_config = false
- gcp_filestore_csi_driver_config = each.value.overrides.gcp_filestore_csi_driver_config
- gke_backup_agent_config = false
- # enable only if enable_dataplane_v2 is changed to false below
- network_policy_config = false
- istio_config = {
- enabled = false
- tls = false
+ source = "../../../modules/gke-cluster"
+ for_each = local.clusters
+ name = each.key
+ project_id = module.gke-project-0.project_id
+ description = each.value.description
+ location = each.value.location
+ vpc_config = {
+ network = var.vpc_config.vpc_self_link
+ subnetwork = each.value.net.subnet
+ secondary_range_names = {
+ pods = each.value.net.pods
+ services = each.value.net.services
 }
+ master_authorized_ranges = each.value.overrides.master_authorized_ranges
+ }
+ labels = each.value.labels
+ enable_addons = {
+ cloudrun = each.value.overrides.cloudrun_config
+ config_connector = true
+ dns_cache = true
+ gce_persistent_disk_csi_driver = true
+ gcp_filestore_csi_driver = each.value.overrides.gcp_filestore_csi_driver_config
+ gke_backup_agent = false
+ horizontal_pod_autoscaling = true
+ http_load_balancing = true
+ }
+ enable_features = {
+ cloud_dns = var.dns_domain == null ? null : {
+ cluster_dns = "CLOUD_DNS"
+ cluster_dns_scope = "VPC_SCOPE"
+ cluster_dns_domain = "${each.key}.${var.dns_domain}"
+ }
+ database_encryption = (
+ each.value.overrides.database_encryption_key == null
+ ? null
+ : {
+ state = "ENCRYPTED"
+ key_name = each.value.overrides.database_encryption_key
+ }
+ )
+ dataplane_v2 = true
+ groups_for_rbac = var.authenticator_security_group
+ intranode_visibility = true
+ pod_security_policy = each.value.overrides.pod_security_policy
+ resource_usage_export = {
+ dataset = module.gke-dataset-resource-usage.dataset_id
+ }
+ shielded_nodes = true
+ vertical_pod_autoscaling = each.value.overrides.vertical_pod_autoscaling
+ workload_identity = true
 }
- # change these here for all clusters if absolutely needed
- authenticator_security_group = var.authenticator_security_group
- enable_dataplane_v2 = true
- enable_l4_ilb_subsetting = false
- enable_intranode_visibility = true
- enable_shielded_nodes = true
- workload_identity = true
 private_cluster_config = {
- enable_private_nodes = true
- enable_private_endpoint = false
+ enable_private_endpoint = true
 master_ipv4_cidr_block = each.value.net.master_range
 master_global_access = true
- }
- dns_config = each.value.dns_domain == null ? null : {
- cluster_dns = "CLOUD_DNS"
- cluster_dns_scope = "VPC_SCOPE"
- cluster_dns_domain = "${each.key}.${var.dns_domain}"
+ peering_config = var.peering_config == null ? null : {
+ export_routes = var.peering_config.export_routes
+ import_routes = var.peering_config.import_routes
+ project_id = var.vpc_config.host_project_id
+ }
 }
 logging_config = ["SYSTEM_COMPONENTS", "WORKLOADS"]
 monitoring_config = ["SYSTEM_COMPONENTS", "WORKLOADS"]
-
- peering_config = var.peering_config == null ? null : {
- export_routes = var.peering_config.export_routes
- import_routes = var.peering_config.import_routes
- project_id = var.vpc_config.host_project_id
- }
- resource_usage_export_config = {
- enabled = true
- dataset = module.gke-dataset-resource-usage.dataset_id
- }
- # TODO: the attributes below are "primed" from project-level defaults
- # in locals, merge defaults with cluster-level stuff
- # TODO(jccb): change fabric module
- database_encryption = (
- each.value.overrides.database_encryption_key == null
- ? {
- enabled = false
- state = null
- key_name = null
- }
- : {
- enabled = true
- state = "ENCRYPTED"
- key_name = each.value.overrides.database_encryption_key
- }
- )
- default_max_pods_per_node = each.value.overrides.max_pods_per_node
- master_authorized_ranges = each.value.overrides.master_authorized_ranges
- pod_security_policy = each.value.overrides.pod_security_policy
- release_channel = each.value.overrides.release_channel
- vertical_pod_autoscaling = each.value.overrides.vertical_pod_autoscaling
- # dynamic "cluster_autoscaling" {
- # for_each = each.value.cluster_autoscaling == null ? {} : { 1 = 1 }
- # content {
- # enabled = true
- # cpu_min = each.value.cluster_autoscaling.cpu_min
- # cpu_max = each.value.cluster_autoscaling.cpu_max
- # memory_min = each.value.cluster_autoscaling.memory_min
- # memory_max = each.value.cluster_autoscaling.memory_max
- # }
- # }
+ max_pods_per_node = each.value.overrides.max_pods_per_node
+ release_channel = each.value.overrides.release_channel
 }
diff --git a/blueprints/networking/hub-and-spoke-peering/main.tf b/blueprints/networking/hub-and-spoke-peering/main.tf
index eefc8049..a32eee34 100644
--- a/blueprints/networking/hub-and-spoke-peering/main.tf
+++ b/blueprints/networking/hub-and-spoke-peering/main.tf
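Review bot: `enable_private_endpoint` flips from `false` to `true` for every tenant cluster inside what the changelog lists as a module refactor; together with the per-cluster `master_authorized_ranges` override this removes the public control-plane endpoint, so operators must reach the API from inside the VPC or over the routes in `peering_config`. That is a sound hardening for a multitenant fleet, but if it is intentional it deserves a line in the changelog/README and a comment above the block such as `# control plane reachable only via the VPC (private endpoint) and master_authorized_ranges`; if it is accidental, restore `enable_private_endpoint = false`. The `cloud_dns` condition also changed from `each.value.dns_domain == null` to `var.dns_domain == null`, which matches the domain built from `var.dns_domain` on the lines below but is a behavioural change worth noting in the PR description. `locals` opens before the hunk; the `module "gke-cluster"` block closes on the hunk's last line.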
@@ -237,31 +237,29 @@ module "service-account-gce" {
 ################################################################################
 module "cluster-1" {
- source = "../../../modules/gke-cluster"
- name = "${local.prefix}cluster-1"
- project_id = module.project.project_id
- location = "${var.region}-b"
- network = module.vpc-spoke-2.self_link
- subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/${local.prefix}spoke-2-1"]
- secondary_range_pods = "pods"
- secondary_range_services = "services"
- default_max_pods_per_node = 32
+ source = "../../../modules/gke-cluster"
+ name = "${local.prefix}cluster-1"
+ project_id = module.project.project_id
+ location = "${var.region}-b"
+ vpc_config = {
+ network = module.vpc-spoke-2.self_link
+ subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/${local.prefix}spoke-2-1"]
+ master_authorized_ranges = {
+ for name, range in var.ip_ranges : name => range
+ }
+ }
+ max_pods_per_node = 32
 labels = {
 environment = "test"
 }
- master_authorized_ranges = {
- for name, range in var.ip_ranges : name => range
- }
 private_cluster_config = {
- enable_private_nodes = true
 enable_private_endpoint = true
 master_ipv4_cidr_block = var.private_service_ranges.spoke-2-cluster-1
 master_global_access = true
- }
- peering_config = {
- export_routes = true
- import_routes = false
- project_id = null
+ peering_config = {
+ export_routes = true
+ import_routes = false
+ }
 }
 }
diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf
index e4eb1a49..ef162db3 100644
--- a/blueprints/networking/shared-vpc-gke/main.tf
+++ b/blueprints/networking/shared-vpc-gke/main.tf
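Review bot: `master_authorized_ranges = { for name, range in var.ip_ranges : name => range }` is an identity for-expression and reads as if a transformation were happening; `master_authorized_ranges = var.ip_ranges` is equivalent and clearer. Note too that the cluster no longer names its pods/services secondary ranges (`secondary_range_pods`/`secondary_range_services` removed, no `secondary_range_names` in `vpc_config`), so whether `ip_allocation_policy` is still emitted depends on a module default this diff does not show; confirm it or pass `secondary_range_names = { pods = "pods", services = "services" }`. `project_id = null` was dropped from `peering_config`, presumably because the module now defaults it to the cluster project — fine for this single-project blueprint, but worth confirming against the new variable.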
@@ -196,28 +196,27 @@ module "vm-bastion" {
 ################################################################################
 module "cluster-1" {
- source = "../../../modules/gke-cluster"
- count = var.cluster_create ? 1 : 0
- name = "cluster-1"
- project_id = module.project-svc-gke.project_id
- location = "${var.region}-b"
- network = module.vpc-shared.self_link
- subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
- secondary_range_pods = "pods"
- secondary_range_services = "services"
- default_max_pods_per_node = 32
- labels = {
- environment = "test"
- }
- master_authorized_ranges = {
- internal-vms = var.ip_ranges.gce
+ source = "../../../modules/gke-cluster"
+ count = var.cluster_create ? 1 : 0
+ name = "cluster-1"
+ project_id = module.project-svc-gke.project_id
+ location = "${var.region}-b"
+ vpc_config = {
+ network = module.vpc-shared.self_link
+ subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
+ master_authorized_ranges = {
+ internal-vms = var.ip_ranges.gce
+ }
 }
+ max_pods_per_node = 32
 private_cluster_config = {
- enable_private_nodes = true
 enable_private_endpoint = true
 master_ipv4_cidr_block = var.private_service_ranges.cluster-1
 master_global_access = true
 }
+ labels = {
+ environment = "test"
+ }
 }
 module "cluster-1-nodepool-1" {
diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster/README.md
index a34b72b9..d2b2d9b9 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
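Review bot: `secondary_range_pods = "pods"` / `secondary_range_services = "services"` are removed and the new `vpc_config` has no `secondary_range_names`, so this Shared VPC cluster now depends on an unseen module default for its `ip_allocation_policy`; since the module only emits that block when `secondary_range_names` or `secondary_range_blocks` is non-null, either confirm the default in the module's `variables.tf` or add `secondary_range_names = { pods = "pods", services = "services" }` next to `master_authorized_ranges` and check the plan shows the block. The `internal-vms` authorized range combined with `enable_private_endpoint = true` keeps control-plane access limited to the GCE/bastion range, which is the right posture for this blueprint.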
@@ -8,20 +8,23 @@ This module allows simplified creation and management of GKE clusters and should
 ```hcl
 module "cluster-1" {
- source = "./fabric/modules/gke-cluster"
- project_id = "myproject"
- name = "cluster-1"
- location = "europe-west1-b"
- network = var.vpc.self_link
- subnetwork = var.subnet.self_link
- secondary_range_pods = "pods"
- secondary_range_services = "services"
- default_max_pods_per_node = 32
- master_authorized_ranges = {
- internal-vms = "10.0.0.0/8"
+ source = "./fabric/modules/gke-cluster"
+ project_id = "myproject"
+ name = "cluster-1"
+ location = "europe-west1-b"
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ secondary_range_names = {
+ pods = "pods"
+ services = "services"
+ }
+ master_authorized_ranges = {
+ internal-vms = "10.0.0.0/8"
+ }
 }
+ max_pods_per_node = 32
 private_cluster_config = {
- enable_private_nodes = true
 enable_private_endpoint = true
 master_ipv4_cidr_block = "192.168.0.0/28"
 master_global_access = false
@@ -37,25 +40,30 @@ module "cluster-1" {
 ```hcl
 module "cluster-1" {
- source = "./fabric/modules/gke-cluster"
- project_id = "myproject"
- name = "cluster-1"
- location = "europe-west1-b"
- network = var.vpc.self_link
- subnetwork = var.subnet.self_link
- secondary_range_pods = "pods"
- secondary_range_services = "services"
- default_max_pods_per_node = 32
- enable_dataplane_v2 = true
- master_authorized_ranges = {
- internal-vms = "10.0.0.0/8"
+ source = "./fabric/modules/gke-cluster"
+ project_id = "myproject"
+ name = "cluster-1"
+ location = "europe-west1-b"
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ secondary_range_names = {
+ pods = "pods"
+ services = "services"
+ }
+ master_authorized_ranges = {
+ internal-vms = "10.0.0.0/8"
+ }
 }
 private_cluster_config = {
- enable_private_nodes = true
 enable_private_endpoint = true
 master_ipv4_cidr_block = "192.168.0.0/28"
 master_global_access = false
 }
+ enable_features = {
+ dataplane_v2 = true
+ workload_identity = true
+ }
 labels = {
 environment = "dev"
 }
@@ -68,44 +76,24 @@ module "cluster-1" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L161) | Cluster zone or region. | string | ✓ | |
-| [name](variables.tf#L228) | Cluster name. | string | ✓ | |
-| [network](variables.tf#L233) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | string | ✓ | |
-| [project_id](variables.tf#L277) | Cluster project id. | string | ✓ | |
-| [secondary_range_pods](variables.tf#L300) | Subnet secondary range name used for pods. | string | ✓ | |
-| [secondary_range_services](variables.tf#L305) | Subnet secondary range name used for services. | string | ✓ | |
-| [subnetwork](variables.tf#L310) | VPC subnetwork name or self link. | string | ✓ | |
-| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} |
-| [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | string | | null |
-| [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | {…} |
-| [database_encryption](variables.tf#L77) | Enable and configure GKE application-layer secrets encryption. | object({…}) | | {…} |
-| [default_max_pods_per_node](variables.tf#L91) | Maximum number of pods per node in this cluster. | number | | 110 |
-| [description](variables.tf#L97) | Cluster description. | string | | null |
-| [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | object({…}) | | null |
-| [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | bool | | false |
-| [enable_binary_authorization](variables.tf#L119) | Enable Google Binary Authorization. | bool | | false |
-| [enable_dataplane_v2](variables.tf#L125) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | bool | | false |
-| [enable_intranode_visibility](variables.tf#L131) | Enable intra-node visibility to make same node pod to pod traffic visible. | bool | | null |
-| [enable_l4_ilb_subsetting](variables.tf#L137) | Enable L4ILB Subsetting. | bool | | null |
-| [enable_shielded_nodes](variables.tf#L143) | Enable Shielded Nodes features on all nodes in this cluster. | bool | | null |
-| [enable_tpu](variables.tf#L149) | Enable Cloud TPU resources in this cluster. | bool | | null |
-| [labels](variables.tf#L155) | Cluster resource labels. | map(string) | | null |
-| [logging_config](variables.tf#L166) | Logging configuration (enabled components). | list(string) | | null |
-| [logging_service](variables.tf#L172) | Logging service (disable with an empty string). | string | | "logging.googleapis.com/kubernetes" |
-| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | object({…}) | | {…} |
-| [master_authorized_ranges](variables.tf#L204) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | map(string) | | {} |
-| [min_master_version](variables.tf#L210) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
-| [monitoring_config](variables.tf#L216) | Monitoring configuration (enabled components). | list(string) | | null |
-| [monitoring_service](variables.tf#L222) | Monitoring service (disable with an empty string). | string | | "monitoring.googleapis.com/kubernetes" |
-| [node_locations](variables.tf#L238) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [notification_config](variables.tf#L244) | GKE Cluster upgrade notifications via PubSub. | bool | | false |
-| [peering_config](variables.tf#L250) | Configure peering with the master VPC for private clusters. | object({…}) | | null |
-| [pod_security_policy](variables.tf#L260) | Enable the PodSecurityPolicy feature. | bool | | null |
-| [private_cluster_config](variables.tf#L266) | Enable and configure private cluster, private nodes must be true if used. | object({…}) | | null |
-| [release_channel](variables.tf#L282) | Release channel for GKE upgrades. | string | | null |
-| [resource_usage_export_config](variables.tf#L288) | Configure the ResourceUsageExportConfig feature. | object({…}) | | {…} |
-| [vertical_pod_autoscaling](variables.tf#L315) | Enable the Vertical Pod Autoscaling feature. | bool | | null |
-| [workload_identity](variables.tf#L321) | Enable the Workload Identity feature. | bool | | true |
+| [location](variables.tf#L118) | Cluster zone or region. | string | ✓ | |
+| [name](variables.tf#L170) | Cluster name. | string | ✓ | |
+| [project_id](variables.tf#L197) | Cluster project id. | string | ✓ | |
+| [vpc_config](variables.tf#L208) | VPC-level configuration. | object({…}) | ✓ | |
+| [cluster_autoscaling](variables.tf#L17) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null |
+| [description](variables.tf#L38) | Cluster description. | string | | null |
+| [enable_addons](variables.tf#L44) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} |
+| [enable_features](variables.tf#L68) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {…} |
+| [issue_client_certificate](variables.tf#L106) | Enable issuing client certificate. | bool | | false |
+| [labels](variables.tf#L112) | Cluster resource labels. | map(string) | | null |
+| [logging_config](variables.tf#L123) | Logging configuration. | list(string) | | ["SYSTEM_COMPONENTS"] |
+| [maintenance_config](variables.tf#L129) | Maintenance window configuration. | object({…}) | | {…} |
+| [max_pods_per_node](variables.tf#L152) | Maximum number of pods per node in this cluster. | number | | 110 |
+| [min_master_version](variables.tf#L158) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
+| [monitoring_config](variables.tf#L164) | Monitoring components. | list(string) | | ["SYSTEM_COMPONENTS"] |
+| [node_locations](variables.tf#L175) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [private_cluster_config](variables.tf#L182) | Private cluster configuration. | object({…}) | | null |
+| [release_channel](variables.tf#L202) | Release channel for GKE upgrades. | string | | null |
 ## Outputs
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index e0b31a31..118a9987 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -14,159 +14,216 @@
 * limitations under the License.
 */
-locals {
- # The Google provider is unable to validate certain configurations of
- # private_cluster_config when enable_private_nodes is false (provider docs)
- is_private = try(var.private_cluster_config.enable_private_nodes, false)
- peering = try(
- google_container_cluster.cluster.private_cluster_config.0.peering_name,
- null
- )
- peering_project_id = (
- try(var.peering_config.project_id, null) == null
- ? var.project_id
- : var.peering_config.project_id
- )
-}
-
 resource "google_container_cluster" "cluster" {
- provider = google-beta
- project = var.project_id
- name = var.name
- description = var.description
- location = var.location
- node_locations = length(var.node_locations) == 0 ? null : var.node_locations
- min_master_version = var.min_master_version
- network = var.network
- subnetwork = var.subnetwork
- logging_service = var.monitoring_config != null ? null : var.logging_config == null ? var.logging_service : null
- monitoring_service = var.monitoring_config == null ? var.monitoring_service : null
- resource_labels = var.labels
- default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
- enable_intranode_visibility = var.enable_intranode_visibility
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_tpu = var.enable_tpu
- initial_node_count = 1
- remove_default_node_pool = var.enable_autopilot ? null : true
- datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
- enable_autopilot = var.enable_autopilot == true ? true : null
+ provider = google-beta
+ project = var.project_id
+ name = var.name
+ description = var.description
+ location = var.location
+ node_locations = (
+ length(var.node_locations) == 0 ? null : var.node_locations
+ )
+ min_master_version = var.min_master_version
+ network = var.vpc_config.network
+ subnetwork = var.vpc_config.subnetwork
+ resource_labels = var.labels
+ default_max_pods_per_node = (
+ var.enable_features.autopilot ? null : var.max_pods_per_node
+ )
+ enable_intranode_visibility = (
+ var.enable_features.autopilot ? null : var.enable_features.intranode_visibility
+ )
+ enable_l4_ilb_subsetting = var.enable_features.l4_ilb_subsetting
+ enable_shielded_nodes = (
+ var.enable_features.autopilot ? null : var.enable_features.shielded_nodes
+ )
+ enable_tpu = var.enable_features.tpu
+ initial_node_count = 1
+ remove_default_node_pool = var.enable_features.autopilot ? null : true
+ datapath_provider = (
+ var.enable_features.dataplane_v2
+ ? "ADVANCED_DATAPATH"
+ : "DATAPATH_PROVIDER_UNSPECIFIED"
+ )
+ enable_autopilot = var.enable_features.autopilot ? true : null
+ # the default nodepool is deleted here, use the gke-nodepool module instead
 # node_config {}
- # NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
- # Specify that node_config as an parameter to gke-nodepool module instead.
- # TODO(ludomagno): compute addons map in locals and use a single dynamic block
 addons_config {
 dynamic "dns_cache_config" {
- # Pass the user-provided value when autopilot is disabled. When
- # autopilot is enabled, pass the value only when the addon is
- # set to true. This will fail but warns the user that autopilot
- # doesn't support this option, instead of silently discarding
- # and hiding the error
- for_each = !var.enable_autopilot || (var.enable_autopilot && var.addons.dns_cache_config) ? [""] : []
+ for_each = !var.enable_features.autopilot ? [""] : []
 content {
- enabled = var.addons.dns_cache_config
+ enabled = var.enable_addons.dns_cache
 }
 }
 http_load_balancing {
- disabled = !var.addons.http_load_balancing
+ disabled = !var.enable_addons.http_load_balancing
 }
 horizontal_pod_autoscaling {
- disabled = !var.addons.horizontal_pod_autoscaling
+ disabled = !var.enable_addons.horizontal_pod_autoscaling
 }
 dynamic "network_policy_config" {
- for_each = !var.enable_autopilot ? [""] : []
+ for_each = !var.enable_features.autopilot ? [""] : []
 content {
- disabled = !var.addons.network_policy_config
+ disabled = !var.enable_addons.network_policy
 }
 }
 cloudrun_config {
- disabled = !var.addons.cloudrun_config
+ disabled = !var.enable_addons.cloudrun
 }
 istio_config {
- disabled = !var.addons.istio_config.enabled
- auth = var.addons.istio_config.tls ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
+ disabled = var.enable_addons.istio == null
+ auth = (
+ try(var.enable_addons.istio.enable_tls, false) ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
+ )
 }
 gce_persistent_disk_csi_driver_config {
- enabled = var.enable_autopilot || var.addons.gce_persistent_disk_csi_driver_config
+ enabled = var.enable_addons.gce_persistent_disk_csi_driver
 }
 dynamic "gcp_filestore_csi_driver_config" {
- # Pass the user-provided value when autopilot is disabled. When
- # autopilot is enabled, pass the value only when the addon is
- # set to true. This will fail but warns the user that autopilot
- # doesn't support this option, instead of silently discarding
- # and hiding the error
- for_each = var.enable_autopilot && !var.addons.gcp_filestore_csi_driver_config ? [] : [""]
+ for_each = !var.enable_features.autopilot ? [""] : []
 content {
- enabled = var.addons.gcp_filestore_csi_driver_config
+ enabled = var.enable_addons.gcp_filestore_csi_driver
 }
 }
 kalm_config {
- enabled = var.addons.kalm_config
+ enabled = var.enable_addons.kalm
 }
 config_connector_config {
- enabled = var.addons.config_connector_config
+ enabled = var.enable_addons.config_connector
 }
 gke_backup_agent_config {
- enabled = var.addons.gke_backup_agent_config
+ enabled = var.enable_addons.gke_backup_agent
 }
 }
- # TODO(ludomagno): support setting address ranges instead of range names
- # https://www.terraform.io/docs/providers/google/r/container_cluster.html#cluster_ipv4_cidr_block
- ip_allocation_policy {
- cluster_secondary_range_name = var.secondary_range_pods
- services_secondary_range_name = var.secondary_range_services
+ dynamic "authenticator_groups_config" {
+ for_each = var.enable_features.groups_for_rbac != null ? [""] : []
+ content {
+ security_group = var.enable_features.groups_for_rbac
+ }
+ }
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_features.binary_authorization ? [""] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
+ dynamic "cluster_autoscaling" {
+ for_each = var.cluster_autoscaling == null ? [] : [""]
+ content {
+ enabled = true
+ dynamic "resource_limits" {
+ for_each = var.cluster_autoscaling.cpu_limits != null ? [""] : []
+ content {
+ resource_type = "cpu"
+ minimum = var.cluster_autoscaling.cpu_limits.min
+ maximum = var.cluster_autoscaling.cpu_limits.max
+ }
+ }
+ dynamic "resource_limits" {
+ for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
+ content {
+ resource_type = "cpu"
+ minimum = var.cluster_autoscaling.mem_limits.min
+ maximum = var.cluster_autoscaling.mem_limits.max
+ }
+ }
+ // TODO: support GPUs too
+ }
+ }
+
+ dynamic "database_encryption" {
+ for_each = var.enable_features.database_encryption != null ? [""] : []
+ content {
+ state = var.enable_features.database_encryption.state
+ key_name = var.enable_features.database_encryption.key_name
+ }
+ }
+
+ dynamic "dns_config" {
+ for_each = var.enable_features.cloud_dns != null ? [""] : []
+ content {
+ cluster_dns = enable_features.cloud_dns.cluster_dns
+ cluster_dns_scope = enable_features.cloud_dns.cluster_dns_scope
+ cluster_dns_domain = enable_features.cloud_dns.cluster_dns_domain
+ }
+ }
+
+ dynamic "ip_allocation_policy" {
+ for_each = var.vpc_config.secondary_range_blocks != null ? [""] : []
+ content {
+ cluster_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.pods
+ services_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.services
+ }
+ }
+ dynamic "ip_allocation_policy" {
+ for_each = var.vpc_config.secondary_range_names != null ? [""] : []
+ content {
+ cluster_secondary_range_name = var.vpc_config.secondary_range_names.pods
+ services_secondary_range_name = var.vpc_config.secondary_range_names.services
+ }
+ }
+
+ dynamic "logging_config" {
+ for_each = var.logging_config != null ? [""] : []
+ content {
+ enable_components = var.logging_config
+ }
 }
- # https://www.terraform.io/docs/providers/google/r/container_cluster.html#daily_maintenance_window
 maintenance_policy {
 dynamic "daily_maintenance_window" {
- for_each = var.maintenance_config != null && lookup(var.maintenance_config, "daily_maintenance_window", null) != null ? [var.maintenance_config.daily_maintenance_window] : []
- iterator = config
+ for_each = (
+ try(var.maintenance_config.daily_window_start_time, null) != null
+ ? [""]
+ : []
+ )
 content {
- start_time = config.value.start_time
+ start_time = var.maintenance_config.daily_window_start_time
 }
 }
-
 dynamic "recurring_window" {
- for_each = var.maintenance_config != null && lookup(var.maintenance_config, "recurring_window", null) != null ? [var.maintenance_config.recurring_window] : []
- iterator = config
+ for_each = (
+ try(var.maintenance_config.recurring_window, null) != null
+ ? [""]
+ : []
+ )
 content {
- start_time = config.value.start_time
- end_time = config.value.end_time
- recurrence = config.value.recurrence
+ start_time = var.maintenance_config.recurring_window.start_time
+ end_time = var.maintenance_config.recurring_window.end_time
+ recurrence = var.maintenance_config.recurring_window.recurrence
 }
 }
-
 dynamic "maintenance_exclusion" {
- for_each = var.maintenance_config != null && lookup(var.maintenance_config, "maintenance_exclusion", null) != null ? var.maintenance_config.maintenance_exclusion : []
- iterator = config
+ for_each = (
+ try(var.maintenance_config.maintenance_exclusions, null) == null
+ ? []
+ : var.maintenance_config.maintenance_exclusions
+ )
+ iterator = exclusion
 content {
- exclusion_name = config.value.exclusion_name
- start_time = config.value.start_time
- end_time = config.value.end_time
+ exclusion_name = exclusion.value.name
+ start_time = exclusion.value.start_time
+ end_time = exclusion.value.end_time
 }
 }
 }
 master_auth {
 client_certificate_config {
- issue_client_certificate = false
+ issue_client_certificate = var.issue_client_certificate
 }
 }
 dynamic "master_authorized_networks_config" {
- for_each = (
- length(var.master_authorized_ranges) == 0
- ? []
- : [var.master_authorized_ranges]
- )
- iterator = ranges
+ for_each = var.vpc_config.master_authorized_ranges != null ? [""] : []
 content {
 dynamic "cidr_blocks" {
- for_each = ranges.value
+ for_each = var.vpc_config.master_authorized_ranges
 iterator = range
 content {
 cidr_block = range.value
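Review bot: Two defects in the new dynamic blocks need fixing before this refactor ships. In `cluster_autoscaling`, the second `resource_limits` block (the one driven by `mem_limits`) sets `resource_type = "cpu"` — a copy-paste from the cpu block and a regression from the removed code, which used `"memory"` — so both limits target CPU and the memory limit is never applied. In `dns_config`, all three attributes reference `enable_features.cloud_dns.*` without the `var.` prefix, which Terraform resolves as a managed resource named `enable_features` and rejects at validate time, so every caller of this module fails to plan until it is corrected. `issue_client_certificate` becoming caller-controlled is acceptable while the default stays `false`, but a one-line comment saying why it should stay off (the legacy client certificate is not tied to IAM) would help the next reader. The resource body continues past the hunk.
```hcl
      dynamic "resource_limits" {
        for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
        content {
          resource_type = "memory"
          minimum       = var.cluster_autoscaling.mem_limits.min
          maximum       = var.cluster_autoscaling.mem_limits.max
        }
      }
  # … unchanged: database_encryption block …
  dynamic "dns_config" {
    for_each = var.enable_features.cloud_dns != null ? [""] : []
    content {
      cluster_dns        = var.enable_features.cloud_dns.cluster_dns
      cluster_dns_scope  = var.enable_features.cloud_dns.cluster_dns_scope
      cluster_dns_domain = var.enable_features.cloud_dns.cluster_dns_domain
    }
  }
```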
@@ -176,69 +233,58 @@ resource "google_container_cluster" "cluster" {
 }
 }
- #the network_policy block is enabled if network_policy_config and network_dataplane_v2 is set to false. Dataplane V2 has built-in network policies.
- dynamic "network_policy" {
- for_each = var.addons.network_policy_config ? [""] : []
+ dynamic "monitoring_config" {
+ for_each = var.monitoring_config != null ? [""] : []
 content {
- enabled = var.enable_dataplane_v2 ? false : true
- provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
+ enable_components = var.monitoring_config
+ }
+ }
+
+ # dataplane v2 has bult-in network policies
+ dynamic "network_policy" {
+ for_each = (
+ var.enable_addons.network_policy && !var.enable_features.dataplane_v2
+ ? [""]
+ : []
+ )
+ content {
+ enabled = true
+ provider = "CALICO"
+ }
+ }
+
+ dynamic "notification_config" {
+ for_each = var.enable_features.upgrade_notifications != null ? [""] : []
+ content {
+ pubsub {
+ enabled = true
+ topic = (
+ try(var.enable_features.upgrade_notifications.topic_id, null) != null
+ ? var.enable_features.upgrade_notifications.topic_id
+ : google_pubsub_topic.notifications[0].id
+ )
+ }
 }
 }
 dynamic "private_cluster_config" {
- for_each = local.is_private ? [var.private_cluster_config] : []
- iterator = config
+ for_each = (
+ var.private_cluster_config != null ? [""] : []
+ )
 content {
- enable_private_nodes = config.value.enable_private_nodes
- enable_private_endpoint = config.value.enable_private_endpoint
- master_ipv4_cidr_block = config.value.master_ipv4_cidr_block
+ enable_private_nodes = true
+ enable_private_endpoint = var.private_cluster_config.enable_private_endpoint
+ master_ipv4_cidr_block = var.private_cluster_config.master_ipv4_cidr_block
 master_global_access_config {
- enabled = config.value.master_global_access
+ enabled = var.private_cluster_config.master_global_access
 }
 }
 }
- # beta features
-
- dynamic "authenticator_groups_config" {
- for_each = var.authenticator_security_group == null ? [] : [""]
- content {
- security_group = var.authenticator_security_group
- }
- }
-
- dynamic "cluster_autoscaling" {
- for_each = var.cluster_autoscaling.enabled ? [var.cluster_autoscaling] : []
- iterator = config
- content {
- enabled = true
- resource_limits {
- resource_type = "cpu"
- minimum = config.value.cpu_min
- maximum = config.value.cpu_max
- }
- resource_limits {
- resource_type = "memory"
- minimum = config.value.memory_min
- maximum = config.value.memory_max
- }
- // TODO: support GPUs too
- }
- }
-
- dynamic "database_encryption" {
- for_each = var.database_encryption.enabled ? [var.database_encryption] : []
- iterator = config
- content {
- state = config.value.state
- key_name = config.value.key_name
- }
- }
-
 dynamic "pod_security_policy_config" {
- for_each = var.pod_security_policy != null ? [""] : []
+ for_each = var.enable_features.pod_security_policy ? [""] : []
 content {
- enabled = var.pod_security_policy
+ enabled = var.enable_features.pod_security_policy
 }
 }
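Review bot: The `google_pubsub_topic.notifications[0].id` fallback in the new notification_config block can never resolve, because the topic's `count` in the next hunk is `try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 0 : 1`, so the module-managed topic exists exactly when a caller already supplied `topic_id` and is absent when the fallback needs it, which fails with an invalid index at plan time. The condition should read `count = var.enable_features.upgrade_notifications != null && try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 1 : 0`. Separately, `enabled = var.private_cluster_config.master_global_access` receives null when the caller omits that attribute, since the variables.tf hunk declares it `optional(bool)` without a default; either `optional(bool, false)` there or `coalesce(var.private_cluster_config.master_global_access, false)` here. The comment above network_policy misspells "built-in": `# dataplane v2 has built-in network policies`. The enclosing google_container_cluster resource starts and ends outside this hunk.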
@@ -251,86 +297,61 @@ resource "google_container_cluster" "cluster" {
 dynamic "resource_usage_export_config" {
 for_each = (
- var.resource_usage_export_config.enabled != null
- &&
- var.resource_usage_export_config.dataset != null
- ? [""] : []
+ try(var.enable_features.resource_usage_export.dataset, null) != null
+ ? [""]
+ : []
 )
 content {
- enable_network_egress_metering = var.resource_usage_export_config.enabled
+ enable_network_egress_metering = (
+ var.enable_features.resource_usage_export.enable_network_egress_metering
+ )
+ enable_resource_consumption_metering = (
+ var.enable_features.resource_usage_export.enable_resource_consumption_metering
+ )
 bigquery_destination {
- dataset_id = var.resource_usage_export_config.dataset
+ dataset_id = var.enable_features.resource_usage_export.dataset
 }
 }
 }
 dynamic "vertical_pod_autoscaling" {
- for_each = var.vertical_pod_autoscaling == null ? [] : [""]
+ for_each = var.enable_features.vertical_pod_autoscaling ? [""] : []
 content {
- enabled = var.vertical_pod_autoscaling
+ enabled = var.enable_features.vertical_pod_autoscaling
 }
 }
 dynamic "workload_identity_config" {
- for_each = var.workload_identity && !var.enable_autopilot ? [""] : []
+ for_each = var.enable_features.workload_identity ? [""] : []
 content {
 workload_pool = "${var.project_id}.svc.id.goog"
 }
 }
-
- dynamic "monitoring_config" {
- for_each = var.monitoring_config != null ? [""] : []
- content {
- enable_components = var.monitoring_config
- }
- }
-
- dynamic "logging_config" {
- for_each = var.logging_config != null ? [""] : []
- content {
- enable_components = var.logging_config
- }
- }
-
- dynamic "binary_authorization" {
- for_each = var.enable_binary_authorization ? [""] : []
- content {
- evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
- }
- }
-
- dynamic "dns_config" {
- for_each = var.dns_config != null ? [""] : []
- content {
- cluster_dns = var.dns_config.cluster_dns
- cluster_dns_scope = var.dns_config.cluster_dns_scope
- cluster_dns_domain = var.dns_config.cluster_dns_domain
- }
- }
-
- dynamic "notification_config" {
- for_each = var.notification_config ? [""] : []
- content {
- pubsub {
- enabled = var.notification_config
- topic = var.notification_config ? google_pubsub_topic.notifications[0].id : null
- }
- }
- }
 }
 resource "google_compute_network_peering_routes_config" "gke_master" {
- count = local.is_private && var.peering_config != null ? 1 : 0
- project = local.peering_project_id
- peering = local.peering
- network = element(reverse(split("/", var.network)), 0)
- import_custom_routes = var.peering_config.import_routes
- export_custom_routes = var.peering_config.export_routes
+ count = (
+ try(var.private_cluster_config.peering_config, null) != null ? 1 : 0
+ )
+ project = (
+ try(var.private_cluster_config.peering_config, null) == null
+ ? var.project_id
+ : var.private_cluster_config.peering_config.project_id
+ )
+ peering = try(
+ google_container_cluster.cluster.private_cluster_config.0.peering_name,
+ null
+ )
+ network = element(reverse(split("/", var.vpc_config.network)), 0)
+ import_custom_routes = var.private_cluster_config.peering_config.import_routes
+ export_custom_routes = var.private_cluster_config.peering_config.export_routes
 }
 resource "google_pubsub_topic" "notifications" {
- count = var.notification_config ? 1 : 0
- name = "gke-pubsub-notifications"
+ count = (
+ try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 0 : 1
+ )
+ name = "gke-pubsub-notifications"
 labels = {
 content = "gke-notifications"
 }
diff --git a/modules/gke-cluster/outputs.tf b/modules/gke-cluster/outputs.tf
index 2a5fd551..f98f4f54 100644
--- a/modules/gke-cluster/outputs.tf
+++ b/modules/gke-cluster/outputs.tf
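Review bot: `import_custom_routes` and `export_custom_routes` in the rewritten google_compute_network_peering_routes_config pass `peering_config.import_routes`/`export_routes` straight through, and variables.tf now declares both `optional(bool)` with no default, so a caller that sets only `project_id` hands the provider null for two arguments that were plain `bool` before; `optional(bool, false)` in the variable (or `coalesce(..., false)` here) keeps the old explicit-boolean contract. `google_container_cluster.cluster.private_cluster_config.0.peering_name` uses the legacy dotted index while the rest of the hunk uses bracket indexing; `private_cluster_config[0].peering_name` is the documented form. The removed binary_authorization block has no replacement in this hunk although `enable_features.binary_authorization` is still declared in variables.tf; if it was not moved elsewhere in the file, that flag is now dead. The google_container_cluster resource starts outside this hunk.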
@@ -53,7 +53,7 @@ output "name" {
 output "notifications" {
 description = "GKE PubSub notifications topic."
- value = var.notification_config ? google_pubsub_topic.notifications[0].id : null
+ value = try(google_pubsub_topic.notifications[0].id, null)
 }
 output "self_link" {
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index 2c9fccbe..97332266 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
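Review bot: The new `try(google_pubsub_topic.notifications[0].id, null)` only ever reports the module-managed topic, but when a caller supplies `upgrade_notifications.topic_id` the topic actually wired into the cluster is that id, so the output is null (or an unrelated topic) in precisely the case where a consumer would read it. Exposing the effective topic is more useful, e.g. `value = try(google_container_cluster.cluster.notification_config[0].pubsub[0].topic, null)`, and the description should say it is the topic the cluster publishes to regardless of who created it.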
@@ -14,84 +14,25 @@ * limitations under the License. */ -variable "addons" { - description = "Addons enabled in the cluster (true means enabled)." - type = object({ - cloudrun_config = bool - dns_cache_config = bool - horizontal_pod_autoscaling = bool - http_load_balancing = bool - istio_config = object({ - enabled = bool - tls = bool - }) - network_policy_config = bool - gce_persistent_disk_csi_driver_config = bool - gcp_filestore_csi_driver_config = bool - config_connector_config = bool - kalm_config = bool - gke_backup_agent_config = bool - }) - default = { - cloudrun_config = false - dns_cache_config = false - horizontal_pod_autoscaling = true - http_load_balancing = true - istio_config = { - enabled = false - tls = false - } - network_policy_config = false - gce_persistent_disk_csi_driver_config = false - gcp_filestore_csi_driver_config = false - config_connector_config = false - kalm_config = false - gke_backup_agent_config = false - } -} - -variable "authenticator_security_group" { - description = "RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com." - type = string - default = null -} - variable "cluster_autoscaling" { description = "Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler." type = object({ - enabled = bool - cpu_min = number - cpu_max = number - memory_min = number - memory_max = number + auto_provisioning_defaults = optional(object({ + boot_disk_kms_key = optional(string) + image_type = optional(string) + oauth_scopes = optional(list(string)) + service_account = optional(string) + })) + cpu_limits = optional(object({ + min = number + max = number + })) + mem_limits = optional(object({ + min = number + max = number + })) }) - default = { - enabled = false - cpu_min = 0 - cpu_max = 0 - memory_min = 0 - memory_max = 0 - } -} - -variable "database_encryption" { - description = "Enable and configure GKE application-layer secrets encryption." 
- type = object({ - enabled = bool - state = string - key_name = string - }) - default = { - enabled = false - state = "DECRYPTED" - key_name = null - } -} - -variable "default_max_pods_per_node" { - description = "Maximum number of pods per node in this cluster." - type = number - default = 110 + default = null } variable "description" { 
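Review bot: The `cluster_autoscaling` description still reads "Enable and configure limits for Node Auto-Provisioning" although the object now also carries `auto_provisioning_defaults` (boot disk KMS key, image type, OAuth scopes, service account), which are node-identity settings rather than limits; propose `description = "Enable and configure limits and node defaults for Node Auto-Provisioning with Cluster Autoscaler."`. It should also state that the feature is off when the variable stays at its new `null` default, since that replaces the former explicit `enabled` flag. The main.tf block consuming this variable is not in the visible hunks, so whether an unset `service_account` makes auto-provisioned nodes fall back to the project's default compute service account cannot be confirmed from this diff; that behaviour is worth documenting on the attribute either way.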
@@ -100,58 +41,74 @@ variable "description" { default = null } -variable "dns_config" { - description = "Configuration for Using Cloud DNS for GKE." +variable "enable_addons" { + description = "Addons enabled in the cluster (true means enabled)." type = object({ - cluster_dns = string - cluster_dns_scope = string - cluster_dns_domain = string + cloudrun = optional(bool, false) + config_connector = optional(bool, false) + dns_cache = optional(bool, false) + gce_persistent_disk_csi_driver = optional(bool, false) + gcp_filestore_csi_driver = optional(bool, false) + gke_backup_agent = optional(bool, false) + horizontal_pod_autoscaling = optional(bool, false) + http_load_balancing = optional(bool, false) + istio = optional(object({ + enable_tls = bool + })) + kalm = optional(bool, false) + network_policy = optional(bool, false) }) - default = null + default = { + horizontal_pod_autoscaling = true + http_load_balancing = true + } + nullable = false } -variable "enable_autopilot" { - description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)." +variable "enable_features" { + description = "Enable cluster-level features. Certain features allow configuration." 
+ type = object({ + autopilot = optional(bool, false) + binary_authorization = optional(bool, false) + cloud_dns = optional(object({ + provider = optional(string) + scope = optional(string) + domain = optional(string) + })) + database_encryption = optional(object({ + state = string + key_name = string + })) + dataplane_v2 = optional(bool, false) + groups_for_rbac = optional(string) + intranode_visibility = optional(bool, false) + l4_ilb_subsetting = optional(bool, false) + pod_security_policy = optional(bool, false) + resource_usage_export = optional(object({ + dataset = optional(string) + enable_network_egress_metering = optional(bool, false) + enable_resource_consumption_metering = optional(bool, false) + })) + shielded_nodes = optional(bool, false) + tpu = optional(bool, false) + upgrade_notifications = optional(object({ + topic_id = optional(string) + })) + vertical_pod_autoscaling = optional(bool, false) + workload_identity = optional(bool, false) + }) + default = { + workload_identity = true + resource_usage_export = null + } +} + +variable "issue_client_certificate" { + description = "Enable issuing client certificate." type = bool default = false } -variable "enable_binary_authorization" { - description = "Enable Google Binary Authorization." - type = bool - default = false -} - -variable "enable_dataplane_v2" { - description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config." - type = bool - default = false -} - -variable "enable_intranode_visibility" { - description = "Enable intra-node visibility to make same node pod to pod traffic visible." - type = bool - default = null -} - -variable "enable_l4_ilb_subsetting" { - description = "Enable L4ILB Subsetting." - type = bool - default = null -} - -variable "enable_shielded_nodes" { - description = "Enable Shielded Nodes features on all nodes in this cluster." 
- type = bool
- default = null
-}
-
-variable "enable_tpu" {
- description = "Enable Cloud TPU resources in this cluster."
- type = bool
- default = null
-}
-
 variable "labels" {
 description = "Cluster resource labels."
 type = map(string)
@@ -164,47 +121,38 @@ variable "location" {
 }
 variable "logging_config" {
- description = "Logging configuration (enabled components)."
+ description = "Logging configuration."
 type = list(string)
- default = null
-}
-
-variable "logging_service" {
- description = "Logging service (disable with an empty string)."
- type = string
- default = "logging.googleapis.com/kubernetes"
+ default = ["SYSTEM_COMPONENTS"]
 }
 variable "maintenance_config" {
 description = "Maintenance window configuration."
 type = object({
- daily_maintenance_window = object({
- start_time = string
- })
- recurring_window = object({
+ daily_window_start_time = optional(string)
+ recurring_window = optional(object({
 start_time = string
 end_time = string
 recurrence = string
- })
- maintenance_exclusion = list(object({
- exclusion_name = string
- start_time = string
- end_time = string
 }))
+ maintenance_exclusions = optional(list(object({
+ name = string
+ start_time = string
+ end_time = string
+ scope = optional(string)
+ })))
 })
 default = {
- daily_maintenance_window = {
- start_time = "03:00"
- }
- recurring_window = null
- maintenance_exclusion = []
+ daily_window_start_time = "03:00"
+ recurring_window = null
+ maintenance_exclusion = []
 }
 }
-variable "master_authorized_ranges" {
- description = "External Ip address ranges that can access the Kubernetes cluster master through HTTPS."
- type = map(string)
- default = {}
+variable "max_pods_per_node" {
+ description = "Maximum number of pods per node in this cluster."
+ type = number
+ default = 110
 }
 variable "min_master_version" {
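Review bot: The `cloud_dns` object declares `provider`, `scope` and `domain`, but the dns_config block earlier in this diff reads `enable_features.cloud_dns.cluster_dns`, `.cluster_dns_scope` and `.cluster_dns_domain`; those attribute names do not exist here and, without the `var.` prefix, Terraform resolves the expression as a reference to an undeclared resource, so any caller that sets `cloud_dns` fails at plan time. Either rename the attributes to match or fix the consumer to `cluster_dns = var.enable_features.cloud_dns.provider`, `cluster_dns_scope = var.enable_features.cloud_dns.scope`, `cluster_dns_domain = var.enable_features.cloud_dns.domain`. `enable_features` is dereferenced directly as `var.enable_features.<attr>` throughout main.tf yet, unlike `enable_addons` in the same hunk, is not marked `nullable = false`, so `enable_features = null` from a caller errors instead of falling back to the defaults. The description could also note that `resource_usage_export` only takes effect when `dataset` is set, which is how the consumer gates that block.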
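Review bot: The `maintenance_config` default sets `maintenance_exclusion = []` while the type now names the attribute `maintenance_exclusions`, so the default either carries a key the type does not declare or is rejected as not conforming to the type constraint; rename it to `maintenance_exclusions = null`, or drop it together with `recurring_window = null` since both attributes are `optional`. If Terraform rejects the stray key, every caller relying on the default fails at plan time, which the fixture test with no `maintenance_config` set should catch. The new `scope = optional(string)` on exclusions is not consumed by the maintenance_exclusion block earlier in this diff, which only sets name, start_time and end_time, so callers that set `scope` see no effect unless it is wired in outside the visible hunks.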
@@ -214,15 +162,9 @@ variable "min_master_version" {
 }
 variable "monitoring_config" {
- description = "Monitoring configuration (enabled components)."
+ description = "Monitoring components."
 type = list(string)
- default = null
-}
-
-variable "monitoring_service" {
- description = "Monitoring service (disable with an empty string)."
- type = string
- default = "monitoring.googleapis.com/kubernetes"
+ default = ["SYSTEM_COMPONENTS"]
 }
 variable "name" {
@@ -230,46 +172,24 @@ variable "name" {
 type = string
 }
-variable "network" {
- description = "Name or self link of the VPC used for the cluster. Use the self link for Shared VPC."
- type = string
-}
-
 variable "node_locations" {
 description = "Zones in which the cluster's nodes are located."
 type = list(string)
 default = []
-}
-
-variable "notification_config" {
- description = "GKE Cluster upgrade notifications via PubSub."
- type = bool
- default = false
-}
-
-variable "peering_config" {
- description = "Configure peering with the master VPC for private clusters."
- type = object({
- export_routes = bool
- import_routes = bool
- project_id = string
- })
- default = null
-}
-
-variable "pod_security_policy" {
- description = "Enable the PodSecurityPolicy feature."
- type = bool
- default = null
+ nullable = false
 }
 variable "private_cluster_config" {
- description = "Enable and configure private cluster, private nodes must be true if used."
+ description = "Private cluster configuration."
 type = object({
- enable_private_nodes = bool
- enable_private_endpoint = bool
- master_ipv4_cidr_block = string
- master_global_access = bool
+ enable_private_endpoint = optional(bool)
+ master_ipv4_cidr_block = optional(string)
+ master_global_access = optional(bool)
+ peering_config = optional(object({
+ export_routes = optional(bool)
+ import_routes = optional(bool)
+ project_id = optional(string)
+ }))
 })
 default = null
 }
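Review bot: The new description "Private cluster configuration." drops everything the old one said about the contract, and this is the security-relevant block of the module: it should state that setting the variable at all now creates private nodes (main.tf hardcodes `enable_private_nodes = true` and the attribute was removed here), that `enable_private_endpoint = true` removes the public control-plane endpoint so the API server is reachable only from the VPC, and that `peering_config` is what exports routes to the control-plane VPC. `peering_config.export_routes` and `import_routes` as `optional(bool)` with no default yield null for a caller that sets only `project_id`; `export_routes = optional(bool, false)` and `import_routes = optional(bool, false)` keep the previous required-bool semantics without breaking callers. `master_ipv4_cidr_block = optional(string)` is also passed straight through, so a comment that it is required by the provider when the block is used would save a plan-time surprise.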
@@ -285,41 +205,20 @@ variable "release_channel" {
 default = null
 }
-variable "resource_usage_export_config" {
- description = "Configure the ResourceUsageExportConfig feature."
+variable "vpc_config" {
+ description = "VPC-level configuration."
 type = object({
- enabled = bool
- dataset = string
+ network = string
+ subnetwork = string
+ secondary_range_blocks = optional(object({
+ pods = string
+ services = string
+ }), )
+ secondary_range_names = optional(object({
+ pods = string
+ services = string
+ }), { pods = "pods", services = "services" })
+ master_authorized_ranges = optional(map(string))
 })
- default = {
- enabled = null
- dataset = null
- }
-}
-
-variable "secondary_range_pods" {
- description = "Subnet secondary range name used for pods."
- type = string
-}
-
-variable "secondary_range_services" {
- description = "Subnet secondary range name used for services."
- type = string
-}
-
-variable "subnetwork" {
- description = "VPC subnetwork name or self link."
- type = string
-}
-
-variable "vertical_pod_autoscaling" {
- description = "Enable the Vertical Pod Autoscaling feature."
- type = bool
- default = null
-}
-
-variable "workload_identity" {
- description = "Enable the Workload Identity feature."
- type = bool
- default = true
+ nullable = false
 }
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
index cd05eac1..e00c6bfc 100644
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
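Review bot: `secondary_range_names` carries a non-null default (`{ pods = "pods", services = "services" }`) while `secondary_range_blocks` does not, and the two dynamic `ip_allocation_policy` blocks earlier in this diff are each gated only on their own attribute being non-null; as Terraform 1.3 documents an `optional()` default as applying when the attribute is null as well as omitted, a caller that sets `secondary_range_blocks` appears to always get two `ip_allocation_policy` blocks, which the provider rejects. Gate the names block on `var.vpc_config.secondary_range_blocks == null && var.vpc_config.secondary_range_names != null`, or drop the default. `master_authorized_ranges = optional(map(string))` deserves a description: when it is unset main.tf emits no master_authorized_networks_config at all, so a cluster with a public endpoint accepts control-plane connections from any address; that matches the previous `{}` default but is no longer visible from the variable, e.g. `# unset = no authorized-networks restriction on the control plane endpoint`. The dangling comma in `optional(object({...}), )` on `secondary_range_blocks` parses as a one-argument call and should be removed.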
@@ -48,18 +48,20 @@ module "vpc" { } module "cluster_1" { - source = "./fabric/modules/gke-cluster" - project_id = module.project.project_id - name = "cluster-1" - location = "europe-west1-b" - network = module.vpc.self_link - subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"] - secondary_range_pods = "pods" - secondary_range_services = "services" - enable_dataplane_v2 = true - master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" } + source = "./fabric/modules/gke-cluster" + project_id = module.project.project_id + name = "cluster-1" + location = "europe-west1" + vpc_config = { + network = module.vpc.self_link + subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"] + master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" } + } + enable_features = { + dataplane_v2 = true + workload_identity = true + } private_cluster_config = { - enable_private_nodes = true enable_private_endpoint = true master_ipv4_cidr_block = "192.168.0.0/28" master_global_access = false 
@@ -225,27 +227,24 @@ module "firewall" { } module "cluster_1" { - source = "./fabric/modules/gke-cluster" - project_id = module.project.project_id - name = "cluster-1" - location = "europe-wes1" - network = module.vpc.self_link - subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"] - secondary_range_pods = "pods" - secondary_range_services = "services" + source = "./fabric/modules/gke-cluster" + project_id = module.project.project_id + name = "cluster-1" + location = "europe-west1" + vpc_config = { + network = module.vpc.self_link + subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"] + master_authorized_ranges = { + mgmt = "10.0.0.0/28" + pods-cluster-1 = "10.3.0.0/16" + } + } private_cluster_config = { - enable_private_nodes = true enable_private_endpoint = false master_ipv4_cidr_block = "192.168.1.0/28" master_global_access = true } - master_authorized_ranges = { - mgmt = "10.0.0.0/28" - pods-cluster-1 = "10.3.0.0/16" - } - enable_autopilot = false - release_channel = "REGULAR" - workload_identity = true + release_channel = "REGULAR" labels = { mesh_id = "proj-${module.project.number}" } 
@@ -266,25 +265,22 @@ module "cluster_1_nodepool" { module "cluster_2" { source = "./fabric/modules/gke-cluster" project_id = module.project.project_id - name = "cluster-1" - location = "europe-wes1" - network = module.vpc.self_link - subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"] - secondary_range_pods = "pods" - secondary_range_services = "services" + name = "cluster-2" + location = "europe-west4" + vpc_config = { + network = module.vpc.self_link + subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"] + master_authorized_ranges = { + mgmt = "10.0.0.0/28" + pods-cluster-1 = "10.3.0.0/16" + } + } private_cluster_config = { - enable_private_nodes = true enable_private_endpoint = false master_ipv4_cidr_block = "192.168.2.0/28" master_global_access = true } - master_authorized_ranges = { - mgmt = "10.0.0.0/28" - pods-cluster-1 = "10.1.0.0/16" - } - enable_autopilot = false - release_channel = "REGULAR" - workload_identity = true + release_channel = "REGULAR" labels = { mesh_id = "proj-${module.project.number}" } diff --git a/tests/blueprints/networking/shared_vpc_gke/__init__.py b/tests/blueprints/gke/shared_vpc_gke/__init__.py similarity index 100% rename from tests/blueprints/networking/shared_vpc_gke/__init__.py rename to tests/blueprints/gke/shared_vpc_gke/__init__.py diff --git a/tests/blueprints/networking/shared_vpc_gke/fixture/main.tf b/tests/blueprints/gke/shared_vpc_gke/fixture/main.tf similarity index 90% rename from tests/blueprints/networking/shared_vpc_gke/fixture/main.tf rename to tests/blueprints/gke/shared_vpc_gke/fixture/main.tf index 6eca0175..ac4e647a 100644 --- a/tests/blueprints/networking/shared_vpc_gke/fixture/main.tf +++ b/tests/blueprints/gke/shared_vpc_gke/fixture/main.tf 
@@ -15,7 +15,7 @@
 */
 module "test" {
- source = "../../../../../blueprints/networking/shared-vpc-gke"
+ source = "../../../../../blueprints/gke/shared-vpc-gke"
 billing_account_id = var.billing_account_id
 prefix = var.prefix
 root_node = var.root_node
diff --git a/tests/blueprints/networking/shared_vpc_gke/fixture/variables.tf b/tests/blueprints/gke/shared_vpc_gke/fixture/variables.tf
similarity index 100%
rename from tests/blueprints/networking/shared_vpc_gke/fixture/variables.tf
rename to tests/blueprints/gke/shared_vpc_gke/fixture/variables.tf
diff --git a/tests/blueprints/networking/shared_vpc_gke/test_plan.py b/tests/blueprints/gke/shared_vpc_gke/test_plan.py
similarity index 100%
rename from tests/blueprints/networking/shared_vpc_gke/test_plan.py
rename to tests/blueprints/gke/shared_vpc_gke/test_plan.py
diff --git a/tests/modules/gke_cluster/fixture/main.tf b/tests/modules/gke_cluster/fixture/main.tf
index 078d470c..4ac38e16 100644
--- a/tests/modules/gke_cluster/fixture/main.tf
+++ b/tests/modules/gke_cluster/fixture/main.tf
@@ -15,14 +15,14 @@
 */
 module "test" {
- source = "../../../../modules/gke-cluster"
- project_id = "my-project"
- name = "cluster-1"
- location = "europe-west1-b"
- network = "mynetwork"
- subnetwork = "mysubnet"
- secondary_range_pods = "pods"
- secondary_range_services = "services"
- enable_autopilot = var.enable_autopilot
- addons = var.addons
+ source = "../../../../modules/gke-cluster"
+ project_id = "my-project"
+ name = "cluster-1"
+ location = "europe-west1-b"
+ vpc_config = {
+ network = "mynetwork"
+ subnetwork = "mysubnet"
+ }
+ enable_addons = var.enable_addons
+ enable_features = var.enable_features
 }
diff --git a/tests/modules/gke_cluster/fixture/variables.tf b/tests/modules/gke_cluster/fixture/variables.tf
index 104054df..1b539d20 100644
--- a/tests/modules/gke_cluster/fixture/variables.tf
+++ b/tests/modules/gke_cluster/fixture/variables.tf
@@ -14,25 +14,17 @@ * limitations under the License. */ -variable "enable_autopilot" { - default = false -} - -variable "addons" { +variable "enable_addons" { + type = any default = { - cloudrun_config = false - dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true - istio_config = { - enabled = false - tls = false - } - network_policy_config = false - gce_persistent_disk_csi_driver_config = false - gcp_filestore_csi_driver_config = false - config_connector_config = false - kalm_config = false - gke_backup_agent_config = false + } +} + +variable "enable_features" { + type = any + default = { + workload_identity = true } } diff --git a/tests/modules/gke_cluster/test_plan.py b/tests/modules/gke_cluster/test_plan.py index 947448c1..acd97bed 100644 --- a/tests/modules/gke_cluster/test_plan.py +++ b/tests/modules/gke_cluster/test_plan.py @@ -28,9 +28,8 @@ def test_standard(plan_runner): def test_autopilot(plan_runner): "Test resources created with variable defaults." - _, resources = plan_runner(enable_autopilot="true") + _, resources = plan_runner(enable_features='{ autopilot=true }') assert len(resources) == 1 - cluster_config = resources[0]['values'] assert cluster_config['name'] == "cluster-1" assert cluster_config['network'] == "mynetwork"
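Review bot: In test_autopilot the deletion rendered as `- cluster_config = resources[0]['values']` is ambiguous in this collapsed view: if the removed line is the assignment rather than the blank line before it, the following `assert cluster_config['name'] == "cluster-1"` raises NameError, so confirm that only whitespace was deleted. The docstring `"Test resources created with variable defaults."` no longer describes a test that passes `enable_features='{ autopilot=true }'`, and because that value replaces the fixture's whole `enable_features` default, `workload_identity` is unset in this run rather than true; `"Test resources created with autopilot enabled."` is accurate, and asserting the absence of `workload_identity_config` would pin the intent. The hunk is complete but the two assertions on the last lines are the end of the function.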