diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1be2a8cb..e523456d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,15 +3,16 @@
All notable changes to this project will be documented in this file.
## [Unreleased]
-- Create `pubsub` service identity if service is enabled
+- create `pubsub` service identity if service is enabled
+- support for creation of GKE Autopilot clusters
- Add support for CMEK keys in Data Foundation end to end example
## [5.0.0] - 2021-06-17
-- Fix `message_retention_duration` variable type in `pubsub` module
-- Move `bq` robot service account into the robot service account project output
-- Add IAM cryptDecrypt role to robot service account on specified keys
-- Add Service Identity creation on `project` module if secretmanager enabled
+- fix `message_retention_duration` variable type in `pubsub` module
+- move `bq` robot service account into the robot service account project output
+- add IAM cryptDecrypt role to robot service account on specified keys
+- add Service Identity creation on `project` module if secretmanager enabled
- add Data Foundation end to end example
## [4.9.0] - 2021-06-04
diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster/README.md
index 1cd25413..82861310 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
@@ -75,12 +75,13 @@ module "cluster-1" {
| secondary_range_pods | Subnet secondary range name used for pods. | string
| ✓ | |
| secondary_range_services | Subnet secondary range name used for services. | string
| ✓ | |
| subnetwork | VPC subnetwork name or self link. | string
| ✓ | |
-| *addons* | Addons enabled in the cluster (true means enabled). | object({...})
| | ...
|
+| *addons* | Addons enabled in the cluster (true means enabled). | object({...})
| | ...
|
| *authenticator_security_group* | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | string
| | null
|
| *cluster_autoscaling* | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({...})
| | ...
|
| *database_encryption* | Enable and configure GKE application-layer secrets encryption. | object({...})
| | ...
|
| *default_max_pods_per_node* | Maximum number of pods per node in this cluster. | number
| | 110
|
| *description* | Cluster description. | string
| | null
|
+| *enable_autopilot* | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node) | bool
| | false
|
| *enable_binary_authorization* | Enable Google Binary Authorization. | bool
| | null
|
| *enable_dataplane_v2* | Enable Dataplane V2 on the cluster, will disable network_policy addons config | bool
| | false
|
| *enable_intranode_visibility* | Enable intra-node visibility to make same node pod to pod traffic visible. | bool
| | null
|
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 37988790..90259fad 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -42,15 +42,16 @@ resource "google_container_cluster" "cluster" {
logging_service = var.logging_service
monitoring_service = var.monitoring_service
resource_labels = var.labels
- default_max_pods_per_node = var.default_max_pods_per_node
+ default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
enable_binary_authorization = var.enable_binary_authorization
enable_intranode_visibility = var.enable_intranode_visibility
enable_shielded_nodes = var.enable_shielded_nodes
enable_tpu = var.enable_tpu
initial_node_count = 1
- remove_default_node_pool = true
+ remove_default_node_pool = var.enable_autopilot ? null : true
datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
-
+ enable_autopilot = var.enable_autopilot == true ? true : null
+
# node_config {}
# NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
# Specify that node_config as an parameter to gke-nodepool module instead.
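Review bot: The new `enable_autopilot = var.enable_autopilot == true ? true : null` compares a `bool` against `true`, which is redundant given the variable is typed `bool` in variables.tf; `enable_autopilot = var.enable_autopilot ? true : null` reads the same as the other two autopilot conditionals added in this hunk. The `initial_node_count = 1` line directly above it is still sent unconditionally even though the default pool is no longer removed in autopilot mode, so it is worth confirming the provider accepts that combination, and a short `# Autopilot manages node pools; skip the default-pool knobs` comment above the two new ternaries would explain why they null out. The enclosing `google_container_cluster` resource starts before this hunk.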
@@ -66,8 +67,11 @@ resource "google_container_cluster" "cluster" {
horizontal_pod_autoscaling {
disabled = !var.addons.horizontal_pod_autoscaling
}
- network_policy_config {
- disabled = !var.addons.network_policy_config
+ dynamic "network_policy_config" {
+ for_each = !var.enable_autopilot ? [""] : []
+ content {
+ disabled = !var.addons.network_policy_config
+ }
}
cloudrun_config {
disabled = !var.addons.cloudrun_config
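Review bot: The addon block `network_policy_config` is now skipped when `enable_autopilot` is set, but the cluster-level `network_policy` block (the `for_each = var.addons.network_policy_config ? [""] : []` line in the next hunk) is still emitted from `var.addons.network_policy_config` alone, so an autopilot cluster with that addon flag set would get a Calico `network_policy` block while its addons section omits it. Making the two conditions agree, `for_each = var.addons.network_policy_config && !var.enable_autopilot ? [""] : []`, keeps the addon and the policy toggle consistent as this hunk intends. A one-line comment on the new `dynamic` block, `# Autopilot manages network policy; omit the addon toggle there`, would document the reason for the `for_each`. The enclosing `addons_config` block starts before this hunk.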
@@ -125,7 +129,7 @@ resource "google_container_cluster" "cluster" {
dynamic "network_policy" {
for_each = var.addons.network_policy_config ? [""] : []
content {
- enabled = var.enable_dataplane_v2 ? false : true
+ enabled = var.enable_dataplane_v2 ? false : true
provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
}
}
@@ -217,7 +221,7 @@ resource "google_container_cluster" "cluster" {
}
dynamic "workload_identity_config" {
- for_each = var.workload_identity ? [""] : []
+ for_each = var.workload_identity && !var.enable_autopilot ? [""] : []
content {
identity_namespace = "${var.project_id}.svc.id.goog"
}
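Review bot: With `for_each = var.workload_identity && !var.enable_autopilot ? [""] : []` the `workload_identity` input (default `true` per the variables.tf hunk below) is silently ignored for autopilot clusters, and nothing in the diff tells the caller that. Presumably this is because Autopilot clusters come with Workload Identity enabled by GKE and the block is not needed there, but that should be stated rather than inferred: add `# Autopilot clusters have Workload Identity managed by GKE; the block is only emitted for standard clusters` above the `dynamic` block, and mention the same in the `workload_identity` variable description. The enclosing resource starts before this hunk.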
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index 8999946f..83e383cb 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -25,9 +25,7 @@ variable "addons" {
enabled = bool
tls = bool
})
-
- network_policy_config = bool
-
+ network_policy_config = bool
gce_persistent_disk_csi_driver_config = bool
})
default = {
@@ -39,15 +37,15 @@ variable "addons" {
enabled = false
tls = false
}
- network_policy_config = false
+ network_policy_config = false
gce_persistent_disk_csi_driver_config = false
}
}
variable "enable_dataplane_v2" {
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config"
- type = bool
- default = false
+ type = bool
+ default = false
}
variable "authenticator_security_group" {
@@ -257,3 +255,10 @@ variable "workload_identity" {
type = bool
default = true
}
+
+variable "enable_autopilot" {
+ description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)"
+ type = bool
+ default = false
+}
+
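Review bot: The description of the new `enable_autopilot` variable names only `default_max_pods_per_node` as an unsupported feature, while the main.tf hunks also drop `remove_default_node_pool`, the `network_policy_config` addon and the `workload_identity_config` block when it is set; a caller reading only the variable has no way to know those inputs become no-ops. Extending the text to `"Create cluster in autopilot mode. With autopilot there's no need to create node-pools; default_max_pods_per_node, addons.network_policy_config and workload_identity are ignored as GKE manages them."` (and the matching README row) makes the behaviour change explicit. The same description string appears in the README hunk above and should be kept in sync.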