From 46e83d3b5968c8cea1825145da241dc6587f8032 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Mon, 28 Jun 2021 00:54:14 +0200
Subject: [PATCH 1/2] Autopilot support
---
 modules/gke-cluster/README.md | 3 ++-
 modules/gke-cluster/main.tf | 18 +++++++++++-------
 modules/gke-cluster/variables.tf | 17 +++++++++++------
 3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster/README.md
index 1cd25413..82861310 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
@@ -75,12 +75,13 @@ module "cluster-1" {
 | secondary_range_pods | Subnet secondary range name used for pods. | string | ✓ | |
 | secondary_range_services | Subnet secondary range name used for services. | string | ✓ | |
 | subnetwork | VPC subnetwork name or self link. | string | ✓ | |
-| *addons* | Addons enabled in the cluster (true means enabled). | object({...}) | | ... |
+| *addons* | Addons enabled in the cluster (true means enabled). | object({...}) | | ... |
 | *authenticator_security_group* | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | string | | null |
 | *cluster_autoscaling* | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({...}) | | ... |
 | *database_encryption* | Enable and configure GKE application-layer secrets encryption. | object({...}) | | ... |
 | *default_max_pods_per_node* | Maximum number of pods per node in this cluster. | number | | 110 |
 | *description* | Cluster description. | string | | null |
+| *enable_autopilot* | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node) | bool | | false |
 | *enable_binary_authorization* | Enable Google Binary Authorization. | bool | | null |
 | *enable_dataplane_v2* | Enable Dataplane V2 on the cluster, will disable network_policy addons config | bool | | false |
 | *enable_intranode_visibility* | Enable intra-node visibility to make same node pod to pod traffic visible. | bool | | null |
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 37988790..90259fad 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -42,15 +42,16 @@ resource "google_container_cluster" "cluster" {
 logging_service = var.logging_service
 monitoring_service = var.monitoring_service
 resource_labels = var.labels
- default_max_pods_per_node = var.default_max_pods_per_node
+ default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
 enable_binary_authorization = var.enable_binary_authorization
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_shielded_nodes = var.enable_shielded_nodes
 enable_tpu = var.enable_tpu
 initial_node_count = 1
- remove_default_node_pool = true
+ remove_default_node_pool = var.enable_autopilot ? null : true
 datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
-
+ enable_autopilot = var.enable_autopilot == true ? true : null
+
 # node_config {}
 # NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
 # Specify that node_config as an parameter to gke-nodepool module instead.
@@ -66,8 +67,11 @@ resource "google_container_cluster" "cluster" {
 horizontal_pod_autoscaling {
 disabled = !var.addons.horizontal_pod_autoscaling
 }
- network_policy_config {
- disabled = !var.addons.network_policy_config
+ dynamic "network_policy_config" {
+ for_each = !var.enable_autopilot ? [""] : []
+ content {
+ disabled = !var.addons.network_policy_config
+ }
 }
 cloudrun_config {
 disabled = !var.addons.cloudrun_config
@@ -125,7 +129,7 @@ resource "google_container_cluster" "cluster" {
 dynamic "network_policy" {
 for_each = var.addons.network_policy_config ? [""] : []
 content {
- enabled = var.enable_dataplane_v2 ? false : true
+ enabled = var.enable_dataplane_v2 ? false : true
 provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
 }
 }
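Review bot: `enable_autopilot = var.enable_autopilot == true ? true : null` compares a bool with `true`; `var.enable_autopilot ? true : null` says the same thing and matches the form already used two lines up on `remove_default_node_pool`. The `null` branches on that line and on `default_max_pods_per_node` deserve a why-comment, because a reader can easily take them for "disabled": `# null keeps the provider default: Autopilot manages its own node pools, so the default pool is not removed and max-pods is not configurable`. Flipping `enable_autopilot` on an existing cluster presumably forces the cluster to be replaced, which is destructive — that is not visible in the hunk, so confirm against the provider schema and, if so, record it in the same comment. The `google_container_cluster` resource continues outside the hunk.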
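Review bot: The `network_policy_config` addon block is now skipped when `var.enable_autopilot` is set, but the sibling `dynamic "network_policy"` block further down the resource (visible in the next hunk) is still gated only on `var.addons.network_policy_config`, so `enable_autopilot = true` together with `addons.network_policy_config = true` still submits `network_policy { enabled = true, provider = "CALICO" }` for a cluster whose addon config omits it. My expectation is that the API rejects that combination on Autopilot, or that the two settings conflict on every plan — confirm against the provider, but either way gate both blocks on the same condition: `for_each = var.addons.network_policy_config && !var.enable_autopilot ? [""] : []`. A one-line why-comment on the new `for_each` would also help the next reader, e.g. `# Autopilot manages network policy enforcement itself, so the addon block is omitted there (confirm)`. The enclosing `addons_config` block starts and ends outside the hunk.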
@@ -217,7 +221,7 @@ resource "google_container_cluster" "cluster" {
 }
 dynamic "workload_identity_config" {
- for_each = var.workload_identity ? [""] : []
+ for_each = var.workload_identity && !var.enable_autopilot ? [""] : []
 content {
 identity_namespace = "${var.project_id}.svc.id.goog"
 }
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index 8999946f..83e383cb 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -25,9 +25,7 @@ variable "addons" {
 enabled = bool
 tls = bool
 })
-
- network_policy_config = bool
-
+ network_policy_config = bool
 gce_persistent_disk_csi_driver_config = bool
 })
 default = {
@@ -39,15 +37,15 @@ variable "addons" {
 enabled = false
 tls = false
 }
- network_policy_config = false
+ network_policy_config = false
 gce_persistent_disk_csi_driver_config = false
 }
 }
 variable "enable_dataplane_v2" {
 description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config"
- type = bool
- default = false
+ type = bool
+ default = false
 }
 variable "authenticator_security_group" {
@@ -257,3 +255,10 @@ variable "workload_identity" {
 type = bool
 default = true
 }
+
+variable "enable_autopilot" {
+ description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)"
+ type = bool
+ default = false
+}
+
From 1cf565c63bd71dfa45730246fa79ebe567ae4a67 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Mon, 28 Jun 2021 08:46:10 +0200
Subject: [PATCH 2/2] Update CHANGELOG.md
---
 CHANGELOG.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76be0561..f488cfa2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
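Review bot: With `enable_autopilot = true` the new `for_each` drops the `workload_identity_config` block regardless of `var.workload_identity`, and nothing tells the reader whether Workload Identity ends up on or off for that cluster — which matters, because it is the mechanism that keeps pods off the node service account. My understanding is that Autopilot clusters come with Workload Identity enabled and do not accept this block, which would be why it is omitted; confirm that, then record it on the `for_each` line, e.g. `# Autopilot enables Workload Identity itself and rejects this block (verify); the variable is only honoured on standard clusters`. If that is right, `workload_identity = false` is silently ignored on Autopilot clusters, and the variable description in variables.tf should say so. The `google_container_cluster` resource starts outside the hunk.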
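Review bot: The description of `enable_autopilot` names only `default_max_pods_per_node` as unsupported, but main.tf in this same patch also ignores `workload_identity` and `addons.network_policy_config` when the flag is set, and a caller reading the variable has no way to know that. Extend the description to list every input the flag overrides, e.g. `Create cluster in autopilot mode. Node pools are managed by GKE; default_max_pods_per_node, workload_identity and addons.network_policy_config are ignored on Autopilot clusters.`. Changing the flag on an existing cluster presumably forces replacement — not visible here, so confirm against the provider docs — and if so that belongs in the description as well, since it is the kind of surprise that destroys a production cluster on apply.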
@@ -3,14 +3,15 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
-- Create `pubsub` service identity if service is enabled
+- create `pubsub` service identity if service is enabled
+- support for creation of GKE Autopilot clusters
 ## [5.0.0] - 2021-06-17
-- Fix `message_retention_duration` variable type in `pubsub` module
-- Move `bq` robot service account into the robot service account project output
-- Add IAM cryptDecrypt role to robot service account on specified keys
-- Add Service Identity creation on `project` module if secretmanager enabled
+- fix `message_retention_duration` variable type in `pubsub` module
+- move `bq` robot service account into the robot service account project output
+- add IAM cryptDecrypt role to robot service account on specified keys
+- add Service Identity creation on `project` module if secretmanager enabled
 - add Data Foundation end to end example
 ## [4.9.0] - 2021-06-04