From 489acfdb32405b9e689f35c0453444849cdf5917 Mon Sep 17 00:00:00 2001
From: Arindam Sirohia
Date: Tue, 20 Sep 2022 00:09:59 +0530
Subject: [PATCH 1/4] Added new binary_authorization argument in gke-cluster module
---
 modules/gke-cluster/README.md | 59 ++++++++++++++++----------------
 modules/gke-cluster/main.tf | 7 ++++
 modules/gke-cluster/variables.tf | 6 ++++
 3 files changed, 43 insertions(+), 29 deletions(-)
diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster/README.md
index 20a3f2fc..a34b72b9 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
@@ -68,13 +68,13 @@ module "cluster-1" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L155) | Cluster zone or region. | string | ✓ | |
-| [name](variables.tf#L222) | Cluster name. | string | ✓ | |
-| [network](variables.tf#L227) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | string | ✓ | |
-| [project_id](variables.tf#L271) | Cluster project id. | string | ✓ | |
-| [secondary_range_pods](variables.tf#L294) | Subnet secondary range name used for pods. | string | ✓ | |
-| [secondary_range_services](variables.tf#L299) | Subnet secondary range name used for services. | string | ✓ | |
-| [subnetwork](variables.tf#L304) | VPC subnetwork name or self link. | string | ✓ | |
+| [location](variables.tf#L161) | Cluster zone or region. | string | ✓ | |
+| [name](variables.tf#L228) | Cluster name. | string | ✓ | |
+| [network](variables.tf#L233) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | string | ✓ | |
+| [project_id](variables.tf#L277) | Cluster project id. | string | ✓ | |
+| [secondary_range_pods](variables.tf#L300) | Subnet secondary range name used for pods. | string | ✓ | |
+| [secondary_range_services](variables.tf#L305) | Subnet secondary range name used for services. | string | ✓ | |
+| [subnetwork](variables.tf#L310) | VPC subnetwork name or self link. | string | ✓ | |
 | [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} |
 | [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | string | | null |
 | [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | {…} |
@@ -83,28 +83,29 @@ module "cluster-1" {
 | [description](variables.tf#L97) | Cluster description. | string | | null |
 | [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | object({…}) | | null |
 | [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | bool | | false |
-| [enable_dataplane_v2](variables.tf#L119) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | bool | | false |
-| [enable_intranode_visibility](variables.tf#L125) | Enable intra-node visibility to make same node pod to pod traffic visible. | bool | | null |
-| [enable_l4_ilb_subsetting](variables.tf#L131) | Enable L4ILB Subsetting. | bool | | null |
-| [enable_shielded_nodes](variables.tf#L137) | Enable Shielded Nodes features on all nodes in this cluster. | bool | | null |
-| [enable_tpu](variables.tf#L143) | Enable Cloud TPU resources in this cluster. | bool | | null |
-| [labels](variables.tf#L149) | Cluster resource labels. | map(string) | | null |
-| [logging_config](variables.tf#L160) | Logging configuration (enabled components). | list(string) | | null |
-| [logging_service](variables.tf#L166) | Logging service (disable with an empty string). | string | | "logging.googleapis.com/kubernetes" |
-| [maintenance_config](variables.tf#L172) | Maintenance window configuration. | object({…}) | | {…} |
-| [master_authorized_ranges](variables.tf#L198) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | map(string) | | {} |
-| [min_master_version](variables.tf#L204) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
-| [monitoring_config](variables.tf#L210) | Monitoring configuration (enabled components). | list(string) | | null |
-| [monitoring_service](variables.tf#L216) | Monitoring service (disable with an empty string). | string | | "monitoring.googleapis.com/kubernetes" |
-| [node_locations](variables.tf#L232) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [notification_config](variables.tf#L238) | GKE Cluster upgrade notifications via PubSub. | bool | | false |
-| [peering_config](variables.tf#L244) | Configure peering with the master VPC for private clusters. | object({…}) | | null |
-| [pod_security_policy](variables.tf#L254) | Enable the PodSecurityPolicy feature. | bool | | null |
-| [private_cluster_config](variables.tf#L260) | Enable and configure private cluster, private nodes must be true if used. | object({…}) | | null |
-| [release_channel](variables.tf#L276) | Release channel for GKE upgrades. | string | | null |
-| [resource_usage_export_config](variables.tf#L282) | Configure the ResourceUsageExportConfig feature. | object({…}) | | {…} |
-| [vertical_pod_autoscaling](variables.tf#L309) | Enable the Vertical Pod Autoscaling feature. | bool | | null |
-| [workload_identity](variables.tf#L315) | Enable the Workload Identity feature. | bool | | true |
+| [enable_binary_authorization](variables.tf#L119) | Enable Google Binary Authorization. | bool | | false |
+| [enable_dataplane_v2](variables.tf#L125) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | bool | | false |
+| [enable_intranode_visibility](variables.tf#L131) | Enable intra-node visibility to make same node pod to pod traffic visible. | bool | | null |
+| [enable_l4_ilb_subsetting](variables.tf#L137) | Enable L4ILB Subsetting. | bool | | null |
+| [enable_shielded_nodes](variables.tf#L143) | Enable Shielded Nodes features on all nodes in this cluster. | bool | | null |
+| [enable_tpu](variables.tf#L149) | Enable Cloud TPU resources in this cluster. | bool | | null |
+| [labels](variables.tf#L155) | Cluster resource labels. | map(string) | | null |
+| [logging_config](variables.tf#L166) | Logging configuration (enabled components). | list(string) | | null |
+| [logging_service](variables.tf#L172) | Logging service (disable with an empty string). | string | | "logging.googleapis.com/kubernetes" |
+| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | object({…}) | | {…} |
+| [master_authorized_ranges](variables.tf#L204) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | map(string) | | {} |
+| [min_master_version](variables.tf#L210) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
+| [monitoring_config](variables.tf#L216) | Monitoring configuration (enabled components). | list(string) | | null |
+| [monitoring_service](variables.tf#L222) | Monitoring service (disable with an empty string). | string | | "monitoring.googleapis.com/kubernetes" |
+| [node_locations](variables.tf#L238) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [notification_config](variables.tf#L244) | GKE Cluster upgrade notifications via PubSub. | bool | | false |
+| [peering_config](variables.tf#L250) | Configure peering with the master VPC for private clusters. | object({…}) | | null |
+| [pod_security_policy](variables.tf#L260) | Enable the PodSecurityPolicy feature. | bool | | null |
+| [private_cluster_config](variables.tf#L266) | Enable and configure private cluster, private nodes must be true if used. | object({…}) | | null |
+| [release_channel](variables.tf#L282) | Release channel for GKE upgrades. | string | | null |
+| [resource_usage_export_config](variables.tf#L288) | Configure the ResourceUsageExportConfig feature. | object({…}) | | {…} |
+| [vertical_pod_autoscaling](variables.tf#L315) | Enable the Vertical Pod Autoscaling feature. | bool | | null |
+| [workload_identity](variables.tf#L321) | Enable the Workload Identity feature. | bool | | true |
 ## Outputs
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 56f7ea75..decb55a0 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -292,6 +292,13 @@ resource "google_container_cluster" "cluster" {
 }
 }
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization == true ? [""] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 dynamic "dns_config" {
 for_each = var.dns_config != null ? [""] : []
 content {
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index 58be03c9..2c9fccbe 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -116,6 +116,12 @@ variable "enable_autopilot" {
 default = false
 }
+variable "enable_binary_authorization" {
+ description = "Enable Google Binary Authorization."
+ type = bool
+ default = false
+}
+
 variable "enable_dataplane_v2" {
 description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config."
 type = bool
From eb73e13b670b007e584adf623e60cb1f1573bd3a Mon Sep 17 00:00:00 2001
From: Arindam Sirohia
Date: Tue, 20 Sep 2022 00:35:06 +0530
Subject: [PATCH 2/4] Updated for each condition of binary authorization in gke-cluster module
---
 modules/gke-cluster/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index decb55a0..e0b31a31 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -293,7 +293,7 @@ resource "google_container_cluster" "cluster" {
 }
 dynamic "binary_authorization" {
- for_each = var.enable_binary_authorization == true ? [""] : []
+ for_each = var.enable_binary_authorization ? [""] : []
 content {
 evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
 }
From 495a5bbfffa87e1dca3eb530c31f655f380cfa5e Mon Sep 17 00:00:00 2001
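Review bot: Setting `enable_binary_authorization` back to false removes the `binary_authorization` block from the configuration instead of asking for `DISABLED`, so on an already-enforcing cluster the provider may leave enforcement untouched rather than turn it off — worth confirming against the provider, since an always-present block is unambiguous: `binary_authorization { evaluation_mode = var.enable_binary_authorization ? "PROJECT_SINGLETON_POLICY_ENFORCE" : "DISABLED" }`. Enforcement also only means whatever the project-level Binary Authorization policy says, and a project still on the default allow-all policy admits every image, so the toggle on its own does not restrict anything; a one-line comment above the block stating that the policy must be configured separately would make that scope explicit. The `for_each` rewrite in PATCH 2/4 keeps the same toggle-by-omission shape, so the same point applies there. The enclosing `google_container_cluster` resource starts and ends outside the hunk.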
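Review bot: The description `Enable Google Binary Authorization.` does not tell the caller that the flag hard-wires `PROJECT_SINGLETON_POLICY_ENFORCE`, i.e. that admission decisions follow the project's Binary Authorization policy and not any cluster-local setting; suggest `description = "Enable Google Binary Authorization (enforces the project singleton policy, which must be configured separately)."`. The README row in this same commit appears to mirror this text, so updating the variable is enough to keep both in sync.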
From: lcaggio
Date: Tue, 20 Sep 2022 10:36:12 +0200
Subject: [PATCH 3/4] Add Artifact registry Service Identity SA creation.
---
 modules/project/service-accounts.tf | 1 +
 tests/blueprints/gke/binauthz/test_plan.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index 7d584fa7..4bb73062 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -67,6 +67,7 @@ locals {
 }
 )
 service_accounts_jit_services = [
+ "artifactregistry.googleapis.com",
 "cloudasset.googleapis.com",
 "gkehub.googleapis.com",
 "pubsub.googleapis.com",
diff --git a/tests/blueprints/gke/binauthz/test_plan.py b/tests/blueprints/gke/binauthz/test_plan.py
index 6e176b1c..cf012c06 100644
--- a/tests/blueprints/gke/binauthz/test_plan.py
+++ b/tests/blueprints/gke/binauthz/test_plan.py
@@ -16,4 +16,4 @@ def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
 modules, resources = e2e_plan_runner()
 assert len(modules) == 13
- assert len(resources) == 42
+ assert len(resources) == 43
From f28dc5cb04002f04359e436d16552ae59ef2cb0a Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Tue, 20 Sep 2022 10:51:11 +0200
Subject: [PATCH 4/4] Fix tests
---
 blueprints/data-solutions/data-platform-foundations/README.md | 2 +-
 .../data_solutions/data_platform_foundations/test_plan.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md
index 76810f54..d2b88550 100644
--- a/blueprints/data-solutions/data-platform-foundations/README.md
+++ b/blueprints/data-solutions/data-platform-foundations/README.md
@@ -222,7 +222,7 @@ module "data-platform" {
 prefix = "myprefix"
 }
-# tftest modules=42 resources=314
+# tftest modules=42 resources=315
 ```
 ## Customizations
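Review bot: Nothing in the hunk records why `artifactregistry.googleapis.com` now needs a just-in-time service identity; the commit title and the binauthz test bump in the same commit suggest the gke/binauthz blueprint is the consumer, so a comment such as `# Artifact Registry service identity, needed by the gke/binauthz blueprint` on the new entry would keep that reason next to the list. Because the entry goes into the module-wide `service_accounts_jit_services` list, every consumer of modules/project that enables this API presumably gains one extra planned resource, which PATCH 4/4 already compensates for in data-platform-foundations; other blueprints' resource-count tests may need the same adjustment. The enclosing `locals` block starts outside the hunk.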
diff --git a/tests/blueprints/data_solutions/data_platform_foundations/test_plan.py b/tests/blueprints/data_solutions/data_platform_foundations/test_plan.py
index e5db6ffc..0e4b77f5 100644
--- a/tests/blueprints/data_solutions/data_platform_foundations/test_plan.py
+++ b/tests/blueprints/data_solutions/data_platform_foundations/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
 modules, resources = e2e_plan_runner(FIXTURES_DIR)
 assert len(modules) == 41
- assert len(resources) == 313
+ assert len(resources) == 314