From e881537f87c0a58906f6291a3ea63eb8dd494d23 Mon Sep 17 00:00:00 2001 
From: Avinash Jha <39315791+avinashkumar1289@users.noreply.github.com> Date: Fri, 21 Apr 2023 17:38:13 +0530 Subject: [PATCH] Separating GKE Standard and Autopilot Modules (#1330) * separating GKE Standard and Autopilot Modules * Changes for Updating the terraform and provide versions * Changes for Autopilot Readme * Changes for Autopilot Variable * Changes for Autopilot Readme * Changes for Autopilot Readme * Changes for Blueprint * Changes for Blueprint ReadMe * Changes for gke-standard-cluster dependency * Changes for gke-standard-cluster in gke-fleet * Changes for gke-standard-cluster in cluster-mesh-gke-fleet-api * python formatting * python formatting * python formatting * GKE module naming convention * Readme Changes * test module * Removing comment code from Autopilot --- FABRIC-AND-CFT.md | 2 +- README.md | 2 +- blueprints/apigee/hybrid-gke/gke.tf | 2 +- .../network-dashboard/src/main.py | 5 +- blueprints/gke/autopilot/cluster.tf | 26 +- blueprints/gke/binauthz/main.tf | 2 +- .../README.md | 3 +- .../multi-cluster-mesh-gke-fleet-api/gke.tf | 2 +- blueprints/gke/multitenant-fleet/README.md | 2 +- .../gke/multitenant-fleet/gke-clusters.tf | 2 +- .../networking/hub-and-spoke-peering/main.tf | 2 +- blueprints/networking/shared-vpc-gke/main.tf | 2 +- modules/README.md | 3 +- modules/gke-cluster-autopilot/README.md | 132 ++++++++ modules/gke-cluster-autopilot/main.tf | 306 ++++++++++++++++++ .../outputs.tf | 0 modules/gke-cluster-autopilot/variables.tf | 207 ++++++++++++ .../versions.tf | 1 + .../README.md | 70 ++-- .../main.tf | 97 +++--- modules/gke-cluster-standard/outputs.tf | 71 ++++ .../variables.tf | 1 - modules/gke-cluster-standard/versions.tf | 31 ++ modules/gke-hub/README.md | 6 +- .../examples/backup.yaml | 38 +++ .../gke_cluster_autopilot/examples/basic.yaml | 28 ++ .../examples/dns.yaml | 0 .../examples/backup.yaml | 0 .../examples/basic.yaml | 0 .../examples/dataplane-v2.yaml | 0 .../examples/dns.yaml} | 7 +- 31 files changed, 908 insertions(+), 
142 deletions(-) create mode 100644 modules/gke-cluster-autopilot/README.md create mode 100644 modules/gke-cluster-autopilot/main.tf rename modules/{gke-cluster => gke-cluster-autopilot}/outputs.tf (100%) create mode 100644 modules/gke-cluster-autopilot/variables.tf rename modules/{gke-cluster => gke-cluster-autopilot}/versions.tf (99%) rename modules/{gke-cluster => gke-cluster-standard}/README.md (71%) rename modules/{gke-cluster => gke-cluster-standard}/main.tf (83%) create mode 100644 modules/gke-cluster-standard/outputs.tf rename modules/{gke-cluster => gke-cluster-standard}/variables.tf (99%) create mode 100644 modules/gke-cluster-standard/versions.tf create mode 100644 tests/modules/gke_cluster_autopilot/examples/backup.yaml create mode 100644 tests/modules/gke_cluster_autopilot/examples/basic.yaml rename tests/modules/{gke_cluster => gke_cluster_autopilot}/examples/dns.yaml (100%) rename tests/modules/{gke_cluster => gke_cluster_standard}/examples/backup.yaml (100%) rename tests/modules/{gke_cluster => gke_cluster_standard}/examples/basic.yaml (100%) rename tests/modules/{gke_cluster => gke_cluster_standard}/examples/dataplane-v2.yaml (100%) rename tests/modules/{gke_cluster/examples/autopilot.yaml => gke_cluster_standard/examples/dns.yaml} (78%) diff --git a/FABRIC-AND-CFT.md b/FABRIC-AND-CFT.md index 7d4f1678..9d716a47 100644 --- a/FABRIC-AND-CFT.md +++ b/FABRIC-AND-CFT.md 
@@ -161,4 +161,4 @@ Even with all the above points, it may be hard to make a decision. While the mod * Since modules work well together within their ecosystem, select logical boundaries for using Fabric or CFT. For example use CFT for deploying resources within projects but use Fabric for managing project creation and IAM. * Use strengths of each collection of modules to your advantage. Empower application teams to define their infrastructure as code using off the shelf CFT modules. Using Fabric, bootstrap your platform team with a collection of tailor built modules for your organization. -* Lean into module composition and dependency inversion that both Fabric and CFT modules follow. For example, you can create a GKE cluster using either [Fabric](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/modules/gke-cluster#gke-cluster-module) or [CFT](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine) GKE module and then use either [Fabric](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/modules/gke-hub#variables) or [CFT](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/fleet-membership) for setting up GKE Hub by passing in outputs from the GKE module. +* Lean into module composition and dependency inversion that both Fabric and CFT modules follow. 
For example, you can create a GKE cluster using either [Fabric](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/modules/gke-cluster-standard#gke-cluster-module) or [CFT](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine) GKE module and then use either [Fabric](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/modules/gke-hub#variables) or [CFT](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/fleet-membership) for setting up GKE Hub by passing in outputs from the GKE module. diff --git a/README.md b/README.md index 1a26ecd4..c8961e82 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ Currently available modules: - **foundational** - [billing budget](./modules/billing-budget), [Cloud Identity group](./modules/cloud-identity-group/), [folder](./modules/folder), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [organization](./modules/organization), [project](./modules/project), [projects-data-source](./modules/projects-data-source) - **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [Global Load Balancer (classic)](./modules/net-glb/), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC firewall policy](./modules/net-vpc-firewall-policy), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory) -- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool) +- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool) - **data** - [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), 
[Pub/Sub](./modules/pubsub) - **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository) - **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc) diff --git a/blueprints/apigee/hybrid-gke/gke.tf b/blueprints/apigee/hybrid-gke/gke.tf index 22cf06fa..6ae38433 100644 --- a/blueprints/apigee/hybrid-gke/gke.tf +++ b/blueprints/apigee/hybrid-gke/gke.tf @@ -15,7 +15,7 @@ */ module "cluster" { - source = "../../../modules/gke-cluster" + source = "../../../modules/gke-cluster-standard" project_id = module.project.project_id name = "cluster" location = var.region diff --git a/blueprints/cloud-operations/network-dashboard/src/main.py b/blueprints/cloud-operations/network-dashboard/src/main.py index ec5e5c6e..3d0568b6 100755 --- a/blueprints/cloud-operations/network-dashboard/src/main.py +++ b/blueprints/cloud-operations/network-dashboard/src/main.py @@ -80,8 +80,9 @@ def do_discovery(resources): resources[result.type][result.id][result.key] = result.data else: resources[result.type][result.id] = result.data - LOGGER.info('discovery end {}'.format( - {k: len(v) for k, v in resources.items() if not isinstance(v, str)})) + LOGGER.info('discovery end {}'.format({ + k: len(v) for k, v in resources.items() if not isinstance(v, str) + })) def do_init(resources, discovery_root, monitoring_project, folders=None, diff --git a/blueprints/gke/autopilot/cluster.tf b/blueprints/gke/autopilot/cluster.tf index 2ded1f63..ed6fa661 100644 --- a/blueprints/gke/autopilot/cluster.tf +++ b/blueprints/gke/autopilot/cluster.tf 
@@ -15,7 +15,7 @@
 */
 
 module "cluster" {
- source = "../../../modules/gke-cluster"
+ source = "../../../modules/gke-cluster-autopilot"
 project_id = module.project.project_id
 name = "cluster"
 location = var.region
@@ -29,18 +29,18 @@ module "cluster" {
 master_authorized_ranges = var.cluster_network_config.master_authorized_cidr_blocks
 master_ipv4_cidr_block = var.cluster_network_config.master_cidr_block
 }
- enable_features = {
- autopilot = true
- }
- monitoring_config = {
- enenable_components = ["SYSTEM_COMPONENTS"]
- managed_prometheus = true
- }
- cluster_autoscaling = {
- auto_provisioning_defaults = {
- service_account = module.node_sa.email
- }
- }
+ # enable_features = {
+ # autopilot = true
+ # }
+ # monitoring_config = {
+ # enenable_components = ["SYSTEM_COMPONENTS"]
+ # managed_prometheus = true
+ # }
+ # cluster_autoscaling = {
+ # auto_provisioning_defaults = {
+ # service_account = module.node_sa.email
+ # }
+ # }
 release_channel = "RAPID"
 depends_on = [
 module.project
diff --git a/blueprints/gke/binauthz/main.tf b/blueprints/gke/binauthz/main.tf
index 2592266d..3aa8eea6 100644
--- a/blueprints/gke/binauthz/main.tf
+++ b/blueprints/gke/binauthz/main.tf
@@ -83,7 +83,7 @@ module "nat" {
 }
 
 module "cluster" {
- source = "../../../modules/gke-cluster"
+ source = "../../../modules/gke-cluster-standard"
 project_id = module.project.project_id
 name = "${var.prefix}-cluster"
 location = var.zone
diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
index f381327a..8237f92c 100644
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
+++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
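Review bot: The dedicated node service account is lost in the second hunk of blueprints/gke/autopilot/cluster.tf: `cluster_autoscaling.auto_provisioning_defaults.service_account = module.node_sa.email` is only commented out and nothing replaces it, so the Autopilot nodes will presumably run as the project's default Compute Engine service account even though `module.node_sa` is still created for exactly this purpose. The new gke-cluster-autopilot module accepts that identity as a top-level input and feeds it into `auto_provisioning_defaults`, so replace the whole commented block with `service_account = module.node_sa.email`. The commented-out `monitoring_config` (with its `enenable_components` typo) is dead text and should be deleted rather than kept; if managed Prometheus is still wanted, the autopilot module needs a variable for it, which this patch does not add. The `module "cluster"` block starts above this hunk.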
@@ -53,7 +53,7 @@ Once done testing, you can clean up resources by running `terraform destroy`. | name | description | modules | resources | |---|---|---|---| | [ansible.tf](./ansible.tf) | Ansible generated files. | | local_file | -| [gke.tf](./gke.tf) | GKE cluster and hub resources. | gke-cluster · gke-hub · gke-nodepool | | +| [gke.tf](./gke.tf) | GKE cluster and hub resources. | gke-cluster-standard · gke-hub · gke-nodepool | | | [main.tf](./main.tf) | Project resources. | project | | | [variables.tf](./variables.tf) | Module variables. | | | | [vm.tf](./vm.tf) | Management server. | compute-vm | | @@ -75,7 +75,6 @@ Once done testing, you can clean up resources by running `terraform destroy`. | [region](variables.tf#L99) | Region. | string | | "europe-west1" | - ## Test ```hcl diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf index 6c769d92..d17ae312 100644 --- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf @@ -18,7 +18,7 @@ module "clusters" { for_each = var.clusters_config - source = "../../../modules/gke-cluster" + source = "../../../modules/gke-cluster-standard" project_id = module.fleet_project.project_id name = each.key location = var.region diff --git a/blueprints/gke/multitenant-fleet/README.md b/blueprints/gke/multitenant-fleet/README.md index cadcf410..c263317b 100644 --- a/blueprints/gke/multitenant-fleet/README.md +++ b/blueprints/gke/multitenant-fleet/README.md 
@@ -234,7 +234,7 @@ module "gke" { | name | description | modules | |---|---|---| -| [gke-clusters.tf](./gke-clusters.tf) | GKE clusters. | gke-cluster | +| [gke-clusters.tf](./gke-clusters.tf) | GKE clusters. | gke-cluster-standard | | [gke-hub.tf](./gke-hub.tf) | GKE hub configuration. | gke-hub | | [gke-nodepools.tf](./gke-nodepools.tf) | GKE nodepools. | gke-nodepool | | [main.tf](./main.tf) | Project and usage dataset. | bigquery-dataset · project | diff --git a/blueprints/gke/multitenant-fleet/gke-clusters.tf b/blueprints/gke/multitenant-fleet/gke-clusters.tf index 9ef2133c..a487f367 100644 --- a/blueprints/gke/multitenant-fleet/gke-clusters.tf +++ b/blueprints/gke/multitenant-fleet/gke-clusters.tf @@ -17,7 +17,7 @@ # tfdoc:file:description GKE clusters. module "gke-cluster" { - source = "../../../modules/gke-cluster" + source = "../../../modules/gke-cluster-standard" for_each = var.clusters name = each.key project_id = module.gke-project-0.project_id diff --git a/blueprints/networking/hub-and-spoke-peering/main.tf b/blueprints/networking/hub-and-spoke-peering/main.tf index 99985894..004a9cf4 100644 --- a/blueprints/networking/hub-and-spoke-peering/main.tf +++ b/blueprints/networking/hub-and-spoke-peering/main.tf @@ -240,7 +240,7 @@ module "service-account-gce" { ################################################################################ module "cluster-1" { - source = "../../../modules/gke-cluster" + source = "../../../modules/gke-cluster-standard" name = "${var.prefix}-cluster-1" project_id = module.project.project_id location = "${var.region}-b" diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf index 97bf45d2..3d7577b4 100644 --- a/blueprints/networking/shared-vpc-gke/main.tf +++ b/blueprints/networking/shared-vpc-gke/main.tf 
@@ -197,7 +197,7 @@ module "vm-bastion" { ################################################################################ module "cluster-1" { - source = "../../../modules/gke-cluster" + source = "../../../modules/gke-cluster-standard" count = var.cluster_create ? 1 : 0 name = "cluster-1" project_id = module.project-svc-gke.project_id diff --git a/modules/README.md b/modules/README.md index 84bc4bee..667e73dd 100644 --- a/modules/README.md +++ b/modules/README.md @@ -63,7 +63,8 @@ These modules are used in the examples included in this repository. If you are u - [VM/VM group](./compute-vm) - [MIG](./compute-mig) - [COS container](./cloud-config-container/cos-generic-metadata/) (coredns/mysql/nva/onprem/squid) -- [GKE cluster](./gke-cluster) +- [GKE autopilot cluster](./gke-cluster-autopilot) +- [GKE standard cluster](./gke-cluster-standard) - [GKE hub](./gke-hub) - [GKE nodepool](./gke-nodepool) diff --git a/modules/gke-cluster-autopilot/README.md b/modules/gke-cluster-autopilot/README.md new file mode 100644 index 00000000..be9a4021 --- /dev/null +++ b/modules/gke-cluster-autopilot/README.md 
@@ -0,0 +1,132 @@ +# GKE cluster Autopilot module + +This module allows simplified creation and management of GKE Autopilot clusters. Some sensible defaults are set initially, in order to allow less verbose usage for most use cases. + +## Example + +### GKE Cluster + +```hcl +module "cluster-1" { + source = "./fabric/modules/gke-cluster-autopilot" + project_id = "myproject" + name = "cluster-1" + location = "europe-west1" + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + secondary_range_names = { + pods = "pods" + services = "services" + } + master_authorized_ranges = { + internal-vms = "10.0.0.0/8" + } + master_ipv4_cidr_block = "192.168.0.0/28" + } + private_cluster_config = { + enable_private_endpoint = true + master_global_access = false + } + labels = { + environment = "dev" + } +} +# tftest modules=1 resources=1 inventory=basic.yaml +``` + + +### Cloud DNS + +This example shows how to [use Cloud DNS as a Kubernetes DNS provider](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns) for GKE Standard clusters. + +```hcl +module "cluster-1" { + source = "./fabric/modules/gke-cluster-autopilot" + project_id = var.project_id + name = "cluster-1" + location = "europe-west1" + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + secondary_range_names = { pods = "pods", services = "services" } + } + enable_features = { + dns = { + provider = "CLOUD_DNS" + scope = "CLUSTER_SCOPE" + domain = "gke.local" + } + } +} +# tftest modules=1 resources=1 inventory=dns.yaml +``` + + +### Backup for GKE + +This example shows how to [enable the Backup for GKE agent and configure a Backup Plan](https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/concepts/backup-for-gke) for GKE Standard clusters. 
+ +```hcl +module "cluster-1" { + source = "./fabric/modules/gke-cluster-autopilot" + project_id = var.project_id + name = "cluster-1" + location = "europe-west1" + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + secondary_range_names = { pods = "pods", services = "services" } + } + backup_configs = { + enable_backup_agent = true + backup_plans = { + "backup-1" = { + region = "europe-west-2" + schedule = "0 9 * * 1" + } + } + } +} +# tftest modules=1 resources=2 inventory=backup.yaml +``` + + +## Variables + +| name | description | type | required | default | +|---|---|:---:|:---:|:---:| +| [location](variables.tf#L106) | Autopilot cluster are always regional. | string | ✓ | | +| [name](variables.tf#L141) | Cluster name. | string | ✓ | | +| [project_id](variables.tf#L167) | Cluster project id. | string | ✓ | | +| [vpc_config](variables.tf#L190) | VPC-level configuration. | object({…}) | ✓ | | +| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | object({…}) | | {} | +| [description](variables.tf#L33) | Cluster description. | string | | null | +| [enable_addons](variables.tf#L39) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} | +| [enable_features](variables.tf#L60) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {…} | +| [issue_client_certificate](variables.tf#L94) | Enable issuing client certificate. | bool | | false | +| [labels](variables.tf#L100) | Cluster resource labels. | map(string) | | null | +| [maintenance_config](variables.tf#L112) | Maintenance window configuration. | object({…}) | | {…} | +| [min_master_version](variables.tf#L135) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null | +| [node_locations](variables.tf#L146) | Zones in which the cluster's nodes are located. 
| list(string) | | [] | +| [private_cluster_config](variables.tf#L153) | Private cluster configuration. | object({…}) | | null | +| [release_channel](variables.tf#L172) | Release channel for GKE upgrades. | string | | null | +| [service_account](variables.tf#L178) | The Google Cloud Platform Service Account to be used by the node VMs created by GKE Autopilot. | string | | null | +| [tags](variables.tf#L184) | Network tags applied to nodes. | list(string) | | null | + +## Outputs + +| name | description | sensitive | +|---|---|:---:| +| [ca_certificate](outputs.tf#L17) | Public certificate of the cluster (base64-encoded). | ✓ | +| [cluster](outputs.tf#L23) | Cluster resource. | ✓ | +| [endpoint](outputs.tf#L29) | Cluster endpoint. | | +| [id](outputs.tf#L34) | Cluster ID. | | +| [location](outputs.tf#L39) | Cluster location. | | +| [master_version](outputs.tf#L44) | Master version. | | +| [name](outputs.tf#L49) | Cluster name. | | +| [notifications](outputs.tf#L54) | GKE PubSub notifications topic. | | +| [self_link](outputs.tf#L59) | Cluster self link. | ✓ | +| [workload_identity_pool](outputs.tf#L65) | Workload identity pool. | | + + diff --git a/modules/gke-cluster-autopilot/main.tf b/modules/gke-cluster-autopilot/main.tf new file mode 100644 index 00000000..bd071a17 --- /dev/null +++ b/modules/gke-cluster-autopilot/main.tf 
@@ -0,0 +1,306 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "google_container_cluster" "cluster" { + provider = google-beta + project = var.project_id + name = var.name + description = var.description + location = var.location + node_locations = ( + length(var.node_locations) == 0 ? null : var.node_locations + ) + min_master_version = var.min_master_version + network = var.vpc_config.network + subnetwork = var.vpc_config.subnetwork + resource_labels = var.labels + enable_l4_ilb_subsetting = var.enable_features.l4_ilb_subsetting + enable_tpu = var.enable_features.tpu + initial_node_count = 1 + + enable_autopilot = true + + addons_config { + http_load_balancing { + disabled = !var.enable_addons.http_load_balancing + } + horizontal_pod_autoscaling { + disabled = !var.enable_addons.horizontal_pod_autoscaling + } + cloudrun_config { + disabled = !var.enable_addons.cloudrun + } + + kalm_config { + enabled = var.enable_addons.kalm + } + config_connector_config { + enabled = var.enable_addons.config_connector + } + gke_backup_agent_config { + enabled = var.backup_configs.enable_backup_agent + } + } + + dynamic "authenticator_groups_config" { + for_each = var.enable_features.groups_for_rbac != null ? [""] : [] + content { + security_group = var.enable_features.groups_for_rbac + } + } + + dynamic "binary_authorization" { + for_each = var.enable_features.binary_authorization ? 
[""] : [] + content { + evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" + } + } + + cluster_autoscaling { + dynamic "auto_provisioning_defaults" { + for_each = var.service_account != null ? [""] : [] + content { + service_account = var.service_account + } + } + } + + dynamic "database_encryption" { + for_each = var.enable_features.database_encryption != null ? [""] : [] + content { + state = var.enable_features.database_encryption.state + key_name = var.enable_features.database_encryption.key_name + } + } + + dynamic "dns_config" { + for_each = var.enable_features.dns != null ? [""] : [] + content { + cluster_dns = var.enable_features.dns.provider + cluster_dns_scope = var.enable_features.dns.scope + cluster_dns_domain = var.enable_features.dns.domain + } + } + + dynamic "ip_allocation_policy" { + for_each = var.vpc_config.secondary_range_blocks != null ? [""] : [] + content { + cluster_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.pods + services_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.services + } + } + + dynamic "ip_allocation_policy" { + for_each = var.vpc_config.secondary_range_names != null ? [""] : [] + content { + cluster_secondary_range_name = var.vpc_config.secondary_range_names.pods + services_secondary_range_name = var.vpc_config.secondary_range_names.services + } + } + + dynamic "gateway_api_config" { + for_each = var.enable_features.gateway_api ? [""] : [] + content { + channel = "CHANNEL_STANDARD" + } + } + + maintenance_policy { + dynamic "daily_maintenance_window" { + for_each = ( + try(var.maintenance_config.daily_window_start_time, null) != null + ? [""] + : [] + ) + content { + start_time = var.maintenance_config.daily_window_start_time + } + } + dynamic "recurring_window" { + for_each = ( + try(var.maintenance_config.recurring_window, null) != null + ? 
[""] + : [] + ) + content { + start_time = var.maintenance_config.recurring_window.start_time + end_time = var.maintenance_config.recurring_window.end_time + recurrence = var.maintenance_config.recurring_window.recurrence + } + } + dynamic "maintenance_exclusion" { + for_each = ( + try(var.maintenance_config.maintenance_exclusions, null) == null + ? [] + : var.maintenance_config.maintenance_exclusions + ) + iterator = exclusion + content { + exclusion_name = exclusion.value.name + start_time = exclusion.value.start_time + end_time = exclusion.value.end_time + } + } + } + + master_auth { + client_certificate_config { + issue_client_certificate = var.issue_client_certificate + } + } + + dynamic "master_authorized_networks_config" { + for_each = var.vpc_config.master_authorized_ranges != null ? [""] : [] + content { + dynamic "cidr_blocks" { + for_each = var.vpc_config.master_authorized_ranges + iterator = range + content { + cidr_block = range.value + display_name = range.key + } + } + } + } + + dynamic "mesh_certificates" { + for_each = var.enable_features.mesh_certificates != null ? [""] : [] + content { + enable_certificates = var.enable_features.mesh_certificates + } + } + + dynamic "notification_config" { + for_each = var.enable_features.upgrade_notifications != null ? [""] : [] + content { + pubsub { + enabled = true + topic = ( + try(var.enable_features.upgrade_notifications.topic_id, null) != null + ? var.enable_features.upgrade_notifications.topic_id + : google_pubsub_topic.notifications[0].id + ) + } + } + } + + dynamic "private_cluster_config" { + for_each = ( + var.private_cluster_config != null ? 
[""] : [] + ) + content { + enable_private_nodes = true + enable_private_endpoint = var.private_cluster_config.enable_private_endpoint + master_ipv4_cidr_block = try(var.vpc_config.master_ipv4_cidr_block, null) + master_global_access_config { + enabled = var.private_cluster_config.master_global_access + } + } + } + + dynamic "pod_security_policy_config" { + for_each = var.enable_features.pod_security_policy ? [""] : [] + content { + enabled = var.enable_features.pod_security_policy + } + } + + dynamic "release_channel" { + for_each = var.release_channel != null ? [""] : [] + content { + channel = var.release_channel + } + } + + dynamic "resource_usage_export_config" { + for_each = ( + try(var.enable_features.resource_usage_export.dataset, null) != null + ? [""] + : [] + ) + content { + enable_network_egress_metering = ( + var.enable_features.resource_usage_export.enable_network_egress_metering + ) + enable_resource_consumption_metering = ( + var.enable_features.resource_usage_export.enable_resource_consumption_metering + ) + bigquery_destination { + dataset_id = var.enable_features.resource_usage_export.dataset + } + } + } + + dynamic "vertical_pod_autoscaling" { + for_each = var.enable_features.vertical_pod_autoscaling ? [""] : [] + content { + enabled = var.enable_features.vertical_pod_autoscaling + } + } +} + +resource "google_gke_backup_backup_plan" "backup_plan" { + for_each = var.backup_configs.enable_backup_agent ? 
var.backup_configs.backup_plans : {} + name = each.key + cluster = google_container_cluster.cluster.id + location = each.value.region + project = var.project_id + retention_policy { + backup_delete_lock_days = try(each.value.retention_policy_delete_lock_days) + backup_retain_days = try(each.value.retention_policy_days) + locked = try(each.value.retention_policy_lock) + } + backup_schedule { + cron_schedule = each.value.schedule + } + #TODO add support for configs + backup_config { + include_volume_data = true + include_secrets = true + all_namespaces = true + } +} + + +resource "google_compute_network_peering_routes_config" "gke_master" { + count = ( + try(var.private_cluster_config.peering_config, null) != null ? 1 : 0 + ) + project = ( + try(var.private_cluster_config.peering_config, null) == null + ? var.project_id + : var.private_cluster_config.peering_config.project_id + ) + peering = try( + google_container_cluster.cluster.private_cluster_config.0.peering_name, + null + ) + network = element(reverse(split("/", var.vpc_config.network)), 0) + import_custom_routes = var.private_cluster_config.peering_config.import_routes + export_custom_routes = var.private_cluster_config.peering_config.export_routes +} + +resource "google_pubsub_topic" "notifications" { + count = ( + try(var.enable_features.upgrade_notifications, null) != null && + try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 1 : 0 + ) + project = var.project_id + name = "gke-pubsub-notifications" + labels = { + content = "gke-notifications" + } +} diff --git a/modules/gke-cluster/outputs.tf b/modules/gke-cluster-autopilot/outputs.tf similarity index 100% rename from modules/gke-cluster/outputs.tf rename to modules/gke-cluster-autopilot/outputs.tf diff --git a/modules/gke-cluster-autopilot/variables.tf b/modules/gke-cluster-autopilot/variables.tf new file mode 100644 index 00000000..40877ff6 --- /dev/null +++ b/modules/gke-cluster-autopilot/variables.tf 
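Review bot: `google_gke_backup_backup_plan.backup_plan` near the end of modules/gke-cluster-autopilot/main.tf backs up Secrets from every namespace unconditionally (`include_secrets = true`, `all_namespaces = true`), with no way to scope the plan or to use a customer-managed key, so simply enabling `backup_configs` copies every cluster Secret into a backup under Google-managed encryption. Make `include_secrets` and `all_namespaces` optional attributes of the `backup_plans` object (defaulting to today's values) and expose the resource's `encryption_key { gcp_kms_encryption_key = ... }` block, rather than shipping the `#TODO add support for configs` as is. In the same resource the single-argument `try(each.value.retention_policy_days)` calls are no-ops, since `try` only helps when given a fallback; use `each.value.retention_policy_days` directly or supply one. Separately, both `dynamic "ip_allocation_policy"` blocks render whenever `secondary_range_blocks` is set, because `secondary_range_names` carries a non-null default in variables.tf, which I would expect the provider to reject as a second instance of a single block; gate the names block on `var.vpc_config.secondary_range_blocks == null`.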
@@ -0,0 +1,207 @@ +/** + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "backup_configs" { + description = "Configuration for Backup for GKE." + type = object({ + enable_backup_agent = optional(bool, false) + backup_plans = optional(map(object({ + region = string + schedule = string + retention_policy_days = optional(string) + retention_policy_lock = optional(bool, false) + retention_policy_delete_lock_days = optional(string) + })), {}) + }) + default = {} + nullable = false +} + +variable "description" { + description = "Cluster description." + type = string + default = null +} + +variable "enable_addons" { + description = "Addons enabled in the cluster (true means enabled)." + type = object({ + cloudrun = optional(bool, false) + config_connector = optional(bool, false) + dns_cache = optional(bool, false) + horizontal_pod_autoscaling = optional(bool, false) + http_load_balancing = optional(bool, false) + istio = optional(object({ + enable_tls = bool + })) + kalm = optional(bool, false) + network_policy = optional(bool, false) + }) + default = { + horizontal_pod_autoscaling = true + http_load_balancing = true + } + nullable = false +} + +variable "enable_features" { + description = "Enable cluster-level features. Certain features allow configuration." 
+ type = object({ + binary_authorization = optional(bool, false) + dns = optional(object({ + provider = optional(string) + scope = optional(string) + domain = optional(string) + })) + database_encryption = optional(object({ + state = string + key_name = string + })) + gateway_api = optional(bool, false) + groups_for_rbac = optional(string) + l4_ilb_subsetting = optional(bool, false) + mesh_certificates = optional(bool) + pod_security_policy = optional(bool, false) + resource_usage_export = optional(object({ + dataset = string + enable_network_egress_metering = optional(bool) + enable_resource_consumption_metering = optional(bool) + })) + tpu = optional(bool, false) + upgrade_notifications = optional(object({ + topic_id = optional(string) + })) + vertical_pod_autoscaling = optional(bool, false) + }) + default = { + + } +} + +variable "issue_client_certificate" { + description = "Enable issuing client certificate." + type = bool + default = false +} + +variable "labels" { + description = "Cluster resource labels." + type = map(string) + default = null +} + +variable "location" { + description = "Autopilot cluster are always regional." + type = string +} + + +variable "maintenance_config" { + description = "Maintenance window configuration." + type = object({ + daily_window_start_time = optional(string) + recurring_window = optional(object({ + start_time = string + end_time = string + recurrence = string + })) + maintenance_exclusions = optional(list(object({ + name = string + start_time = string + end_time = string + scope = optional(string) + }))) + }) + default = { + daily_window_start_time = "03:00" + recurring_window = null + maintenance_exclusion = [] + } +} + +variable "min_master_version" { + description = "Minimum version of the master, defaults to the version of the most recent official release." + type = string + default = null +} + +variable "name" { + description = "Cluster name." 
+ type = string +} + +variable "node_locations" { + description = "Zones in which the cluster's nodes are located." + type = list(string) + default = [] + nullable = false +} + +variable "private_cluster_config" { + description = "Private cluster configuration." + type = object({ + enable_private_endpoint = optional(bool) + master_global_access = optional(bool) + peering_config = optional(object({ + export_routes = optional(bool) + import_routes = optional(bool) + project_id = optional(string) + })) + }) + default = null +} + +variable "project_id" { + description = "Cluster project id." + type = string +} + +variable "release_channel" { + description = "Release channel for GKE upgrades." + type = string + default = null +} + +variable "service_account" { + description = "The Google Cloud Platform Service Account to be used by the node VMs created by GKE Autopilot." + type = string + default = null +} + +variable "tags" { + description = "Network tags applied to nodes." + type = list(string) + default = null +} + +variable "vpc_config" { + description = "VPC-level configuration." + type = object({ + network = string + subnetwork = string + master_ipv4_cidr_block = optional(string) + secondary_range_blocks = optional(object({ + pods = string + services = string + })) + secondary_range_names = optional(object({ + pods = string + services = string + }), { pods = "pods", services = "services" }) + master_authorized_ranges = optional(map(string)) + }) + nullable = false +} diff --git a/modules/gke-cluster/versions.tf b/modules/gke-cluster-autopilot/versions.tf similarity index 99% rename from modules/gke-cluster/versions.tf rename to modules/gke-cluster-autopilot/versions.tf index 77ccb0e7..4da9879b 100644 --- a/modules/gke-cluster/versions.tf +++ b/modules/gke-cluster-autopilot/versions.tf 
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+
 terraform {
 required_version = ">= 1.4.4"
 required_providers {
diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster-standard/README.md
similarity index 71%
rename from modules/gke-cluster/README.md
rename to modules/gke-cluster-standard/README.md
index d5b93928..6430333a 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -1,6 +1,6 @@
-# GKE cluster module
+# GKE cluster Standard module
 
-This module allows simplified creation and management of GKE clusters and should be used together with the GKE nodepool module, as the default nodepool is turned off here and cannot be re-enabled. Some sensible defaults are set initially, in order to allow less verbose usage for most use cases.
+This module allows simplified creation and management of GKE Standard clusters and should be used together with the GKE nodepool module, as the default nodepool is turned off here and cannot be re-enabled. Some sensible defaults are set initially, in order to allow less verbose usage for most use cases.
 
 ## Example
 
@@ -8,7 +8,7 @@ This module allows simplified creation and management of GKE clusters and should
 
 ```hcl
 module "cluster-1" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = "myproject"
 name = "cluster-1"
 location = "europe-west1-b"
@@ -40,7 +40,7 @@ module "cluster-1" {
 
 ```hcl
 module "cluster-1" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = "myproject"
 name = "cluster-dataplane-v2"
 location = "europe-west1-b"
@@ -70,32 +70,6 @@ module "cluster-1" {
 }
 # tftest modules=1 resources=1 inventory=dataplane-v2.yaml
 ```
-### Autopilot Cluster
-
-```hcl
-module "cluster-autopilot" {
- source = "./fabric/modules/gke-cluster"
- project_id = "myproject"
- name = "cluster-autopilot"
- location = "europe-west1-b"
- vpc_config = {
- network = var.vpc.self_link
- subnetwork = var.subnet.self_link
- secondary_range_names = {
- pods = "pods"
- services = "services"
- }
- master_authorized_ranges = {
- internal-vms = "10.0.0.0/8"
- }
- master_ipv4_cidr_block = "192.168.0.0/28"
- }
- enable_features = {
- autopilot = true
- }
-}
-# tftest modules=1 resources=1 inventory=autopilot.yaml
-```
 
 ### Cloud DNS
 
@@ -103,7 +77,7 @@ This example shows how to [use Cloud DNS as a Kubernetes DNS provider](https://c
 
 ```hcl
 module "cluster-1" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = var.project_id
 name = "cluster-1"
 location = "europe-west1-b"
@@ -130,7 +104,7 @@ This example shows how to [enable the Backup for GKE agent and configure a Backu
 
 ```hcl
 module "cluster-1" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = var.project_id
 name = "cluster-1"
 location = "europe-west1-b"
@@ -157,26 +131,26 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L134) | Cluster zone or region. | string | ✓ | |
-| [name](variables.tf#L191) | Cluster name. | string | ✓ | |
-| [project_id](variables.tf#L217) | Cluster project id. | string | ✓ | |
-| [vpc_config](variables.tf#L234) | VPC-level configuration. | object({…}) | ✓ | |
+| [location](variables.tf#L133) | Cluster zone or region. | string | ✓ | |
+| [name](variables.tf#L190) | Cluster name. | string | ✓ | |
+| [project_id](variables.tf#L216) | Cluster project id. | string | ✓ | |
+| [vpc_config](variables.tf#L233) | VPC-level configuration. | object({…}) | ✓ | |
 | [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | object({…}) | | {} |
 | [cluster_autoscaling](variables.tf#L33) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null |
 | [description](variables.tf#L54) | Cluster description. | string | | null |
 | [enable_addons](variables.tf#L60) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} |
-| [enable_features](variables.tf#L83) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {…} |
-| [issue_client_certificate](variables.tf#L122) | Enable issuing client certificate. | bool | | false |
-| [labels](variables.tf#L128) | Cluster resource labels. | map(string) | | null |
-| [logging_config](variables.tf#L139) | Logging configuration. | list(string) | | ["SYSTEM_COMPONENTS"] |
-| [maintenance_config](variables.tf#L145) | Maintenance window configuration. | object({…}) | | {…} |
-| [max_pods_per_node](variables.tf#L168) | Maximum number of pods per node in this cluster. | number | | 110 |
-| [min_master_version](variables.tf#L174) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
-| [monitoring_config](variables.tf#L180) | Monitoring components. | object({…}) | | {…} |
-| [node_locations](variables.tf#L196) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [private_cluster_config](variables.tf#L203) | Private cluster configuration. | object({…}) | | null |
-| [release_channel](variables.tf#L222) | Release channel for GKE upgrades. | string | | null |
-| [tags](variables.tf#L228) | Network tags applied to nodes. | list(string) | | null |
+| [enable_features](variables.tf#L83) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {…} |
+| [issue_client_certificate](variables.tf#L121) | Enable issuing client certificate. | bool | | false |
+| [labels](variables.tf#L127) | Cluster resource labels. | map(string) | | null |
+| [logging_config](variables.tf#L138) | Logging configuration. | list(string) | | ["SYSTEM_COMPONENTS"] |
+| [maintenance_config](variables.tf#L144) | Maintenance window configuration. | object({…}) | | {…} |
+| [max_pods_per_node](variables.tf#L167) | Maximum number of pods per node in this cluster. | number | | 110 |
+| [min_master_version](variables.tf#L173) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
+| [monitoring_config](variables.tf#L179) | Monitoring components. | object({…}) | | {…} |
+| [node_locations](variables.tf#L195) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [private_cluster_config](variables.tf#L202) | Private cluster configuration. | object({…}) | | null |
+| [release_channel](variables.tf#L221) | Release channel for GKE upgrades. | string | | null |
+| [tags](variables.tf#L227) | Network tags applied to nodes. | list(string) | | null |
 
 ## Outputs
 
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster-standard/main.tf
similarity index 83%
rename from modules/gke-cluster/main.tf
rename to modules/gke-cluster-standard/main.tf
index 814ae26b..82f885aa 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -15,12 +15,6 @@
 */
 
 resource "google_container_cluster" "cluster" {
- lifecycle {
- ignore_changes = [
- node_config[0].boot_disk_kms_key,
- node_config[0].spot
- ]
- }
 provider = google-beta
 project = var.project_id
 name = var.name
@@ -29,54 +23,39 @@ resource "google_container_cluster" "cluster" {
 node_locations = (
 length(var.node_locations) == 0 ? null : var.node_locations
 )
- min_master_version = var.min_master_version
- network = var.vpc_config.network
- subnetwork = var.vpc_config.subnetwork
- resource_labels = var.labels
- default_max_pods_per_node = (
- var.enable_features.autopilot ? null : var.max_pods_per_node
- )
- enable_intranode_visibility = (
- var.enable_features.autopilot ? null : var.enable_features.intranode_visibility
- )
- enable_l4_ilb_subsetting = var.enable_features.l4_ilb_subsetting
- enable_shielded_nodes = (
- var.enable_features.autopilot ? null : var.enable_features.shielded_nodes
- )
- enable_tpu = var.enable_features.tpu
- initial_node_count = 1
- remove_default_node_pool = var.enable_features.autopilot ? null : true
+ min_master_version = var.min_master_version
+ network = var.vpc_config.network
+ subnetwork = var.vpc_config.subnetwork
+ resource_labels = var.labels
+ default_max_pods_per_node = var.max_pods_per_node
+ enable_intranode_visibility = var.enable_features.intranode_visibility
+ enable_l4_ilb_subsetting = var.enable_features.l4_ilb_subsetting
+ enable_shielded_nodes = var.enable_features.shielded_nodes
+ enable_tpu = var.enable_features.tpu
+ initial_node_count = 1
+ remove_default_node_pool = true
 datapath_provider = (
- var.enable_features.dataplane_v2 || var.enable_features.autopilot
+ var.enable_features.dataplane_v2
 ? "ADVANCED_DATAPATH"
 : "DATAPATH_PROVIDER_UNSPECIFIED"
 )
- enable_autopilot = var.enable_features.autopilot ? true : null
 
 # the default nodepool is deleted here, use the gke-nodepool module instead
 # default nodepool configuration based on a shielded_nodes variable
- dynamic "node_config" {
- for_each = var.enable_features.autopilot ? [] : [""]
- content {
- dynamic "shielded_instance_config" {
- for_each = var.enable_features.shielded_nodes ? [""] : []
- content {
- enable_secure_boot = true
- enable_integrity_monitoring = true
- }
+ node_config {
+ dynamic "shielded_instance_config" {
+ for_each = var.enable_features.shielded_nodes ? [""] : []
+ content {
+ enable_secure_boot = true
+ enable_integrity_monitoring = true
 }
- tags = var.tags
 }
+ tags = var.tags
 }
-
-
 
 addons_config {
- dynamic "dns_cache_config" {
- for_each = !var.enable_features.autopilot ? [""] : []
- content {
- enabled = var.enable_addons.dns_cache
- }
+ dns_cache_config {
+ enabled = var.enable_addons.dns_cache
 }
 http_load_balancing {
 disabled = !var.enable_addons.http_load_balancing
@@ -84,11 +63,8 @@ resource "google_container_cluster" "cluster" {
 horizontal_pod_autoscaling {
 disabled = !var.enable_addons.horizontal_pod_autoscaling
 }
- dynamic "network_policy_config" {
- for_each = !var.enable_features.autopilot ? [""] : []
- content {
- disabled = !var.enable_addons.network_policy
- }
+ network_policy_config {
+ disabled = !var.enable_addons.network_policy
 }
 cloudrun_config {
 disabled = !var.enable_addons.cloudrun
@@ -100,17 +76,10 @@ resource "google_container_cluster" "cluster" {
 )
 }
 gce_persistent_disk_csi_driver_config {
- enabled = (
- var.enable_features.autopilot
- ? true
- : var.enable_addons.gce_persistent_disk_csi_driver
- )
+ enabled = var.enable_addons.gce_persistent_disk_csi_driver
 }
- dynamic "gcp_filestore_csi_driver_config" {
- for_each = !var.enable_features.autopilot ? [""] : []
- content {
- enabled = var.enable_addons.gcp_filestore_csi_driver
- }
+ gcp_filestore_csi_driver_config {
+ enabled = var.enable_addons.gcp_filestore_csi_driver
 }
 kalm_config {
 enabled = var.enable_addons.kalm
@@ -140,7 +109,7 @@ resource "google_container_cluster" "cluster" {
 dynamic "cluster_autoscaling" {
 for_each = var.cluster_autoscaling == null ? [] : [""]
 content {
- enabled = var.enable_features.autopilot ? null : true
+ enabled = true
 
 dynamic "auto_provisioning_defaults" {
 for_each = var.cluster_autoscaling.auto_provisioning_defaults != null ? [""] : []
@@ -204,7 +173,7 @@ resource "google_container_cluster" "cluster" {
 }
 
 dynamic "logging_config" {
- for_each = var.logging_config != null && !var.enable_features.autopilot ? [""] : []
+ for_each = var.logging_config != null ? [""] : []
 content {
 enable_components = var.logging_config
 }
@@ -283,7 +252,7 @@ resource "google_container_cluster" "cluster" {
 }
 
 dynamic "monitoring_config" {
- for_each = var.monitoring_config != null && !var.enable_features.autopilot ? [""] : []
+ for_each = var.monitoring_config != null ? [""] : []
 content {
 enable_components = var.monitoring_config.enable_components
 dynamic "managed_prometheus" {
@@ -379,11 +348,17 @@ resource "google_container_cluster" "cluster" {
 }
 
 dynamic "workload_identity_config" {
- for_each = (var.enable_features.workload_identity && !var.enable_features.autopilot) ? [""] : []
+ for_each = var.enable_features.workload_identity ? [""] : []
 content {
 workload_pool = "${var.project_id}.svc.id.goog"
 }
 }
+ lifecycle {
+ ignore_changes = [
+ node_config[0].boot_disk_kms_key,
+ node_config[0].spot
+ ]
+ }
 }
 
 resource "google_gke_backup_backup_plan" "backup_plan" {
diff --git a/modules/gke-cluster-standard/outputs.tf b/modules/gke-cluster-standard/outputs.tf
new file mode 100644
index 00000000..c02c9be2
--- /dev/null
+++ b/modules/gke-cluster-standard/outputs.tf
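Review bot: The `lifecycle` block is re-added at the bottom of the resource after being removed from its top in hunk @@ -15, still without a comment saying why `node_config[0].boot_disk_kms_key` and `node_config[0].spot` are ignored; since `ignore_changes` silently masks drift on a KMS-related attribute, the reason deserves a line such as `# node_config only describes the default pool deleted on creation; ignore server-side drift on it so the cluster is not replaced`. I am inferring that reason from `remove_default_node_pool = true` in an earlier hunk rather than from anything stated in the diff, so confirm before wording it that way. The resource continues outside this hunk.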
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "ca_certificate" {
+ description = "Public certificate of the cluster (base64-encoded)."
+ value = google_container_cluster.cluster.master_auth.0.cluster_ca_certificate
+ sensitive = true
+}
+
+output "cluster" {
+ description = "Cluster resource."
+ sensitive = true
+ value = google_container_cluster.cluster
+}
+
+output "endpoint" {
+ description = "Cluster endpoint."
+ value = google_container_cluster.cluster.endpoint
+}
+
+output "id" {
+ description = "Cluster ID."
+ value = google_container_cluster.cluster.id
+}
+
+output "location" {
+ description = "Cluster location."
+ value = google_container_cluster.cluster.location
+}
+
+output "master_version" {
+ description = "Master version."
+ value = google_container_cluster.cluster.master_version
+}
+
+output "name" {
+ description = "Cluster name."
+ value = google_container_cluster.cluster.name
+}
+
+output "notifications" {
+ description = "GKE PubSub notifications topic."
+ value = try(google_pubsub_topic.notifications[0].id, null)
+}
+
+output "self_link" {
+ description = "Cluster self link."
+ sensitive = true
+ value = google_container_cluster.cluster.self_link
+}
+
+output "workload_identity_pool" {
+ description = "Workload identity pool."
+ value = "${var.project_id}.svc.id.goog"
+ depends_on = [
+ google_container_cluster.cluster
+ ]
+}
\ No newline at end of file
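Review bot: `workload_identity_pool` always reports `${var.project_id}.svc.id.goog`, but in main.tf the `workload_identity_config` block is only created when `var.enable_features.workload_identity` is true, so a caller that wires IAM bindings off this output on a cluster without Workload Identity gets a pool name that is not actually enabled. Suggest `value = var.enable_features.workload_identity ? "${var.project_id}.svc.id.goog" : null` and mentioning the null case in `description`. Minor: the file lacks a trailing newline, and `self_link` is marked sensitive while `endpoint` is not, which reads as an inconsistent rule rather than a deliberate choice.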
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster-standard/variables.tf
similarity index 99%
rename from modules/gke-cluster/variables.tf
rename to modules/gke-cluster-standard/variables.tf
index 321e0516..260afc75 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -83,7 +83,6 @@ variable "enable_addons" {
 variable "enable_features" {
 description = "Enable cluster-level features. Certain features allow configuration."
 type = object({
- autopilot = optional(bool, false)
 binary_authorization = optional(bool, false)
 dns = optional(object({
 provider = optional(string)
diff --git a/modules/gke-cluster-standard/versions.tf b/modules/gke-cluster-standard/versions.tf
new file mode 100644
index 00000000..ada52a4e
--- /dev/null
+++ b/modules/gke-cluster-standard/versions.tf
@@ -0,0 +1,31 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+terraform {
+ required_version = ">= 1.4.4"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.60.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 4.60.0" # tftest
+ }
+ }
+}
+
+
+
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
index ed80af55..f895f013 100644
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
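Review bot: Dropping `autopilot` from the `enable_features` object type gives callers that still pass `enable_features = { autopilot = true }` no hard failure: as far as I recall Terraform discards attributes not declared in an object type constraint when converting the value, so such a caller would silently get a Standard cluster with its default pool removed instead of the Autopilot cluster they had before. A short comment at the top of the variable, e.g. `# "autopilot" was removed: use modules/gke-cluster-autopilot instead (a leftover attribute is ignored, not rejected)`, plus a migration note in the module README, would make the change visible at the point where it bites. The variable block continues outside this hunk.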
@@ -46,7 +46,7 @@ module "vpc" {
 }
 
 module "cluster_1" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = module.project.project_id
 name = "cluster-1"
 location = "europe-west1"
@@ -212,7 +212,7 @@ module "firewall" {
 }
 
 module "cluster_1" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = module.project.project_id
 name = "cluster-1"
 location = "europe-west1"
@@ -253,7 +253,7 @@ module "cluster_1_nodepool" {
 }
 
 module "cluster_2" {
- source = "./fabric/modules/gke-cluster"
+ source = "./fabric/modules/gke-cluster-standard"
 project_id = module.project.project_id
 name = "cluster-2"
 location = "europe-west4"
diff --git a/tests/modules/gke_cluster_autopilot/examples/backup.yaml b/tests/modules/gke_cluster_autopilot/examples/backup.yaml
new file mode 100644
index 00000000..a7967c6f
--- /dev/null
+++ b/tests/modules/gke_cluster_autopilot/examples/backup.yaml
@@ -0,0 +1,38 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cluster-1.google_container_cluster.cluster:
+ location: europe-west1
+ name: cluster-1
+
+ module.cluster-1.google_gke_backup_backup_plan.backup_plan["backup-1"]:
+ backup_config:
+ - all_namespaces: true
+ encryption_key: []
+ include_secrets: true
+ include_volume_data: true
+ selected_applications: []
+ selected_namespaces: []
+ backup_schedule:
+ - cron_schedule: 0 9 * * 1
+ location: europe-west-2
+ name: backup-1
+ project: project-id
+ retention_policy:
+ - locked: false
+
+counts:
+ google_container_cluster: 1
+ google_gke_backup_backup_plan: 1
diff --git a/tests/modules/gke_cluster_autopilot/examples/basic.yaml b/tests/modules/gke_cluster_autopilot/examples/basic.yaml
new file mode 100644
index 00000000..decbb042
--- /dev/null
+++ b/tests/modules/gke_cluster_autopilot/examples/basic.yaml
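Review bot: The backup plan inventory pins `location: europe-west-2`, which is not the form GCP region names take (compare `europe-west1` for the cluster a few lines up; the region would be `europe-west2`). The inventory only records what the example plan emits and a plan-only tftest does not validate region names, so the README example it was generated from (not in this chunk) presumably carries the same typo and would only fail at apply. Suggest fixing the example and changing this line to `location: europe-west2`.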
@@ -0,0 +1,28 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cluster-1.google_container_cluster.cluster:
+ private_cluster_config:
+ - enable_private_endpoint: true
+ enable_private_nodes: true
+ master_global_access_config:
+ - enabled: false
+ master_ipv4_cidr_block: 192.168.0.0/28
+ private_endpoint_subnetwork: null
+ resource_labels:
+ environment: dev
+
+counts:
+ google_container_cluster: 1
diff --git a/tests/modules/gke_cluster/examples/dns.yaml b/tests/modules/gke_cluster_autopilot/examples/dns.yaml
similarity index 100%
rename from tests/modules/gke_cluster/examples/dns.yaml
rename to tests/modules/gke_cluster_autopilot/examples/dns.yaml
diff --git a/tests/modules/gke_cluster/examples/backup.yaml b/tests/modules/gke_cluster_standard/examples/backup.yaml
similarity index 100%
rename from tests/modules/gke_cluster/examples/backup.yaml
rename to tests/modules/gke_cluster_standard/examples/backup.yaml
diff --git a/tests/modules/gke_cluster/examples/basic.yaml b/tests/modules/gke_cluster_standard/examples/basic.yaml
similarity index 100%
rename from tests/modules/gke_cluster/examples/basic.yaml
rename to tests/modules/gke_cluster_standard/examples/basic.yaml
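Review bot: The basic inventory for the new autopilot module checks private-cluster and label attributes but never asserts `enable_autopilot: true`, which is the one property that distinguishes this module from gke-cluster-standard; the old `autopilot.yaml` (rewritten into the standard dns.yaml in the last hunk) did check it. Suggest adding `enable_autopilot: true` under `module.cluster-1.google_container_cluster.cluster:` so a regression in the autopilot module's main.tf that drops the flag is caught by the plan test rather than at apply.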
diff --git a/tests/modules/gke_cluster/examples/dataplane-v2.yaml b/tests/modules/gke_cluster_standard/examples/dataplane-v2.yaml
similarity index 100%
rename from tests/modules/gke_cluster/examples/dataplane-v2.yaml
rename to tests/modules/gke_cluster_standard/examples/dataplane-v2.yaml
diff --git a/tests/modules/gke_cluster/examples/autopilot.yaml b/tests/modules/gke_cluster_standard/examples/dns.yaml
similarity index 78%
rename from tests/modules/gke_cluster/examples/autopilot.yaml
rename to tests/modules/gke_cluster_standard/examples/dns.yaml
index de9b1d51..b2600b95 100644
--- a/tests/modules/gke_cluster/examples/autopilot.yaml
+++ b/tests/modules/gke_cluster_standard/examples/dns.yaml
@@ -13,8 +13,11 @@
 # limitations under the License.
 
 values:
- module.cluster-autopilot.google_container_cluster.cluster:
- enable_autopilot: true
+ module.cluster-1.google_container_cluster.cluster:
+ dns_config:
+ - cluster_dns: CLOUD_DNS
+ cluster_dns_domain: gke.local
+ cluster_dns_scope: CLUSTER_SCOPE
 
 counts:
 google_container_cluster: 1