From 549856a344ec254eaa9a9f09f4d2a2671d7f1755 Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 19:06:39 +0530 Subject: [PATCH 01/54] feat: updated attributes --- README.yaml | 83 +++++++++----- _example/example.tf | 81 -------------- _example/versions.tf | 10 -- example/managed-node-pools/example.tf | 102 ++++++++++++++++++ .../managed-node-pools}/outputs.tf | 0 .../managed-node-pools}/variables.tf | 0 example/managed-node-pools/versions.tf | 22 ++++ example/self-hosted-node-pools/example.tf | 102 ++++++++++++++++++ example/self-hosted-node-pools/outputs.tf | 7 ++ example/self-hosted-node-pools/variables.tf | 58 ++++++++++ example/self-hosted-node-pools/versions.tf | 22 ++++ main.tf | 51 +++++++-- variables.tf | 95 +++++++++++++++- 13 files changed, 509 insertions(+), 124 deletions(-) delete mode 100644 _example/example.tf delete mode 100644 _example/versions.tf create mode 100644 example/managed-node-pools/example.tf rename {_example => example/managed-node-pools}/outputs.tf (100%) rename {_example => example/managed-node-pools}/variables.tf (100%) create mode 100644 example/managed-node-pools/versions.tf create mode 100644 example/self-hosted-node-pools/example.tf create mode 100644 example/self-hosted-node-pools/outputs.tf create mode 100644 example/self-hosted-node-pools/variables.tf create mode 100644 example/self-hosted-node-pools/versions.tf diff --git a/README.yaml b/README.yaml index 71cc455..a0e84b3 100644 --- a/README.yaml +++ b/README.yaml 
@@ -13,20 +13,29 @@ license: "APACHE" # Canonical GitHub repo github_repo: clouddrove/terraform-gcp-gke -# Badges to display badges: - - name: "Terraform" - image: "https://img.shields.io/badge/Terraform-v1.1.7-green" - url: "https://www.terraform.io" - - name: "Licence" - image: "https://img.shields.io/badge/License-APACHE-blue.svg" - url: "LICENSE.md" + - name: "Latest Release" + image: "https://img.shields.io/github/release/clouddrove/terraform-gcp-gke.svg" + url: "https://github.com/clouddrove/terraform-gcp-gke/releases/latest" - name: "tfsec" image: "https://github.com/clouddrove/terraform-gcp-gke/actions/workflows/tfsec.yml/badge.svg" url: "https://github.com/clouddrove/terraform-gcp-gke/actions/workflows/tfsec.yml" - - name: "static-checks" - image: "https://github.com/clouddrove/terraform-gcp-gke/actions/workflows/terraform.yml/badge.svg" - url: "https://github.com/clouddrove/terraform-gcp-gke/actions/workflows/terraform.yml" + - name: "Licence" + image: "https://img.shields.io/badge/License-APACHE-blue.svg" + url: "LICENSE.md" + - name: "Changelog" + image: "https://img.shields.io/badge/Changelog-blue" + url: "CHANGELOG.md" + +prerequesties: + - name: Terraform + url: https://learn.hashicorp.com/terraform/getting-started/install.html + version: ">= 1.4.6" + +providers: + - name: gcp + url: https://cloud.google.com/ + version: ">= 5.22.0" # description of this project description: |- 
@@ -42,21 +51,43 @@ usage: |- ### Default gke ```hcl module "gke" { - source = "clouddrove/gke/google" - version = "1.0.0" - - name = "test-gke" - module_enabled = true - google_container_cluster_enabled = true - location = "europe-west3" - remove_default_node_pool = true - initial_node_count = 1 - google_container_node_pool_enabled = true - node_count = 1 - cluster_name = "test-gke" - project_id = var.gcp_project_id - region = var.gcp_region - service_account = "" - + source = "../../" + + name = "gke" + environment = var.environment + label_order = var.label_order + + network = module.vpc.vpc_id + subnetwork = module.subnet.id + project_id = var.gcp_project_id + region = var.gcp_region + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.29.1-gke.1589017" + module_enabled = true + remove_default_node_pool = true + service_account = "" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + managed_node_pool = [ + { + name = "critical" + initial_node_count = 1 + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + }, + { + name = "general" + initial_node_count = 1 + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + } + ] } ``` \ No newline at end of file diff --git a/_example/example.tf b/_example/example.tf deleted file mode 100644 index ab77e5b..0000000 --- a/_example/example.tf +++ /dev/null 
@@ -1,81 +0,0 @@ -provider "google" { - project = var.gcp_project_id - region = var.gcp_region - zone = var.gcp_zone -} - -module "vpc" { - source = "clouddrove/vpc/gcp" - version = "1.0.0" - - name = "vpc" - environment = var.environment - label_order = var.label_order - google_compute_network_enabled = true - enable_ula_internal_ipv6 = true - internal_ipv6_range = "fd20:222:dd14:0:0:0:0:0/48" -} - -module "subnet" { - source = "clouddrove/subnet/gcp" - version = "1.0.1" - - name = "subnet" - environment = var.environment - label_order = var.label_order - - google_compute_subnetwork_enabled = true - google_compute_firewall_enabled = true - google_compute_router_nat_enabled = true - module_enabled = true - ipv6_access_type = "EXTERNAL" - network = module.vpc.vpc_id - project_id = "clouddrove" - private_ip_google_access = true - allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }] - source_ranges = ["10.10.0.0/16"] - asn = 64514 - nat_ip_allocate_option = "MANUAL_ONLY" - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" - filter = "ERRORS_ONLY" - dest_range = "0.0.0.0/0" - next_hop_gateway = "default-internet-gateway" - priority = 1000 - secondary_ip_ranges = [{ "range_name" : "services", "ip_cidr_range" : "10.1.0.0/16" }, { "range_name" : "pods", "ip_cidr_range" : "10.3.0.0/16" }] -} - -module "Service-account" { - source = "clouddrove/Service-account/gcp" - version = "1.0.0" - - - name = "Service-account" - environment = var.environment - label_order = var.label_order - - service_account_enabled = true -} - -module "gke" { - source = "../" - - name = "gke" - environment = var.environment - label_order = var.label_order - - network = module.vpc.vpc_id - subnetwork = module.subnet.id - module_enabled = true - google_container_cluster_enabled = true - location = "europe-west3" - remove_default_node_pool = false - gke_version = "1.25.6-gke.1000" - initial_node_count = 1 - google_container_node_pool_enabled = true - node_count = 1 - cluster_name = 
"test-gke" - project_id = var.gcp_project_id - region = var.gcp_region - service_account = "" - -} \ No newline at end of file diff --git a/_example/versions.tf b/_example/versions.tf deleted file mode 100644 index cf0d55e..0000000 --- a/_example/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.14, < 2.0" - - required_providers { - google = { - source = "hashicorp/google" - version = ">= 3.50, < 5.0" - } - } -} \ No newline at end of file diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf new file mode 100644 index 0000000..0f10f0d --- /dev/null +++ b/example/managed-node-pools/example.tf 
@@ -0,0 +1,102 @@
+provider "google" {
+ project = var.gcp_project_id
+ region = var.gcp_region
+ zone = var.gcp_zone
+}
+
+module "vpc" {
+ source = "clouddrove/vpc/gcp"
+ version = "1.0.0"
+
+ name = "test-vpc"
+ environment = var.environment
+ label_order = var.label_order
+ google_compute_network_enabled = true
+ enable_ula_internal_ipv6 = false
+}
+
+module "subnet" {
+ source = "clouddrove/subnet/gcp"
+
+ name = "dev-test"
+ environment = var.environment
+ label_order = var.label_order
+ gcp_region = "us-central1"
+
+ google_compute_subnetwork_enabled = true
+ google_compute_firewall_enabled = true
+ google_compute_router_nat_enabled = true
+ module_enabled = true
+ ipv6_access_type = "EXTERNAL"
+ network = module.vpc.vpc_id
+ project_id = "clouddrove"
+ private_ip_google_access = true
+ allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }]
+ source_ranges = ["10.10.0.0/16"]
+ asn = 64514
+ nat_ip_allocate_option = "MANUAL_ONLY"
+ source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+ filter = "ERRORS_ONLY"
+ dest_range = "0.0.0.0/0"
+ next_hop_gateway = "default-internet-gateway"
+ priority = 1000
+ secondary_ip_ranges = [
+ {
+ "range_name" : "services",
+ "ip_cidr_range" : "10.1.0.0/16"
+ },
+
+ {
+ "range_name" : "pods",
+ "ip_cidr_range" : "10.3.0.0/16"
+ }
+ ]
+}
+
+
+module "gke" {
+ source = "../../"
+
+ name = "gke"
+ environment = var.environment
+ label_order = var.label_order
+
+ network = module.vpc.vpc_id
+ subnetwork = module.subnet.id
+ project_id = var.gcp_project_id
+ region = var.gcp_region
+ cluster_name = "test-gke"
+ location = "us-central1"
+ gke_version = "1.29.1-gke.1589017"
+ module_enabled = true
+ remove_default_node_pool = true
+ service_account = ""
+ deletion_protection = false
+ cluster_autoscaling = false
+ http_load_balancing = false
+ horizontal_pod_autoscaling = false
+ master_authorized_networks = [
+ {
+ cidr_block = "10.0.0.7/32"
+ display_name = "net1"
+ }
+ ]
+ managed_node_pool = [
+ {
+ name = 
"critical" + initial_node_count = 1 + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + }, + { + name = "general" + initial_node_count = 1 + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + } + ] +} \ No newline at end of file diff --git a/_example/outputs.tf b/example/managed-node-pools/outputs.tf similarity index 100% rename from _example/outputs.tf rename to example/managed-node-pools/outputs.tf diff --git a/_example/variables.tf b/example/managed-node-pools/variables.tf similarity index 100% rename from _example/variables.tf rename to example/managed-node-pools/variables.tf diff --git a/example/managed-node-pools/versions.tf b/example/managed-node-pools/versions.tf new file mode 100644 index 0000000..b5b9386 --- /dev/null +++ b/example/managed-node-pools/versions.tf @@ -0,0 +1,22 @@ +terraform { + required_version = ">=1.3" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.9.0, < 6" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 5.9.0, < 6" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.10" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + } +} \ No newline at end of file diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf new file mode 100644 index 0000000..cfd2983 --- /dev/null +++ b/example/self-hosted-node-pools/example.tf 
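Review bot: The `subnet` module in example/managed-node-pools/example.tf hard-codes `project_id = "clouddrove"` while the `provider "google"` block and the `gke` module use `var.gcp_project_id`, so a reader who runs the example against their own project gets the subnet created in (or rejected by) a different project than the cluster; use `project_id = var.gcp_project_id` there. The same block passes `allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }]` for `source_ranges = ["10.10.0.0/16"]`, which is a firewall rule opening every TCP port to that range — for a published example either narrow the ports or add a comment saying it is deliberately permissive so it is not copied into real environments unchanged. The `gke` module is called with `service_account = ""`; a one-line comment stating what the nodes run as when it is empty (presumably the Compute Engine default service account — confirm against main.tf) would help readers choose a dedicated identity. example/self-hosted-node-pools/example.tf repeats all of these verbatim.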
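Review bot: The new example/managed-node-pools/versions.tf pins `required_version = ">=1.3"` and `google` at `">= 5.9.0, < 6"`, whereas README.yaml in the same commit advertises Terraform `">= 1.4.6"` and provider `">= 5.22.0"`; one of the two is wrong, and the constraints file is what `terraform init` enforces, so align it with the README (or the README with it). example/self-hosted-node-pools/versions.tf is byte-identical and needs the same change. The `kubernetes` and `random` providers are required here but nothing in either example hunk references them; if they are only needed by the root module a comment saying so would stop readers from deleting them.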
@@ -0,0 +1,102 @@
+provider "google" {
+ project = var.gcp_project_id
+ region = var.gcp_region
+ zone = var.gcp_zone
+}
+
+module "vpc" {
+ source = "clouddrove/vpc/gcp"
+ version = "1.0.0"
+
+ name = "test-vpc"
+ environment = var.environment
+ label_order = var.label_order
+ google_compute_network_enabled = true
+ enable_ula_internal_ipv6 = false
+}
+
+module "subnet" {
+ source = "clouddrove/subnet/gcp"
+
+ name = "dev-test"
+ environment = var.environment
+ label_order = var.label_order
+ gcp_region = "us-central1"
+
+ google_compute_subnetwork_enabled = true
+ google_compute_firewall_enabled = true
+ google_compute_router_nat_enabled = true
+ module_enabled = true
+ ipv6_access_type = "EXTERNAL"
+ network = module.vpc.vpc_id
+ project_id = "clouddrove"
+ private_ip_google_access = true
+ allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }]
+ source_ranges = ["10.10.0.0/16"]
+ asn = 64514
+ nat_ip_allocate_option = "MANUAL_ONLY"
+ source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+ filter = "ERRORS_ONLY"
+ dest_range = "0.0.0.0/0"
+ next_hop_gateway = "default-internet-gateway"
+ priority = 1000
+ secondary_ip_ranges = [
+ {
+ "range_name" : "services",
+ "ip_cidr_range" : "10.1.0.0/16"
+ },
+
+ {
+ "range_name" : "pods",
+ "ip_cidr_range" : "10.3.0.0/16"
+ }
+ ]
+}
+
+
+module "gke" {
+ source = "../../"
+
+ name = "gke"
+ environment = var.environment
+ label_order = var.label_order
+
+ network = module.vpc.vpc_id
+ subnetwork = module.subnet.id
+ project_id = var.gcp_project_id
+ region = var.gcp_region
+ cluster_name = "test-gke"
+ location = "us-central1"
+ gke_version = "1.29.1-gke.1589017"
+ module_enabled = true
+ remove_default_node_pool = true
+ service_account = ""
+ deletion_protection = false
+ cluster_autoscaling = false
+ http_load_balancing = false
+ horizontal_pod_autoscaling = false
+ master_authorized_networks = [
+ {
+ cidr_block = "10.0.0.7/32"
+ display_name = "net1"
+ }
+ ]
+ self_node_pools = [
+ {
+ name = 
"critical" + initial_node_count = 1 + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + }, + { + name = "general" + initial_node_count = 1 + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + } + ] +} \ No newline at end of file diff --git a/example/self-hosted-node-pools/outputs.tf b/example/self-hosted-node-pools/outputs.tf new file mode 100644 index 0000000..1c0ad6d --- /dev/null +++ b/example/self-hosted-node-pools/outputs.tf @@ -0,0 +1,7 @@ +output "name" { + value = module.gke.*.name +} + +output "id" { + value = module.gke.*.id +} \ No newline at end of file diff --git a/example/self-hosted-node-pools/variables.tf b/example/self-hosted-node-pools/variables.tf new file mode 100644 index 0000000..8289192 --- /dev/null +++ b/example/self-hosted-node-pools/variables.tf 
@@ -0,0 +1,58 @@
+variable "environment" {
+ type = string
+ default = "account"
+ description = "Environment name"
+}
+
+variable "label_order" {
+ type = list(any)
+ default = ["name", "environment"]
+ description = "Label order, e.g. `name`,`application`."
+}
+
+variable "gcp_project_id" {
+ type = string
+ default = "clouddrove"
+ description = "Google Cloud project ID"
+}
+
+variable "gcp_region" {
+ type = string
+ default = "europe-west3"
+ description = "Google Cloud region"
+}
+
+variable "gcp_zone" {
+ type = string
+ default = "Europe-west3-c"
+ description = "Google Cloud zone"
+}
+
+variable "gcp_credentials" {
+ type = string
+ default = ""
+ sensitive = true
+ description = "Google Cloud service account credentials"
+}
+
+variable "ip_cidr_range" {
+ type = string
+ default = "10.11.0.0/16"
+ description = "(Required) The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported."
+}
+
+variable "location" {
+ description = "The location (region or zone) of the GKE cluster."
+ default = "europe-west3"
+ type = string
+}
+
+variable "vpc_id" {
+ type = string
+ default = ""
+}
+
+variable "subnet_id" {
+ type = string
+ default = ""
+}
\ No newline at end of file
diff --git a/example/self-hosted-node-pools/versions.tf b/example/self-hosted-node-pools/versions.tf
new file mode 100644
index 0000000..b5b9386
--- /dev/null
+++ b/example/self-hosted-node-pools/versions.tf
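Review bot: `variable "gcp_zone"` defaults to `"Europe-west3-c"`; GCP zone names are lowercase, so the provider's `zone = var.gcp_zone` will not resolve unless every caller overrides it — `default = "europe-west3-c"`. The defaults are also at odds with the example that consumes them: `gcp_region` and `location` default to `europe-west3` while example.tf pins the cluster `location` and the subnet `gcp_region` to `"us-central1"`, so changing one input silently produces a cross-region setup; pick one region and reference it from both files. `vpc_id` and `subnet_id` carry no `description`, and `gcp_credentials` is declared (correctly marked `sensitive = true`) but I cannot see it consumed anywhere in the example; if it is unused, remove it rather than invite a credentials string into a tfvars file.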
@@ -0,0 +1,22 @@
+terraform {
+ required_version = ">=1.3"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 5.9.0, < 6"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 5.9.0, < 6"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.10"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index e861da8..34575bc 100644
--- a/main.tf
+++ b/main.tf
@@ -8,22 +8,60 @@ module "labels" { } resource "google_container_cluster" "primary" { - count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0 - - name = module.labels.id - location = var.location + count = var.google_container_cluster_enabled ? 1 : 0 + name = module.labels.id + location = var.location network = var.network subnetwork = var.subnetwork remove_default_node_pool = var.remove_default_node_pool - initial_node_count = var.initial_node_count min_master_version = var.gke_version + deletion_protection = var.deletion_protection + cluster_ipv4_cidr = var.cluster_ipv4_cidr + initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 + + cluster_autoscaling { + enabled = var.cluster_autoscaling + } + + addons_config { + http_load_balancing { + disabled = !var.http_load_balancing + } + + horizontal_pod_autoscaling { + disabled = !var.horizontal_pod_autoscaling + } + } + dynamic "node_pool" { + for_each = { for k, v in var.managed_node_pool : k => v if var.enabled } + content { + name = node_pool.value.name + initial_node_count = node_pool.value.initial_node_count + node_config { + machine_type = node_pool.value.machine_type + disk_size_gb = node_pool.value.disk_size_gb + disk_type = node_pool.value.disk_type + preemptible = node_pool.value.preemptible + } + } + } + dynamic "master_authorized_networks_config" { + for_each = var.master_authorized_networks + content { + cidr_blocks { + cidr_block = master_authorized_networks_config.value["cidr_block"] + display_name = master_authorized_networks_config.value["display_name"] + } + } + } } resource "google_container_node_pool" "node_pool" { + for_each = { for k, v in var.self_node_pools : k => v if var.enabled } provider = google-beta - name = module.labels.id + name = each.value.name project = var.project_id location = var.location cluster = join("", google_container_cluster.primary.*.id) 
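Review bot: The new `dynamic "master_authorized_networks_config"` iterates `var.master_authorized_networks` and emits one whole `master_authorized_networks_config` block per entry; on `google_container_cluster` that block may appear only once, so any list with more than one network fails at plan time — it is the inner `cidr_blocks` that should repeat. Because this block is what restricts who can reach the control-plane endpoint, emit it once when the list is non-empty and nest one `cidr_blocks` per entry (rewrite below), and add a comment that an empty list yields no block and therefore leaves the endpoint unrestricted. The inline `node_config` for managed pools sets only machine type, disk and `preemptible`, so those nodes presumably run under the Compute Engine default service account with its default scopes — TODO confirm; `service_account = lookup(node_pool.value, "service_account", var.service_account)` would let the module's existing input apply to them as well. `initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0` compares an `any` value to an empty object, which is never true when callers pass a list as both examples do; `length(var.managed_node_pool) == 0` expresses the intent. The `google_container_node_pool` body continues past the end of the hunk.
```hcl
  # … unchanged: node_pool dynamic block …
  dynamic "master_authorized_networks_config" {
    # One block at most; an empty list means no restriction on the endpoint.
    for_each = length(var.master_authorized_networks) > 0 ? [1] : []
    content {
      dynamic "cidr_blocks" {
        for_each = var.master_authorized_networks
        content {
          cidr_block   = cidr_blocks.value["cidr_block"]
          display_name = cidr_blocks.value["display_name"]
        }
      }
    }
  }
```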
@@ -59,6 +97,7 @@ resource "google_container_node_pool" "node_pool" { update = var.cluster_update_timeouts delete = var.cluster_delete_timeouts } + } resource "null_resource" "configure_kubectl" { diff --git a/variables.tf b/variables.tf index 6cdbe7d..ae29cf4 100644 --- a/variables.tf +++ b/variables.tf @@ -22,6 +22,12 @@ variable "module_enabled" { description = "Flag to control the service_account_enabled creation." } +variable "enabled" { + type = bool + default = true + description = "Whether to create the resources. Set to `false` to prevent the module from creating any resources." +} + variable "google_container_cluster_enabled" { type = bool default = true @@ -58,6 +64,26 @@ variable "node_count" { description = "The number of nodes to create in this cluster's default node pool." } +variable "master_authorized_networks" { + type = list(object({ + cidr_block = string + display_name = string + })) + description = "List of master authorized networks" +} + +variable "managed_node_pool" { + type = any + default = {} + description = "Map of self-managed node pools definitions to create" +} + +variable "self_node_pools" { + type = any + default = {} + description = "Map of self-managed node pools definitions to create" +} + variable "service_account" { type = string default = "" @@ -75,7 +101,6 @@ variable "cluster" { type = string default = "" description = "The cluster to create the node pool for." - } ######################### Autoscaling ########################### @@ -105,6 +130,12 @@ variable "auto_upgrade" { default = true } +variable "deletion_protection" { + type = bool + default = true + description = "Environment (e.g. `prod`, `dev`, `staging`)." +} + ######################### node_config ########################### variable "image_type" { type = string 
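Review bot: The new `variable "enabled"` ("Whether to create the resources") overlaps with the existing `module_enabled`, which this same patch drops from the cluster `count` in main.tf while both examples still pass `module_enabled = true`; a caller now has to know that `enabled` gates node pools, `google_container_cluster_enabled` gates the cluster and `module_enabled` gates nothing visible here. Either route the cluster `count` through `var.enabled` too or state in each description exactly which resources the flag controls, e.g. `description = "Create the managed and self-hosted node pools. The cluster itself is controlled by google_container_cluster_enabled."`.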
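Review bot: `variable "master_authorized_networks"` has no `default`, so every caller of the module is now forced to supply it (a breaking change for existing users), and the description "List of master authorized networks" does not say what happens when it is empty; add `default = []` together with a description such as `"CIDR blocks allowed to reach the cluster control plane. An empty list leaves the endpoint unrestricted."`. The two pool variables are copy-pasted: `managed_node_pool` is described as "Map of self-managed node pools definitions to create", and both are `type = any` with `default = {}` although the examples pass lists of objects; declaring them as `list(object({...}))` with `default = []` would make the shape explicit and let `initial_node_count` in main.tf use `length()` safely.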
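Review bot: `variable "deletion_protection"` carries the description "Environment (e.g. `prod`, `dev`, `staging`).", which was copied from another variable; since this flag is what stops `terraform destroy` from deleting the cluster, the text should say so: `description = "Prevent Terraform from destroying the cluster. Set to false only for disposable environments."`. The `default = true` is the safe choice and worth keeping.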
@@ -186,5 +217,67 @@ variable "gke_version" { type = string default = "" description = "The minimum version of the master. " +} +variable "cluster_ipv4_cidr" { + type = string + default = "" + description = "The IP address range of the Kubernetes pods in this cluster in CIDR notation (e.g. 10.96.0.0/14)." +} + +variable "cluster_autoscaling" { + type = bool + default = false + description = "Node Auto-Provisioning with Cluster Autoscaler to automatically adjust the size of the cluster" +} + +variable "ip_allocation_policy" { + type = bool + default = false + description = "Configuration of cluster IP allocation for VPC-native clusters. If this block is unset during creation, it will be set by the GKE backend." +} + +variable "networking_mode" { + type = bool + default = false + description = "Determines whether alias IPs or routes will be used for pod IPs in the cluster. Options are VPC_NATIVE or ROUTES." +} + +variable "logging_config" { + type = bool + default = false + description = "Logging configuration for the cluster" + +} + +########## Addons Config ########## + +variable "http_load_balancing" { + type = bool + default = true + description = "Set it false you if want to enable http load balancing" +} + +variable "horizontal_pod_autoscaling" { + type = bool + default = true + description = "Set it false you if want to enable horizontal pod autoscaling" +} + +variable "network_policy" { + type = bool + default = true + description = "Set it false you if want to enable network policy" +} + +variable "dns_cache" { + type = bool + default = false + description = "Set it true you if want to dns cache" +} + +variable "filestore_csi_driver" { + type = bool + default = false + description = "Set it true you if want to enable filestore csi driver" } \ No newline at end of file From 74a78bf83a80e2e62792acc7dddcfe1ad1148c92 Mon Sep 17 00:00:00 2001 
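Review bot: `variable "networking_mode"` is declared `type = bool` with `default = false`, but its own description says the options are `VPC_NATIVE` or `ROUTES`; as written a caller cannot pass either value, so declare it `type = string` with a `validation` block restricting it to those two strings and the default the module intends. `ip_allocation_policy` and `logging_config` are likewise `bool` although their descriptions describe configuration blocks, and none of the three — nor `dns_cache`, `filestore_csi_driver` or `network_policy` — is referenced in the main.tf hunks of this patch, so they are currently dead inputs; either wire them or leave them out until they are. The addon descriptions read backwards: `http_load_balancing` defaults to `true` and its text says "Set it false you if want to enable http load balancing", while main.tf does `disabled = !var.http_load_balancing`; `description = "Set to false to disable the HTTP load balancing addon."` matches the code, and the same correction applies to `horizontal_pod_autoscaling` and `network_policy`.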
From: AshutoshAM2002 Date: Thu, 18 Apr 2024 19:11:38 +0530 Subject: [PATCH 02/54] feat: updated attributes --- .github/CODEOWNERS | 2 + .github/PULL_REQUEST_TEMPLATE.md | 12 +++++ .github/dependabot.yml | 27 ++++++++-- .github/workflows/auto_assignee.yml | 14 +++++ .github/workflows/automerge.yml | 12 +++++ .github/workflows/changelog.yml | 2 +- .github/workflows/readme.yml | 24 ++++----- .github/workflows/terraform.yml | 79 ---------------------------- .github/workflows/terratest.yml | 81 ----------------------------- .github/workflows/tf-checks.yml | 15 ++++++ .github/workflows/tflint.yml | 11 ++++ .github/workflows/tfsec.yml | 2 +- 12 files changed, 103 insertions(+), 178 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/auto_assignee.yml create mode 100644 .github/workflows/automerge.yml delete mode 100644 .github/workflows/terraform.yml delete mode 100644 .github/workflows/terratest.yml create mode 100644 .github/workflows/tf-checks.yml create mode 100644 .github/workflows/tflint.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..dd6c908 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# These owners will be the default owners for everything in the repo. +* @anmolnagpal @clouddrove/approvers @clouddrove-ci \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..23e0d41 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -0,0 +1,12 @@ +## what +* Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) +* Use bullet points to be concise and to the point. + +## why +* Provide the justifications for the changes (e.g. business case). +* Describe why these changes were made (e.g. why do these commits fix the problem?) +* Use bullet points to be concise and to the point. + +## references +* Link to any supporting jira issues or helpful documentation to add some context (e.g. stackoverflow). +* Use `closes #123`, if this PR closes a Jira issue `#123` \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c064a2e..fdf32a1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -2,16 +2,35 @@ # package ecosystems to update and where the package manifests are located. # Please see the documentation for all configuration options: # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - version: 2 updates: - package-ecosystem: "terraform" # See documentation for possible values directory: "/" # Location of package manifests schedule: interval: "weekly" + # Add assignees + assignees: + - "clouddrove-ci" + # Add reviewer + reviewers: + - "approvers" - package-ecosystem: "terraform" # See documentation for possible values - directory: "_example/" # Location of package manifests + directory: "./example/self-hosted-node-pools" # Location of package manifests schedule: interval: "weekly" - - + # Add assignees + assignees: + - "clouddrove-ci" + # Add reviewer + reviewers: + - "approvers" + - package-ecosystem: "terraform" # See documentation for possible values + directory: "/example/managed-node-pools" # Location of package manifests + schedule: + interval: "weekly" + # Add assignees + assignees: + - "clouddrove-ci" + # Add reviewer + reviewers: + - "approvers" \ No newline at end of file 
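Review bot: The three `package-ecosystem: "terraform"` entries in .github/dependabot.yml spell `directory` inconsistently — `"/"`, `"./example/self-hosted-node-pools"` and `"/example/managed-node-pools"`; Dependabot resolves directories from the repository root, so use the root-relative `"/example/self-hosted-node-pools"` for the second entry to match the third (I cannot confirm from here whether the `./` form is accepted, which is reason enough not to rely on it). `reviewers: - "approvers"` names a user, whereas the CODEOWNERS file added in this same commit refers to the team `@clouddrove/approvers`; for a team Dependabot expects `"clouddrove/approvers"`. Since these reviewers are who approves automated dependency bumps, the mismatch means the updates may land with nobody from the intended group in the loop.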
diff --git a/.github/workflows/auto_assignee.yml b/.github/workflows/auto_assignee.yml new file mode 100644 index 0000000..0aa2cbd --- /dev/null +++ b/.github/workflows/auto_assignee.yml @@ -0,0 +1,14 @@ +name: Auto Assign PRs + +on: + pull_request: + types: [opened, reopened] + + workflow_dispatch: +jobs: + assignee: + uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@1.0.9 + secrets: + GITHUB: ${{ secrets.GITHUB }} + with: + assignees: 'clouddrove-ci' \ No newline at end of file diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml new file mode 100644 index 0000000..6ec1b8e --- /dev/null +++ b/.github/workflows/automerge.yml @@ -0,0 +1,12 @@ +--- +name: Auto merge +on: + pull_request: +jobs: + auto-merge: + uses: clouddrove/github-shared-workflows/.github/workflows/auto_merge.yml@1.0.9 + secrets: + GITHUB: ${{ secrets.GITHUB }} + with: + tfcheck: 'tf-checks-aws-managed-example / Check code format' +... \ No newline at end of file diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 4b735f5..2d1b73e 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: jobs: changelog: - uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master + uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@1.0.9 secrets: inherit with: branch: 'master' \ No newline at end of file diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml index d46a8c5..9513782 100644 --- a/.github/workflows/readme.yml +++ b/.github/workflows/readme.yml 
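Review bot: Every reusable workflow introduced here is pinned to the mutable tag `@1.0.9` (`clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@1.0.9`, the same in automerge.yml and changelog.yml, and in tf-checks.yml, tflint.yml and tfsec.yml later in this series) and is handed `secrets.GITHUB`; a tag can be moved to different code after review, so pinning to the full commit SHA with the tag in a trailing comment is the form that keeps the supply chain reviewable. automerge.yml runs on every `pull_request` and keys the merge on `tfcheck: 'tf-checks-aws-managed-example / Check code format'`; that string must match the job id in tf-checks.yml exactly, and that job id says "aws" for a GCP module, so a later rename on either side silently disables the gate. A comment in automerge.yml cross-referencing the job in tf-checks.yml, `# must match jobs.<id> in tf-checks.yml`, would make the coupling visible.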
@@ -10,36 +10,36 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout' - uses: actions/checkout@v2.3.4 + uses: actions/checkout@master - - name: Set up Python 3.7. - uses: actions/setup-python@v2 + - name: 'Set up Python 3.7' + uses: actions/setup-python@v5 with: python-version: '3.x' - name: 'create readme' - uses: 'clouddrove/github-actions@v9.0.2' + uses: 'clouddrove/github-actions@9.0.3' with: actions_subcommand: 'readme' - github_token: '${{ secrets.GITHUB}}' + github_token: '${{ secrets.GITHUB }}' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: pre-commit check errors - uses: pre-commit/action@v2.0.0 + - name: 'pre-commit check errors' + uses: pre-commit/action@v3.0.0 continue-on-error: true - - name: pre-commit fix erros - uses: pre-commit/action@v2.0.0 + - name: 'pre-commit fix erros' + uses: pre-commit/action@v3.0.0 continue-on-error: true - name: 'push readme' - uses: 'clouddrove/github-actions@v9.0.2' + uses: 'clouddrove/github-actions@9.0.3' continue-on-error: true with: actions_subcommand: 'push' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: 'Slack Notification' uses: clouddrove/action-slack@v2 diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml deleted file mode 100644 index de7cc2f..0000000 --- a/.github/workflows/terraform.yml +++ /dev/null 
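Review bot: `uses: actions/checkout@v2.3.4` is replaced by `actions/checkout@master`, which swaps an immutable pin for a moving branch in a workflow that holds `secrets.GITHUB` and pushes back to the repository; pin to a release tag or, better, a commit SHA (`actions/checkout@v4` at minimum), as the other steps in this hunk already move toward. The step is renamed `'Set up Python 3.7'` but installs `python-version: '3.x'`, so the name misdescribes what runs; `'Set up Python 3.x'`. The step name `'pre-commit fix erros'` also carries a typo.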
@@ -1,79 +0,0 @@ -name: static-checks - -on: - pull_request: - -jobs: - versionExtract: - name: Get min/max versions - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@main - outputs: - minVersion: ${{ steps.minMax.outputs.minVersion }} - maxVersion: ${{ steps.minMax.outputs.maxVersion }} - - - versionEvaluate: - name: Evaluate Terraform versions - runs-on: ubuntu-latest - needs: versionExtract - strategy: - fail-fast: false - matrix: - version: - - ${{ needs.versionExtract.outputs.minVersion }} - - ${{ needs.versionExtract.outputs.maxVersion }} - directory: - - _example/ - - steps: - - name: Checkout Repo - uses: actions/checkout@master - - - name: Auth Gcp - uses: google-github-actions/auth@v1 - with: - credentials_json: ${{ secrets.GKE_KEY }} - - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v1 - - - name: Init & validate v${{ matrix.version }} - run: | - cd ${{ matrix.directory }} - terraform init - terraform validate - - - name: tflint - uses: reviewdog/action-tflint@master - with: - tflint_version: v0.29.0 - github_token: ${{ secrets.GITHUB }} - working_directory: ${{ matrix.directory }} - fail_on_error: 'true' - filter_mode: 'nofilter' - flags: '--module' - - format: - name: Check code format - runs-on: ubuntu-latest - needs: versionExtract - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }} - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: ${{ needs.versionExtract.outputs.maxVersion }} - - - name: Check Terraform format changes - run: terraform fmt --recursive diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml deleted file mode 100644 index ab87bb5..0000000 --- a/.github/workflows/terratest.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -name: 'Terratest GitHub Actions' -on: - pull_request: - branches: - - master - types: [labeled] - -jobs: - DNS: - name: 'Terratest for DNS' - runs-on: ubuntu-latest - steps: - - - name: Checkout Repo - uses: actions/checkout@master - # Setup gcloud CLI - - - name: Auth Gcp - uses: google-github-actions/auth@v1 - with: - credentials_json: ${{ secrets.GKE_KEY }} - - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v1 - - - name: 'Terratest Generate Certificate DNS' - if: ${{ github.event.label.name == 'terratest' }} - uses: 'clouddrove/github-actions@v9.0.2' - with: - actions_subcommand: 'terratest' - tf_actions_working_dir: _test/generate-certificate-dns - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: 'Slack Notification' - uses: clouddrove/action-slack@v2 - with: - status: ${{ job.status }} - fields: repo,author - author_name: 'CloudDrove' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() - - Email: - name: 'Terratest for Email' - runs-on: ubuntu-latest - steps: - - - name: Checkout Repo - uses: actions/checkout@master - # Setup gcloud CLI - - - name: Auth Gcp - uses: google-github-actions/auth@v1 - with: - credentials_json: ${{ secrets.GKE_KEY }} - - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v1 - - - name: 'Terratest Generate Certificate Email' - if: ${{ github.event.label.name == 'terratest' }} - uses: 'clouddrove/github-actions@v9.0.1' - with: - actions_subcommand: 'terratest' - tf_actions_working_dir: _test/generate-certificate-email - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: 'Slack Notification' - uses: clouddrove/action-slack@v2 - with: - status: ${{ job.status }} - fields: repo,author - author_name: 'CloudDrove' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() \ No 
newline at end of file diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml new file mode 100644 index 0000000..e3f9ec1 --- /dev/null +++ b/.github/workflows/tf-checks.yml @@ -0,0 +1,15 @@ +name: tf-checks +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + tf-checks-aws-managed-example: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.9 + with: + working_directory: './example/managed-node-pools/' + tf-checks-complete-example: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.9 + with: + working_directory: './example/self-hosted-node-pools/' \ No newline at end of file diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml new file mode 100644 index 0000000..a467f87 --- /dev/null +++ b/.github/workflows/tflint.yml @@ -0,0 +1,11 @@ +name: tf-lint +on: + push: + branches: [ master ] + pull_request: + workflow_dispatch: +jobs: + tf-lint: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@1.0.9 + secrets: + GITHUB: ${{ secrets.GITHUB }} \ No newline at end of file diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 9aaf588..6044183 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -5,7 +5,7 @@ on: workflow_dispatch: jobs: tfsec: - uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master + uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@1.0.9 secrets: inherit with: working_directory: '.' \ No newline at end of file From 3c5bc24e9cfc4f85ba87b419ca55d74ac9e4006a Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:05:43 +0530 Subject: [PATCH 03/54] feat: updated attributes --- example/managed-node-pools/example.tf | 1 + example/self-hosted-node-pools/example.tf | 1 + main.tf | 14 +++++++++++++- variables.tf | 16 +++++++++++++++- 4 files changed, 30 insertions(+), 2 deletions(-) 
diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index 0f10f0d..66c139d 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -75,6 +75,7 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false + network_policy = false master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index cfd2983..d1923d9 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -75,6 +75,7 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false + network_policy = false master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/main.tf b/main.tf index 34575bc..58e063a 100644 --- a/main.tf +++ b/main.tf @@ -32,6 +32,10 @@ resource "google_container_cluster" "primary" { horizontal_pod_autoscaling { disabled = !var.horizontal_pod_autoscaling } + + network_policy_config { + disabled = !var.network_policy + } } dynamic "node_pool" { for_each = { for k, v in var.managed_node_pool : k => v if var.enabled } @@ -55,6 +59,14 @@ resource "google_container_cluster" "primary" { } } } + dynamic "network_policy" { + for_each = var.cluster_network_policy + + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } } resource "google_container_node_pool" "node_pool" { @@ -109,4 +121,4 @@ resource "null_resource" "configure_kubectl" { } } depends_on = [google_container_node_pool.node_pool] -} \ No newline at end of file +} diff --git a/variables.tf b/variables.tf index ae29cf4..bbf2380 100644 --- a/variables.tf +++ b/variables.tf 
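Review bot: The new `dynamic "network_policy"` in main.tf reads `network_policy.value.enabled` and `network_policy.value.provider`, but `var.cluster_network_policy` is declared in the companion variables.tf hunk as `list(object({ cidr_block = string, display_name = string }))` — a copy of the master-authorized-networks schema — so any non-empty value fails with an unsupported attribute. `network_policy` on `google_container_cluster` is also a single block, so a list longer than one cannot be applied. Because this block is what turns on NetworkPolicy enforcement for the cluster, declare the variable as `object({ enabled = bool, provider = string })` with `default = null` and iterate `for_each = var.cluster_network_policy == null ? [] : [var.cluster_network_policy]`. Separately, `network_policy_config { disabled = !var.network_policy }` in the addons hunk above and the `enabled` flag here gate the same feature under two different inputs; the descriptions should say which one callers are expected to set.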
@@ -72,6 +72,20 @@ variable "master_authorized_networks" { description = "List of master authorized networks" } +variable "cluster_network_policy" { + type = list(object({ + cidr_block = string + display_name = string + })) + description = "List of master authorized networks" +} + +variable "network_policy" { + type = bool + description = "Enable network policy addon" + default = false +} + variable "managed_node_pool" { type = any default = {} @@ -280,4 +294,4 @@ variable "filestore_csi_driver" { type = bool default = false description = "Set it true you if want to enable filestore csi driver" -} \ No newline at end of file +} From f342d7dd5786cb4b5dd46643b0800e03bca731c0 Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:07:40 +0530 Subject: [PATCH 04/54] feat: added network policy --- example/managed-node-pools/example.tf | 2 +- example/self-hosted-node-pools/example.tf | 2 +- main.tf | 2 +- variables.tf | 6 ------ 4 files changed, 3 insertions(+), 9 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index 66c139d..b0e82c3 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -75,7 +75,7 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false - network_policy = false + network_policy = false master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index d1923d9..bd7a081 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -75,7 +75,7 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false - network_policy = false + network_policy = false master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/main.tf b/main.tf index 58e063a..d4d40bf 100644 --- a/main.tf +++ b/main.tf 
@@ -18,7 +18,7 @@ resource "google_container_cluster" "primary" { min_master_version = var.gke_version deletion_protection = var.deletion_protection cluster_ipv4_cidr = var.cluster_ipv4_cidr - initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 + initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 cluster_autoscaling { enabled = var.cluster_autoscaling diff --git a/variables.tf b/variables.tf index bbf2380..01317dd 100644 --- a/variables.tf +++ b/variables.tf @@ -80,12 +80,6 @@ variable "cluster_network_policy" { description = "List of master authorized networks" } -variable "network_policy" { - type = bool - description = "Enable network policy addon" - default = false -} - variable "managed_node_pool" { type = any default = {} From c3baa64023fcae30b311a8b7173a0bcaecc1cc31 Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:10:40 +0530 Subject: [PATCH 05/54] feat: removed unused variables --- main.tf | 16 ++++++++-------- variables.tf | 14 +++++++------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/main.tf b/main.tf index d4d40bf..781a405 100644 --- a/main.tf +++ b/main.tf @@ -59,14 +59,14 @@ resource "google_container_cluster" "primary" { } } } - dynamic "network_policy" { - for_each = var.cluster_network_policy - - content { - enabled = network_policy.value.enabled - provider = network_policy.value.provider - } - } + # dynamic "network_policy" { + # for_each = var.cluster_network_policy + + # content { + # enabled = network_policy.value.enabled + # provider = network_policy.value.provider + # } + # } } resource "google_container_node_pool" "node_pool" { diff --git a/variables.tf b/variables.tf index 01317dd..e4541e8 100644 --- a/variables.tf +++ b/variables.tf 
@@ -72,13 +72,13 @@ variable "master_authorized_networks" { description = "List of master authorized networks" } -variable "cluster_network_policy" { - type = list(object({ - cidr_block = string - display_name = string - })) - description = "List of master authorized networks" -} +# variable "cluster_network_policy" { +# type = list(object({ +# cidr_block = string +# display_name = string +# })) +# description = "List of master authorized networks" +# } variable "managed_node_pool" { type = any From 1f6c7be9eb7e4a546155ddb99324fd232607ebbb Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:12:48 +0530 Subject: [PATCH 06/54] feat: removed unused variables --- example/managed-node-pools/example.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index b0e82c3..0f9a06b 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -75,7 +75,7 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false - network_policy = false + network_policy = true master_authorized_networks = [ { cidr_block = "10.0.0.7/32" From cae0fd5c43fe5cb27f0d4304b9e30ff493f3ac1d Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:13:23 +0530 Subject: [PATCH 07/54] feat: removed unused variables --- example/self-hosted-node-pools/example.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index bd7a081..3a5edea 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -75,7 +75,7 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false - network_policy = false + network_policy = true master_authorized_networks = [ { cidr_block = "10.0.0.7/32" 
From 8331a774c048446eab1c85090ae834fa3786c500 Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:26:20 +0530 Subject: [PATCH 08/54] feat: Added pod security policy --- example/managed-node-pools/example.tf | 1 + example/self-hosted-node-pools/example.tf | 1 + main.tf | 3 +++ variables.tf | 6 ++++++ 4 files changed, 11 insertions(+) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index 0f9a06b..c0c6627 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -76,6 +76,7 @@ module "gke" { http_load_balancing = false horizontal_pod_autoscaling = false network_policy = true + pod_security_policy = true master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 3a5edea..db6e03d 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -76,6 +76,7 @@ module "gke" { http_load_balancing = false horizontal_pod_autoscaling = false network_policy = true + pod_security_policy = true master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/main.tf b/main.tf index 781a405..19af0f6 100644 --- a/main.tf +++ b/main.tf @@ -36,6 +36,9 @@ resource "google_container_cluster" "primary" { network_policy_config { disabled = !var.network_policy } + pod_security_policy_config { + disabled = !var.pod_security_policy + } } dynamic "node_pool" { for_each = { for k, v in var.managed_node_pool : k => v if var.enabled } diff --git a/variables.tf b/variables.tf index e4541e8..fdc47c6 100644 --- a/variables.tf +++ b/variables.tf 
@@ -278,6 +278,12 @@ variable "network_policy" { description = "Set it false you if want to enable network policy" } +variable "pod_security_policy" { + type = bool + default = true + description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." +} + variable "dns_cache" { type = bool default = false From d04766423870ea19fe275e6ed840247dd9481e88 Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:28:03 +0530 Subject: [PATCH 09/54] feat: Added pod security policy --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 19af0f6..7022e20 100644 --- a/main.tf +++ b/main.tf @@ -23,6 +23,9 @@ resource "google_container_cluster" "primary" { cluster_autoscaling { enabled = var.cluster_autoscaling } + pod_security_policy_config { + disabled = !var.pod_security_policy + } addons_config { http_load_balancing { @@ -36,9 +39,6 @@ resource "google_container_cluster" "primary" { network_policy_config { disabled = !var.network_policy } - pod_security_policy_config { - disabled = !var.pod_security_policy - } } dynamic "node_pool" { for_each = { for k, v in var.managed_node_pool : k => v if var.enabled } From 1ab0802aaf40cf1a5e19a973079d816a9bfdc227 Mon Sep 17 00:00:00 2001 From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:29:51 +0530 Subject: [PATCH 10/54] feat: Added pod security policy --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7022e20..80f590c 100644 --- a/main.tf +++ b/main.tf @@ -24,7 +24,7 @@ resource "google_container_cluster" "primary" { enabled = var.cluster_autoscaling } pod_security_policy_config { - disabled = !var.pod_security_policy + enabled = var.pod_security_policy } addons_config { From 62844cd99b68789b18540831d9c9298e5ee64962 Mon Sep 17 00:00:00 2001 
From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:37:04 +0530 Subject: [PATCH 11/54] feat: Added pod security policy --- example/managed-node-pools/versions.tf | 10 ++++----- example/managed-node-pools/versions.tf.crswap | 22 +++++++++++++++++++ 2 files changed, 27 insertions(+), 5 deletions(-) create mode 100644 example/managed-node-pools/versions.tf.crswap diff --git a/example/managed-node-pools/versions.tf b/example/managed-node-pools/versions.tf index b5b9386..de5b6d5 100644 --- a/example/managed-node-pools/versions.tf +++ b/example/managed-node-pools/versions.tf @@ -1,22 +1,22 @@ terraform { - required_version = ">=1.3" + required_version = ">= 1.4.6" required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = "5.22.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10" + version = "~> 2.29" } random = { source = "hashicorp/random" - version = ">= 2.1" + version = ">= 3.6" } } } \ No newline at end of file diff --git a/example/managed-node-pools/versions.tf.crswap b/example/managed-node-pools/versions.tf.crswap new file mode 100644 index 0000000..de5b6d5 --- /dev/null +++ b/example/managed-node-pools/versions.tf.crswap @@ -0,0 +1,22 @@ +terraform { + required_version = ">= 1.4.6" + + required_providers { + google = { + source = "hashicorp/google" + version = "5.22.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 5.25" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.29" + } + random = { + source = "hashicorp/random" + version = ">= 3.6" + } + } +} \ No newline at end of file From 950d3eb9536e3dc87cfd6ad7e5bd9c154bfc011e Mon Sep 17 00:00:00 2001 
From: AshutoshAM2002 Date: Thu, 18 Apr 2024 22:39:20 +0530 Subject: [PATCH 12/54] feat: updated versions --- example/managed-node-pools/versions.tf.crswap | 22 ------------------- example/self-hosted-node-pools/versions.tf | 22 ------------------- .../versions.tf => versions.tf | 0 3 files changed, 44 deletions(-) delete mode 100644 example/managed-node-pools/versions.tf.crswap delete mode 100644 example/self-hosted-node-pools/versions.tf rename example/managed-node-pools/versions.tf => versions.tf (100%) diff --git a/example/managed-node-pools/versions.tf.crswap b/example/managed-node-pools/versions.tf.crswap deleted file mode 100644 index de5b6d5..0000000 --- a/example/managed-node-pools/versions.tf.crswap +++ /dev/null @@ -1,22 +0,0 @@ -terraform { - required_version = ">= 1.4.6" - - required_providers { - google = { - source = "hashicorp/google" - version = "5.22.0" - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.25" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "~> 2.29" - } - random = { - source = "hashicorp/random" - version = ">= 3.6" - } - } -} \ No newline at end of file diff --git a/example/self-hosted-node-pools/versions.tf b/example/self-hosted-node-pools/versions.tf deleted file mode 100644 index b5b9386..0000000 --- a/example/self-hosted-node-pools/versions.tf +++ /dev/null @@ -1,22 +0,0 @@ -terraform { - required_version = ">=1.3" - - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.9.0, < 6" - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "~> 2.10" - } - random = { - source = "hashicorp/random" - version = ">= 2.1" - } - } -} \ No newline at end of file diff --git a/example/managed-node-pools/versions.tf b/versions.tf similarity index 100% rename from example/managed-node-pools/versions.tf rename to versions.tf 
From 301d9c146a71932f41829918d7ea753f8ceb16c5 Mon Sep 17 00:00:00 2001 From: Ashutosh Mahajan <78293616+AshutoshAM2002@users.noreply.github.com> Date: Mon, 22 Apr 2024 16:17:13 +0530 Subject: [PATCH 13/54] feat: testing pod secutity policy --- main.tf | 6 +++--- variables.tf | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index 80f590c..f044be4 100644 --- a/main.tf +++ b/main.tf @@ -23,9 +23,9 @@ resource "google_container_cluster" "primary" { cluster_autoscaling { enabled = var.cluster_autoscaling } - pod_security_policy_config { - enabled = var.pod_security_policy - } +# pod_security_policy_config { +# enabled = var.pod_security_policy +# } addons_config { http_load_balancing { diff --git a/variables.tf b/variables.tf index fdc47c6..7e6ddac 100644 --- a/variables.tf +++ b/variables.tf @@ -278,11 +278,11 @@ variable "network_policy" { description = "Set it false you if want to enable network policy" } -variable "pod_security_policy" { - type = bool - default = true - description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." -} +# variable "pod_security_policy" { +# type = bool +# default = true +# description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." +# } variable "dns_cache" { type = bool From 153de3687b09d20a633d5eb70142907342e802ac Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 17:52:50 +0530 Subject: [PATCH 14/54] feat: update gke terraform module --- example/managed-node-pools/example.tf | 7 +++- example/self-hosted-node-pools/example.tf | 4 +++ main.tf | 30 +++++++++++------ variables.tf | 41 ++++++++++++++++++++--- versions.tf | 12 +++---- 5 files changed, 72 insertions(+), 22 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index c0c6627..ce08acc 100644 
--- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -67,7 +67,7 @@ module "gke" { region = var.gcp_region cluster_name = "test-gke" location = "us-central1" - gke_version = "1.29.1-gke.1589017" + gke_version = "1.30.2-gke.1587003" module_enabled = true remove_default_node_pool = true service_account = "" @@ -76,7 +76,12 @@ module "gke" { http_load_balancing = false horizontal_pod_autoscaling = false network_policy = true + spot = false + enable_preemptible = true pod_security_policy = true + enable_private_endpoint = false + enable_private_nodes = true + master_ipv4_cidr_block = "10.13.0.0/28" master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index db6e03d..4ab7dde 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -77,6 +77,10 @@ module "gke" { horizontal_pod_autoscaling = false network_policy = true pod_security_policy = true + spot = true + enable_private_endpoint = false + enable_private_nodes = true + master_ipv4_cidr_block = "10.13.0.0/28" master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/main.tf b/main.tf index f044be4..74ec1ef 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,9 @@ module "labels" { } resource "google_container_cluster" "primary" { - count = var.google_container_cluster_enabled ? 1 : 0 + count = var.google_container_cluster_enabled ? 1 : 0 + provider = google-beta + project = var.project_id name = module.labels.id location = var.location @@ -23,9 +25,9 @@ resource "google_container_cluster" "primary" { cluster_autoscaling { enabled = var.cluster_autoscaling } -# pod_security_policy_config { -# enabled = var.pod_security_policy -# } + pod_security_policy_config { + enabled = var.pod_security_policy + } addons_config { http_load_balancing { 
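Review bot: Re-enabling `pod_security_policy_config { enabled = var.pod_security_policy }` in `google_container_cluster.primary`, fed by a variable whose default is `true` in this patch's `variables.tf` hunk, relies on PodSecurityPolicy, which Kubernetes removed in 1.25, while both examples in the same patch pin `1.29`/`1.30` GKE releases; on such clusters the apply is likely to be rejected or the setting to have no effect, so this should be confirmed against the google-beta provider before it ships with a `true` default. If the goal is workload admission hardening on current GKE, that is done with Pod Security Admission via namespace labels, not a cluster attribute, so the variable should default to `false` and its description should say it only applies to releases that still ship PodSecurityPolicy, e.g. `description = "Enable the PodSecurityPolicy controller (removed in Kubernetes 1.25; only valid on older releases)."`. The enclosing resource starts and ends outside this hunk.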
@@ -49,7 +51,8 @@ resource "google_container_cluster" "primary" { machine_type = node_pool.value.machine_type disk_size_gb = node_pool.value.disk_size_gb disk_type = node_pool.value.disk_type - preemptible = node_pool.value.preemptible + preemptible = var.enable_preemptible + spot = var.spot } } } @@ -62,6 +65,13 @@ resource "google_container_cluster" "primary" { } } } + + private_cluster_config { + enable_private_endpoint = var.enable_private_endpoint + enable_private_nodes = var.enable_private_nodes + master_ipv4_cidr_block = var.master_ipv4_cidr_block + } + # dynamic "network_policy" { # for_each = var.cluster_network_policy @@ -76,11 +86,11 @@ resource "google_container_node_pool" "node_pool" { for_each = { for k, v in var.self_node_pools : k => v if var.enabled } provider = google-beta - name = each.value.name - project = var.project_id - location = var.location - cluster = join("", google_container_cluster.primary.*.id) - initial_node_count = var.initial_node_count + name = each.value.name + project = var.project_id + location = var.location + cluster = join("", google_container_cluster.primary.*.id) + node_count = var.initial_node_count autoscaling { min_node_count = var.min_node_count diff --git a/variables.tf b/variables.tf index 7e6ddac..e1c7e3b 100644 --- a/variables.tf +++ b/variables.tf @@ -278,11 +278,11 @@ variable "network_policy" { description = "Set it false you if want to enable network policy" } -# variable "pod_security_policy" { -# type = bool -# default = true -# description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." -# } +variable "pod_security_policy" { + type = bool + default = true + description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." +} variable "dns_cache" { type = bool 
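Review bot: `preemptible = var.enable_preemptible` and the new `spot = var.spot` inside the per-pool `dynamic "node_pool"` block replace the per-pool `node_pool.value.preemptible`, so every managed pool now gets one module-wide setting, and a caller who sets both variables to `true` requests a node that is both preemptible and spot, which the API is expected to reject. Keep the per-pool values with a module-level fallback, `preemptible = try(node_pool.value.preemptible, var.enable_preemptible)` and `spot = try(node_pool.value.spot, var.spot)`, or add a `validation` that rejects both being `true`. In the `google_container_node_pool.node_pool` hunk, `initial_node_count` becomes `node_count` next to an existing `autoscaling` block; the provider documents `node_count` as not to be used alongside autoscaling, so each plan will try to reset whatever the autoscaler chose unless you add `lifecycle { ignore_changes = [node_count] }` or keep `initial_node_count`. Both enclosing resources start outside these hunks.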
@@ -295,3 +295,34 @@ variable "filestore_csi_driver" { default = false description = "Set it true you if want to enable filestore csi driver" } + +variable "spot" { + description = "Enable or disable spot (preemptible) instances for the node pool" + type = bool + default = false +} + +variable "enable_preemptible" { + description = "Enable or disable preemptible nodes" + type = bool + default = false +} + +variable "enable_private_endpoint" { + description = "Enable or disable the private endpoint for the GKE cluster" + type = bool + default = false +} + +variable "enable_private_nodes" { + description = "Enable or disable private nodes for the GKE cluster" + type = bool + default = false +} + +variable "master_ipv4_cidr_block" { + description = "The IP range in CIDR notation for the master network in a private GKE cluster. This block is used to assign IP addresses to the master nodes and control access to the master API server. This is only required when 'enable_private_nodes' is set to true." + type = string + default = "" +} + diff --git a/versions.tf b/versions.tf index de5b6d5..c39290b 100644 --- a/versions.tf +++ b/versions.tf @@ -1,22 +1,22 @@ terraform { - required_version = ">= 1.4.6" + required_version = ">=1.3" required_providers { google = { source = "hashicorp/google" - version = "5.22.0" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.29" + version = "~> 2.10" } random = { source = "hashicorp/random" - version = ">= 3.6" + version = ">= 2.1" } } -} \ No newline at end of file +} From b4755f502e17f9be7985d731fc07f944ae602930 Mon Sep 17 00:00:00 2001 
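Review bot: `master_ipv4_cidr_block` defaults to `""` while `enable_private_nodes` defaults to `false`, so the `private_cluster_config` block added to `main.tf` in this patch is always emitted and a caller who turns on private nodes without supplying a range sends an empty CIDR to the API, failing only at apply. A `validation` on the variable turns that into a plan-time error and rejects malformed input; the self-contained form below avoids referencing other variables. The descriptions of `enable_private_endpoint` and `enable_private_nodes` should also state that with `enable_private_endpoint = false` the control plane keeps a public address and `master_authorized_networks` is then the only restriction, and that the default of `false` for `enable_private_nodes` gives worker nodes public IPs.
```hcl
variable "master_ipv4_cidr_block" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.master_ipv4_cidr_block == "" || can(cidrnetmask(var.master_ipv4_cidr_block))
    error_message = "master_ipv4_cidr_block must be an IPv4 CIDR (for example 10.13.0.0/28) when enable_private_nodes is true, or empty otherwise."
  }
}
```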
From: Kkhandale2024 Date: Mon, 26 Aug 2024 18:06:13 +0530 Subject: [PATCH 15/54] feat: updated network policy --- example/managed-node-pools/example.tf | 6 ++++++ example/self-hosted-node-pools/example.tf | 6 ++++++ main.tf | 16 ++++++++-------- variables.tf | 14 +++++++------- 4 files changed, 27 insertions(+), 15 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index ce08acc..a36f9fc 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -82,6 +82,12 @@ module "gke" { enable_private_endpoint = false enable_private_nodes = true master_ipv4_cidr_block = "10.13.0.0/28" + cluster_network_policy = { + policy1 = { + enabled = true + provider = "CALICO" + } + } master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 4ab7dde..3d72f77 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -81,6 +81,12 @@ module "gke" { enable_private_endpoint = false enable_private_nodes = true master_ipv4_cidr_block = "10.13.0.0/28" + cluster_network_policy = { + policy1 = { + enabled = true + provider = "CALICO" + } + } master_authorized_networks = [ { cidr_block = "10.0.0.7/32" diff --git a/main.tf b/main.tf index 74ec1ef..e49dbda 100644 --- a/main.tf +++ b/main.tf @@ -72,14 +72,14 @@ resource "google_container_cluster" "primary" { master_ipv4_cidr_block = var.master_ipv4_cidr_block } - # dynamic "network_policy" { - # for_each = var.cluster_network_policy - - # content { - # enabled = network_policy.value.enabled - # provider = network_policy.value.provider - # } - # } + dynamic "network_policy" { + for_each = var.cluster_network_policy + + content { + enabled = network_policy.value.enabled + provider = network_policy.value.provider + } + } } resource "google_container_node_pool" "node_pool" { 
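Review bot: `dynamic "network_policy"` iterates `var.cluster_network_policy`, but `network_policy` is a single nested block on `google_container_cluster`, so a map with more than one entry produces a configuration the provider rejects; the example's `policy1` key reads as if several policies could be listed. Model it as one optional object, or constrain the variable to at most one entry where it is declared. The `enabled` value here also has to agree with `network_policy_config` in `addons_config`, which is driven separately by `var.network_policy`; two independent inputs can now disagree, so a comment such as `# network_policy.enabled requires addons_config.network_policy_config to be enabled (var.network_policy = true)` above the block, or a validation tying them together, would prevent a silently unenforced policy. The enclosing resource starts outside this hunk.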
diff --git a/variables.tf b/variables.tf index e1c7e3b..692b55a 100644 --- a/variables.tf +++ b/variables.tf @@ -72,13 +72,13 @@ variable "master_authorized_networks" { description = "List of master authorized networks" } -# variable "cluster_network_policy" { -# type = list(object({ -# cidr_block = string -# display_name = string -# })) -# description = "List of master authorized networks" -# } +variable "cluster_network_policy" { + type = list(object({ + cidr_block = string + display_name = string + })) + description = "List of master authorized networks" +} variable "managed_node_pool" { type = any From 0aaa40f513a65a2218d94635d15cb9569ae8b1d7 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 18:16:31 +0530 Subject: [PATCH 16/54] feat: resolved tf-checks issue --- variables.tf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/variables.tf b/variables.tf index 692b55a..788a993 100644 --- a/variables.tf +++ b/variables.tf @@ -73,11 +73,12 @@ variable "master_authorized_networks" { } variable "cluster_network_policy" { - type = list(object({ - cidr_block = string - display_name = string + description = "A map of network policy configurations to apply to the GKE cluster." + type = map(object({ + enabled = bool + provider = string })) - description = "List of master authorized networks" + default = {} } variable "managed_node_pool" { From 0258ebedae0f1e6f6228c44d9181702f3fc01f44 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 18:51:53 +0530 Subject: [PATCH 17/54] feat: resolved tfLint warnings --- example/managed-node-pools/example.tf | 1 - example/self-hosted-node-pools/example.tf | 1 - outputs.tf | 8 ++++---- variables.tf | 25 ----------------------- versions.tf | 4 ++++ 5 files changed, 8 insertions(+), 31 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index a36f9fc..b463b89 100644 --- a/example/managed-node-pools/example.tf 
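Review bot: The new `map(object({ enabled = bool, provider = string }))` type accepts any number of entries and any `provider` string, while the `network_policy` block it feeds in `main.tf` is a single block whose `provider` the API only accepts as `PROVIDER_UNSPECIFIED` or `CALICO`; a wrong value or a second entry surfaces as an apply-time error instead of at plan. Two `validation` blocks on the variable catch both early, and the description should mention that enabling a policy here also requires `var.network_policy = true` for the addon.
```hcl
variable "cluster_network_policy" {
  # … unchanged: description, type, default …
  validation {
    condition     = length(var.cluster_network_policy) <= 1
    error_message = "google_container_cluster accepts a single network_policy block; supply at most one entry."
  }
  validation {
    condition     = alltrue([for p in values(var.cluster_network_policy) : contains(["PROVIDER_UNSPECIFIED", "CALICO"], p.provider)])
    error_message = "provider must be PROVIDER_UNSPECIFIED or CALICO."
  }
}
```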
+++ b/example/managed-node-pools/example.tf @@ -68,7 +68,6 @@ module "gke" { cluster_name = "test-gke" location = "us-central1" gke_version = "1.30.2-gke.1587003" - module_enabled = true remove_default_node_pool = true service_account = "" deletion_protection = false diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 3d72f77..75e3fae 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -68,7 +68,6 @@ module "gke" { cluster_name = "test-gke" location = "us-central1" gke_version = "1.29.1-gke.1589017" - module_enabled = true remove_default_node_pool = true service_account = "" deletion_protection = false diff --git a/outputs.tf b/outputs.tf index 6781f5b..258174a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,15 +1,15 @@ output "name" { - value = join("", google_container_cluster.primary.*.name) + value = join("", google_container_cluster.primary[*].name) } output "id" { - value = join("", google_container_cluster.primary.*.id) + value = join("", google_container_cluster.primary[*].id) } output "endpoint" { - value = join("", google_container_cluster.primary.*.endpoint) + value = join("", google_container_cluster.primary[*].endpoint) } output "cluster_ca_certificate" { - value = join("", google_container_cluster.primary.*.id) + value = join("", google_container_cluster.primary[*].id) } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 788a993..daab758 100644 --- a/variables.tf +++ b/variables.tf @@ -16,12 +16,6 @@ variable "name" { description = "Name of the resource. Provided by the client when the resource is created. " } -variable "module_enabled" { - type = bool - default = true - description = "Flag to control the service_account_enabled creation." -} - variable "enabled" { type = bool default = true 
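Review bot: `output "cluster_ca_certificate"` still returns `google_container_cluster.primary[*].id`; the change only modernises the splat, so the output keeps what looks like a copy of `output "id"` and any consumer wiring it into a kubeconfig or provider block gets the cluster id where a certificate is expected. The provider exposes the certificate as `master_auth[0].cluster_ca_certificate`, so the value should be `join("", google_container_cluster.primary[*].master_auth[0].cluster_ca_certificate)`, and since the output is cluster credential material it is usually declared with `sensitive = true` so it is redacted from plan and apply logs.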
@@ -106,12 +100,6 @@ variable "project" { } -variable "cluster" { - type = string - default = "" - description = "The cluster to create the node pool for." -} - ######################### Autoscaling ########################### variable "min_node_count" { type = number @@ -252,13 +240,6 @@ variable "networking_mode" { description = "Determines whether alias IPs or routes will be used for pod IPs in the cluster. Options are VPC_NATIVE or ROUTES." } -variable "logging_config" { - type = bool - default = false - description = "Logging configuration for the cluster" - -} - ########## Addons Config ########## variable "http_load_balancing" { @@ -285,12 +266,6 @@ variable "pod_security_policy" { description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." } -variable "dns_cache" { - type = bool - default = false - description = "Set it true you if want to dns cache" -} - variable "filestore_csi_driver" { type = bool default = false diff --git a/versions.tf b/versions.tf index c39290b..2bdc416 100644 --- a/versions.tf +++ b/versions.tf @@ -18,5 +18,9 @@ terraform { source = "hashicorp/random" version = ">= 2.1" } + null = { + source = "hashicorp/null" + version = ">= 3.0.0" + } } } From 6938f27432fce4cd59f79ca801b61351be711e50 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 19:21:39 +0530 Subject: [PATCH 18/54] feat: resolved tflint warnings --- example/managed-node-pools/example.tf | 2 ++ example/managed-node-pools/outputs.tf | 4 +-- example/self-hosted-node-pools/outputs.tf | 4 +-- main.tf | 2 +- variables.tf | 37 ----------------------- 5 files changed, 7 insertions(+), 42 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index b463b89..bd5fa23 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf 
@@ -22,6 +22,8 @@ module "subnet" { environment = var.environment label_order = var.label_order gcp_region = "us-central1" + version = "1.0.1" + google_compute_subnetwork_enabled = true google_compute_firewall_enabled = true diff --git a/example/managed-node-pools/outputs.tf b/example/managed-node-pools/outputs.tf index 1c0ad6d..db70e4f 100644 --- a/example/managed-node-pools/outputs.tf +++ b/example/managed-node-pools/outputs.tf @@ -1,7 +1,7 @@ output "name" { - value = module.gke.*.name + value = module.gke[*].name } output "id" { - value = module.gke.*.id + value = module.gke[*].id } \ No newline at end of file diff --git a/example/self-hosted-node-pools/outputs.tf b/example/self-hosted-node-pools/outputs.tf index 1c0ad6d..db70e4f 100644 --- a/example/self-hosted-node-pools/outputs.tf +++ b/example/self-hosted-node-pools/outputs.tf @@ -1,7 +1,7 @@ output "name" { - value = module.gke.*.name + value = module.gke[*].name } output "id" { - value = module.gke.*.id + value = module.gke[*].id } \ No newline at end of file diff --git a/main.tf b/main.tf index e49dbda..1fa43c6 100644 --- a/main.tf +++ b/main.tf @@ -89,7 +89,7 @@ resource "google_container_node_pool" "node_pool" { name = each.value.name project = var.project_id location = var.location - cluster = join("", google_container_cluster.primary.*.id) + cluster = join("", google_container_cluster.primary[*].id) node_count = var.initial_node_count autoscaling { diff --git a/variables.tf b/variables.tf index daab758..bea93ba 100644 --- a/variables.tf +++ b/variables.tf 
@@ -46,18 +46,6 @@ variable "initial_node_count" { description = "The number of nodes to create in this cluster's default node pool." } -variable "google_container_node_pool_enabled" { - type = bool - default = true - description = "Flag to control the cluster_enabled creation." -} - -variable "node_count" { - type = number - default = 1 - description = "The number of nodes to create in this cluster's default node pool." -} - variable "master_authorized_networks" { type = list(object({ cidr_block = string @@ -93,13 +81,6 @@ variable "service_account" { description = "The Google Cloud Platform Service Account to be used by the node VMs created by GKE Autopilot or NAP." } -variable "project" { - type = string - default = "" - description = "The project ID to host the cluster in" - -} - ######################### Autoscaling ########################### variable "min_node_count" { type = number @@ -228,18 +209,6 @@ variable "cluster_autoscaling" { description = "Node Auto-Provisioning with Cluster Autoscaler to automatically adjust the size of the cluster" } -variable "ip_allocation_policy" { - type = bool - default = false - description = "Configuration of cluster IP allocation for VPC-native clusters. If this block is unset during creation, it will be set by the GKE backend." -} - -variable "networking_mode" { - type = bool - default = false - description = "Determines whether alias IPs or routes will be used for pod IPs in the cluster. Options are VPC_NATIVE or ROUTES." -} - ########## Addons Config ########## variable "http_load_balancing" { 
@@ -266,12 +235,6 @@ variable "pod_security_policy" { description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." } -variable "filestore_csi_driver" { - type = bool - default = false - description = "Set it true you if want to enable filestore csi driver" -} - variable "spot" { description = "Enable or disable spot (preemptible) instances for the node pool" type = bool From c9a4f6e4fe4e5dea801c9095876892b9dcdb2d03 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 19:43:02 +0530 Subject: [PATCH 19/54] feat: resolved tflint warnings provider --- example/managed-node-pools/variables.tf | 23 ------------------ example/managed-node-pools/versions.tf | 26 +++++++++++++++++++++ example/self-hosted-node-pools/example.tf | 1 + example/self-hosted-node-pools/variables.tf | 11 --------- example/self-hosted-node-pools/versions.tf | 26 +++++++++++++++++++++ 5 files changed, 53 insertions(+), 34 deletions(-) create mode 100644 example/managed-node-pools/versions.tf create mode 100644 example/self-hosted-node-pools/versions.tf diff --git a/example/managed-node-pools/variables.tf b/example/managed-node-pools/variables.tf index 8289192..fc86e1d 100644 --- a/example/managed-node-pools/variables.tf +++ b/example/managed-node-pools/variables.tf 
@@ -28,31 +28,8 @@ variable "gcp_zone" { description = "Google Cloud zone" } -variable "gcp_credentials" { - type = string - default = "" - sensitive = true - description = "Google Cloud service account credentials" -} - -variable "ip_cidr_range" { - type = string - default = "10.11.0.0/16" - description = "(Required) The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported." -} - variable "location" { description = "The location (region or zone) of the GKE cluster." default = "europe-west3" type = string } - -variable "vpc_id" { - type = string - default = "" -} - -variable "subnet_id" { - type = string - default = "" -} \ No newline at end of file diff --git a/example/managed-node-pools/versions.tf b/example/managed-node-pools/versions.tf new file mode 100644 index 0000000..2bdc416 --- /dev/null +++ b/example/managed-node-pools/versions.tf @@ -0,0 +1,26 @@ +terraform { + required_version = ">=1.3" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.9.0, < 6" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 5.9.0, < 6" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.10" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + null = { + source = "hashicorp/null" + version = ">= 3.0.0" + } + } +} diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 75e3fae..22c46ee 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -22,6 +22,7 @@ module "subnet" { environment = var.environment label_order = var.label_order gcp_region = "us-central1" + version = "1.0.1" google_compute_subnetwork_enabled = true google_compute_firewall_enabled = true 
diff --git a/example/self-hosted-node-pools/variables.tf b/example/self-hosted-node-pools/variables.tf index 8289192..85ea90a 100644 --- a/example/self-hosted-node-pools/variables.tf +++ b/example/self-hosted-node-pools/variables.tf @@ -41,17 +41,6 @@ variable "ip_cidr_range" { description = "(Required) The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported." } -variable "location" { - description = "The location (region or zone) of the GKE cluster." - default = "europe-west3" - type = string -} - -variable "vpc_id" { - type = string - default = "" -} - variable "subnet_id" { type = string default = "" diff --git a/example/self-hosted-node-pools/versions.tf b/example/self-hosted-node-pools/versions.tf new file mode 100644 index 0000000..2bdc416 --- /dev/null +++ b/example/self-hosted-node-pools/versions.tf @@ -0,0 +1,26 @@ +terraform { + required_version = ">=1.3" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.9.0, < 6" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 5.9.0, < 6" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.10" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + null = { + source = "hashicorp/null" + version = ">= 3.0.0" + } + } +} From be16972622cd4062e5a8139d75da37ac62d5a079 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 19:47:47 +0530 Subject: [PATCH 20/54] feat: resolved tflint warnings related credentials --- example/managed-node-pools/variables.tf | 6 ------ example/self-hosted-node-pools/variables.tf | 17 ----------------- 2 files changed, 23 deletions(-) diff --git a/example/managed-node-pools/variables.tf b/example/managed-node-pools/variables.tf index fc86e1d..b7e13fe 100644 
--- a/example/managed-node-pools/variables.tf +++ b/example/managed-node-pools/variables.tf @@ -27,9 +27,3 @@ variable "gcp_zone" { default = "Europe-west3-c" description = "Google Cloud zone" } - -variable "location" { - description = "The location (region or zone) of the GKE cluster." - default = "europe-west3" - type = string -} diff --git a/example/self-hosted-node-pools/variables.tf b/example/self-hosted-node-pools/variables.tf index 85ea90a..56cb0b8 100644 --- a/example/self-hosted-node-pools/variables.tf +++ b/example/self-hosted-node-pools/variables.tf @@ -28,20 +28,3 @@ variable "gcp_zone" { description = "Google Cloud zone" } -variable "gcp_credentials" { - type = string - default = "" - sensitive = true - description = "Google Cloud service account credentials" -} - -variable "ip_cidr_range" { - type = string - default = "10.11.0.0/16" - description = "(Required) The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported." -} - -variable "subnet_id" { - type = string - default = "" -} \ No newline at end of file From 8a926160cffeaf044cb71073f5d04317dbf5cab8 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Mon, 26 Aug 2024 23:47:27 +0530 Subject: [PATCH 21/54] feat: resolved defsec comments --- example/managed-node-pools/example.tf | 55 ++++++++++++++--------- example/self-hosted-node-pools/example.tf | 53 ++++++++++++++-------- main.tf | 15 +++++++ variables.tf | 25 +++++++++++ 4 files changed, 109 insertions(+), 39 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index bd5fa23..4a6f2c2 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf 
@@ -53,6 +53,15 @@ module "subnet" { "ip_cidr_range" : "10.3.0.0/16" } ] + + log_config = { + aggregation_interval = "INTERVAL_10_MIN" + flow_sampling = 0.5 + metadata = "INCLUDE_ALL_METADATA" + metadata_fields = ["SRC_IP", "DST_IP"] + filter_expr = "true" + } + } @@ -63,26 +72,30 @@ module "gke" { environment = var.environment label_order = var.label_order - network = module.vpc.vpc_id - subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.30.2-gke.1587003" - remove_default_node_pool = true - service_account = "" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = true - spot = false - enable_preemptible = true - pod_security_policy = true - enable_private_endpoint = false - enable_private_nodes = true - master_ipv4_cidr_block = "10.13.0.0/28" + network = module.vpc.vpc_id + subnetwork = module.subnet.id + project_id = var.gcp_project_id + region = var.gcp_region + labels = "dev-gke" + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.30.2-gke.1587003" + remove_default_node_pool = true + service_account = "example@example.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = true + spot = false + enable_preemptible = true + pod_security_policy = true + enable_private_endpoint = false + enable_private_nodes = true + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_secondary_range_name = "pod-range" + services_secondary_range_name = "svc-range" + metadata = true cluster_network_policy = { policy1 = { enabled = true @@ -100,6 +113,7 @@ module "gke" { name = "critical" initial_node_count = 1 machine_type = "g1-small" + image_type = "COS_CONTAINERD" disk_size_gb = "10" disk_type = "pd-standard" preemptible = true 
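Review bot: `labels = "dev-gke"` and `metadata = true` in the module "gke" hunk pass a string and a bool, while the same commit declares both `variable "labels"` and `variable "metadata"` as `map(string)` in variables.tf, so `terraform validate` will reject these calls; pass maps, e.g. `labels = { application = "app" }`, or drop the arguments. The self-hosted example hunk at `@@ -62,25 +71,29 @@` carries the identical mismatch. `service_account = "example@example.gserviceaccount.com"` is a placeholder that does not follow the NAME@PROJECT.iam.gserviceaccount.com form of a real node service account, so a comment such as `# replace with a dedicated, least-privilege node service account` would make clear it must be substituted rather than copied. The module "gke" block continues outside the hunk.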
@@ -107,6 +121,7 @@ module "gke" { { name = "general" initial_node_count = 1 + image_type = "COS_CONTAINERD" machine_type = "g1-small" disk_size_gb = "10" disk_type = "pd-standard" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 22c46ee..58e2e1a 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -52,6 +52,15 @@ module "subnet" { "ip_cidr_range" : "10.3.0.0/16" } ] + + log_config = { + aggregation_interval = "INTERVAL_10_MIN" + flow_sampling = 0.5 + metadata = "INCLUDE_ALL_METADATA" + metadata_fields = ["SRC_IP", "DST_IP"] + filter_expr = "true" + } + } 
@@ -62,25 +71,29 @@ module "gke" { environment = var.environment label_order = var.label_order - network = module.vpc.vpc_id - subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.29.1-gke.1589017" - remove_default_node_pool = true - service_account = "" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = true - pod_security_policy = true - spot = true - enable_private_endpoint = false - enable_private_nodes = true - master_ipv4_cidr_block = "10.13.0.0/28" + network = module.vpc.vpc_id + subnetwork = module.subnet.id + project_id = var.gcp_project_id + region = var.gcp_region + labels = "dev-gke" + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.29.1-gke.1589017" + remove_default_node_pool = true + service_account = "example@example.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = true + pod_security_policy = true + spot = true + enable_private_endpoint = false + enable_private_nodes = true + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_secondary_range_name = "pod-range" + services_secondary_range_name = "svc-range" + metadata = true cluster_network_policy = { policy1 = { enabled = true @@ -97,6 +110,7 @@ module "gke" { { name = "critical" initial_node_count = 1 + image_type = "COS_CONTAINERD" machine_type = "g1-small" disk_size_gb = "10" disk_type = "pd-standard" @@ -105,6 +119,7 @@ module "gke" { { name = "general" initial_node_count = 1 + image_type = "COS_CONTAINERD" machine_type = "g1-small" disk_size_gb = "10" disk_type = "pd-standard" diff --git a/main.tf b/main.tf index 1fa43c6..224f973 100644 --- a/main.tf +++ b/main.tf 
@@ -22,8 +22,10 @@ resource "google_container_cluster" "primary" { cluster_ipv4_cidr = var.cluster_ipv4_cidr initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 + cluster_autoscaling { enabled = var.cluster_autoscaling + } pod_security_policy_config { enabled = var.pod_security_policy @@ -42,6 +44,12 @@ resource "google_container_cluster" "primary" { disabled = !var.network_policy } } + + ip_allocation_policy { + cluster_secondary_range_name = var.cluster_secondary_range_name + services_secondary_range_name = var.services_secondary_range_name + } + dynamic "node_pool" { for_each = { for k, v in var.managed_node_pool : k => v if var.enabled } content { @@ -53,6 +61,8 @@ resource "google_container_cluster" "primary" { disk_type = node_pool.value.disk_type preemptible = var.enable_preemptible spot = var.spot + + labels = var.labels } } } @@ -110,6 +120,11 @@ resource "google_container_node_pool" "node_pool" { disk_size_gb = var.disk_size_gb disk_type = var.disk_type preemptible = var.preemptible + + + metadata = { + disable-legacy-endpoints = "true" + } } lifecycle { diff --git a/variables.tf b/variables.tf index bea93ba..b3a7ac0 100644 --- a/variables.tf +++ b/variables.tf @@ -265,3 +265,28 @@ variable "master_ipv4_cidr_block" { default = "" } +variable "labels" { + description = "A map of labels to apply to the GKE cluster and its resources." + type = map(string) + default = {} +} + +variable "cluster_secondary_range_name" { + type = string + default = "pods-range" + description = "The name of the secondary IP range for pods in the GKE cluster." +} + +variable "services_secondary_range_name" { + type = string + default = "services-range" + description = "The name of the secondary IP range for services in the GKE cluster." + +} + +variable "metadata" { + type = map(string) + default = { + disable-legacy-endpoints = "true" + } +} \ No newline at end of file From 5e4361ab019f332f5833f95d100fcad175b4fcf4 Mon Sep 17 00:00:00 2001 
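Review bot: The `variable "metadata"` added in the variables.tf hunk is never referenced: the `google_container_node_pool` hunk hard-codes `metadata = { disable-legacy-endpoints = "true" }` instead of `metadata = var.metadata`, so overriding the variable changes nothing, and the `node_pool` block inside `google_container_cluster.primary` receives no metadata at all. Either wire `metadata = var.metadata` into both node configs or remove the variable, and give whichever is kept a why-comment, e.g. `# disables the legacy v1beta1 metadata API, which serves without the Metadata-Flavor header`. `labels = var.labels` in the `@@ -53,6 +61,8 @@` hunk appears to land inside `node_config` next to `preemptible` and `spot`, which sets Kubernetes node labels, whereas the new variable's description promises labels on "the GKE cluster and its resources" (GCP-side labels would be `resource_labels`); a description such as `description = "Kubernetes node labels applied to each node of the managed node pools."` matches what the code does. Both resources continue outside the hunks.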
From: Kkhandale2024 Date: Mon, 26 Aug 2024 23:52:14 +0530 Subject: [PATCH 22/54] feat: resolved variable issue --- example/self-hosted-node-pools/example.tf | 1 - variables.tf | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 58e2e1a..a1e2d8f 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -93,7 +93,6 @@ module "gke" { master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" - metadata = true cluster_network_policy = { policy1 = { enabled = true diff --git a/variables.tf b/variables.tf index b3a7ac0..93325fa 100644 --- a/variables.tf +++ b/variables.tf @@ -267,7 +267,7 @@ variable "master_ipv4_cidr_block" { variable "labels" { description = "A map of labels to apply to the GKE cluster and its resources." - type = map(string) + type = string default = {} } From b3a959b8efaa57b3fdb1e70ad5e7f8ab906f6de7 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 00:02:14 +0530 Subject: [PATCH 23/54] feat: resolved tfcheck issue --- example/managed-node-pools/example.tf | 6 ++++-- example/self-hosted-node-pools/example.tf | 5 ++++- main.tf | 2 +- variables.tf | 7 ++++--- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index 4a6f2c2..3e78ec3 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -76,7 +76,7 @@ module "gke" { subnetwork = module.subnet.id project_id = var.gcp_project_id region = var.gcp_region - labels = "dev-gke" + cluster_name = "test-gke" location = "us-central1" gke_version = "1.30.2-gke.1587003" 
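Review bot: `type = string` combined with the unchanged `default = {}` in the `variable "labels"` hunk is invalid: an empty object cannot be converted to a string, so `terraform validate` fails on the default value. main.tf assigns `labels = var.labels` inside `node_config`, which takes a map, so the variable should stay `type = map(string)` with `default = {}`; the example hunk that removes `metadata = true` is the right direction, since that argument also had no matching type.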
@@ -95,7 +95,9 @@ module "gke" { master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" - metadata = true + labels = { + application = "my-other-app" + } cluster_network_policy = { policy1 = { enabled = true diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index a1e2d8f..47d92b8 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -75,7 +75,7 @@ module "gke" { subnetwork = module.subnet.id project_id = var.gcp_project_id region = var.gcp_region - labels = "dev-gke" + cluster_name = "test-gke" location = "us-central1" gke_version = "1.29.1-gke.1589017" @@ -93,6 +93,9 @@ module "gke" { master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" + labels = { + application = "my-other-app" + } cluster_network_policy = { policy1 = { enabled = true diff --git a/main.tf b/main.tf index 224f973..9a78f54 100644 --- a/main.tf +++ b/main.tf @@ -62,7 +62,7 @@ resource "google_container_cluster" "primary" { preemptible = var.enable_preemptible spot = var.spot - labels = var.labels + labels = var.labels } } } diff --git a/variables.tf b/variables.tf index 93325fa..2ac8150 100644 --- a/variables.tf +++ b/variables.tf @@ -266,9 +266,10 @@ variable "master_ipv4_cidr_block" { } variable "labels" { - description = "A map of labels to apply to the GKE cluster and its resources." - type = string - default = {} + type = map(string) + default = { + application = "my-app" + } } variable "cluster_secondary_range_name" { From 7d5a8cebf4e07b8d8c6d1fa6355881d673736c9b Mon Sep 17 00:00:00 2001 
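Review bot: The `variable "labels"` hunk drops the description and replaces the empty default with `application = "my-app"`, so every consumer that does not set `labels` now gets that Kubernetes node label on all managed nodes, which is a surprising default for a reusable module. Prefer `default = {}` and restore documentation, e.g. `description = "Kubernetes node labels applied to each node of the managed node pools."`; the example hunks already pass their own map, so nothing depends on the non-empty default.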
From: Kkhandale2024 Date: Tue, 27 Aug 2024 00:07:24 +0530 Subject: [PATCH 24/54] feat: resolved tfcheck issue --- example/managed-node-pools/example.tf | 13 +++++++------ example/self-hosted-node-pools/example.tf | 13 +++++++------ main.tf | 2 +- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index 3e78ec3..cfdf933 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -72,11 +72,11 @@ module "gke" { environment = var.environment label_order = var.label_order - network = module.vpc.vpc_id - subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - + network = module.vpc.vpc_id + subnetwork = module.subnet.id + project_id = var.gcp_project_id + region = var.gcp_region + cluster_name = "test-gke" location = "us-central1" gke_version = "1.30.2-gke.1587003" @@ -92,11 +92,12 @@ module "gke" { pod_security_policy = true enable_private_endpoint = false enable_private_nodes = true + metadata = true master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" labels = { - application = "my-other-app" + application = "my-other-app" } cluster_network_policy = { policy1 = { diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 47d92b8..8b44027 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -71,11 +71,11 @@ module "gke" { environment = var.environment label_order = var.label_order - network = module.vpc.vpc_id - subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - + network = module.vpc.vpc_id + subnetwork = module.subnet.id + project_id = var.gcp_project_id + region = var.gcp_region + cluster_name = "test-gke" location = "us-central1" gke_version = "1.29.1-gke.1589017" 
@@ -90,11 +90,12 @@ module "gke" { spot = true enable_private_endpoint = false enable_private_nodes = true + metadata = true master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" labels = { - application = "my-other-app" + application = "my-other-app" } cluster_network_policy = { policy1 = { diff --git a/main.tf b/main.tf index 9a78f54..224f973 100644 --- a/main.tf +++ b/main.tf @@ -62,7 +62,7 @@ resource "google_container_cluster" "primary" { preemptible = var.enable_preemptible spot = var.spot - labels = var.labels + labels = var.labels } } } From 219a65acba68e5c49837ebd2410a5a22e23c9444 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 00:10:50 +0530 Subject: [PATCH 25/54] feat: resolved tfcheck issue --- example/managed-node-pools/example.tf | 1 - example/self-hosted-node-pools/example.tf | 1 - variables.tf | 6 ------ 3 files changed, 8 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index cfdf933..c86b2b9 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -92,7 +92,6 @@ module "gke" { pod_security_policy = true enable_private_endpoint = false enable_private_nodes = true - metadata = true master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 8b44027..6c1f19c 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -90,7 +90,6 @@ module "gke" { spot = true enable_private_endpoint = false enable_private_nodes = true - metadata = true master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" diff --git a/variables.tf b/variables.tf index 2ac8150..8db4ddf 100644 --- a/variables.tf 
+++ b/variables.tf @@ -285,9 +285,3 @@ variable "services_secondary_range_name" { } -variable "metadata" { - type = map(string) - default = { - disable-legacy-endpoints = "true" - } -} \ No newline at end of file From 34c4433107747a531eaab4ada2be9f2fd730b6e3 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 00:45:27 +0530 Subject: [PATCH 26/54] feat: resolved defsec comments --- example/managed-node-pools/example.tf | 8 +++++--- example/self-hosted-node-pools/example.tf | 8 +++++--- main.tf | 4 ++++ variables.tf | 5 +++++ 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/example/managed-node-pools/example.tf b/example/managed-node-pools/example.tf index c86b2b9..7658891 100644 --- a/example/managed-node-pools/example.tf +++ b/example/managed-node-pools/example.tf @@ -95,9 +95,7 @@ module "gke" { master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" - labels = { - application = "my-other-app" - } + workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { enabled = true @@ -130,4 +128,8 @@ module "gke" { preemptible = true } ] + + labels = { + application = "app" + } } \ No newline at end of file diff --git a/example/self-hosted-node-pools/example.tf b/example/self-hosted-node-pools/example.tf index 6c1f19c..431569e 100644 --- a/example/self-hosted-node-pools/example.tf +++ b/example/self-hosted-node-pools/example.tf @@ -93,9 +93,7 @@ module "gke" { master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" - labels = { - application = "my-other-app" - } + workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { enabled = true @@ -128,4 +126,8 @@ module "gke" { preemptible = true } ] + + labels = { + application = "app" + } } \ No newline at end of file diff --git a/main.tf b/main.tf index 224f973..b6e4eba 100644 --- a/main.tf +++ b/main.tf 
@@ -63,6 +63,10 @@ resource "google_container_cluster" "primary" { spot = var.spot labels = var.labels + + workload_metadata_config { + mode = var.workload_metadata_mode + } } } } diff --git a/variables.tf b/variables.tf index 8db4ddf..86dd8d0 100644 --- a/variables.tf +++ b/variables.tf @@ -285,3 +285,8 @@ variable "services_secondary_range_name" { } +variable "workload_metadata_mode" { + description = "The mode for workload metadata configuration." + type = string + default = "GKE_METADATA" +} \ No newline at end of file From 469ce5aa890ad0c139ecc0e2ff2fe6c0e8487491 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 00:46:57 +0530 Subject: [PATCH 27/54] feat: resolved tfcheck issue --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index b6e4eba..a8c2767 100644 --- a/main.tf +++ b/main.tf @@ -64,9 +64,9 @@ resource "google_container_cluster" "primary" { labels = var.labels - workload_metadata_config { - mode = var.workload_metadata_mode - } + workload_metadata_config { + mode = var.workload_metadata_mode + } } } } From a1dd4df88b12d917fa08dc1b0b2b427f627afdd5 Mon Sep 17 00:00:00 2001 
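Review bot: `workload_metadata_config { mode = var.workload_metadata_mode }` is added only to the managed `node_pool` block of `google_container_cluster.primary`; the diffstat shows all four main.tf insertions in this hunk, so the separate `google_container_node_pool.node_pool` resource used by the self-hosted example keeps the provider's default metadata exposure and does not benefit from the GKE_METADATA hardening. Add the same block to that resource's `node_config`. The new `variable "workload_metadata_mode"` would also benefit from a `validation` block whose condition is `condition = contains(["GCE_METADATA", "GKE_METADATA"], var.workload_metadata_mode)`, so a typo fails at plan time rather than at the API. The resource block continues outside the hunk.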
From: Kkhandale2024 Date: Tue, 27 Aug 2024 15:02:43 +0530 Subject: [PATCH 28/54] feat: updated workflow files --- .github/dependabot.yml | 23 ++-- .github/workflows/auto_assignee.yml | 2 +- .github/workflows/automerge.yml | 12 -- .github/workflows/changelog.yml | 2 +- .github/workflows/readme.yml | 57 ++------- .github/workflows/tf-checks.yml | 13 +- .github/workflows/tflint.yml | 2 +- .github/workflows/tfsec.yml | 2 +- README.yaml | 114 +++++++++++------- .../managed-node-pools/example.tf | 0 .../managed-node-pools/outputs.tf | 0 .../managed-node-pools/variables.tf | 0 .../managed-node-pools/versions.tf | 0 .../self-hosted-node-pools/example.tf | 0 .../self-hosted-node-pools/outputs.tf | 0 .../self-hosted-node-pools/variables.tf | 0 .../self-hosted-node-pools/versions.tf | 0 versions.tf | 6 +- 18 files changed, 107 insertions(+), 126 deletions(-) delete mode 100644 .github/workflows/automerge.yml rename {example => examples}/managed-node-pools/example.tf (100%) rename {example => examples}/managed-node-pools/outputs.tf (100%) rename {example => examples}/managed-node-pools/variables.tf (100%) rename {example => examples}/managed-node-pools/versions.tf (100%) rename {example => examples}/self-hosted-node-pools/example.tf (100%) rename {example => examples}/self-hosted-node-pools/outputs.tf (100%) rename {example => examples}/self-hosted-node-pools/variables.tf (100%) rename {example => examples}/self-hosted-node-pools/versions.tf (100%) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fdf32a1..29d5cdc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -2,20 +2,22 @@ # package ecosystems to update and where the package manifests are located. # Please see the documentation for all configuration options: # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + version: 2 updates: - - package-ecosystem: "terraform" # See documentation for possible values - directory: "/" # Location of package manifests + + - package-ecosystem: "github-actions" + directory: "/" schedule: - interval: "weekly" - # Add assignees + interval: "daily" + open-pull-requests-limit: 3 assignees: - "clouddrove-ci" - # Add reviewer reviewers: - "approvers" + - package-ecosystem: "terraform" # See documentation for possible values - directory: "./example/self-hosted-node-pools" # Location of package manifests + directory: "examples/managed-node-pools" # Location of package manifests schedule: interval: "weekly" # Add assignees @@ -24,8 +26,11 @@ updates: # Add reviewer reviewers: - "approvers" + # Allow up to 3 open pull requests for pip dependencies + open-pull-requests-limit: 3 + - package-ecosystem: "terraform" # See documentation for possible values - directory: "/example/managed-node-pools" # Location of package manifests + directory: "examples/self-hosted-node-pools" # Location of package manifests schedule: interval: "weekly" # Add assignees @@ -33,4 +38,6 @@ updates: - "clouddrove-ci" # Add reviewer reviewers: - - "approvers" \ No newline at end of file + - "approvers" + # Allow up to 3 open pull requests for pip dependencies + open-pull-requests-limit: 3 \ No newline at end of file diff --git a/.github/workflows/auto_assignee.yml b/.github/workflows/auto_assignee.yml index 0aa2cbd..77d5fdf 100644 --- a/.github/workflows/auto_assignee.yml +++ b/.github/workflows/auto_assignee.yml 
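Review bot: The comment `# Allow up to 3 open pull requests for pip dependencies` is pasted under two `package-ecosystem: "terraform"` entries, where there are no pip dependencies; change it to `# Allow up to 3 open pull requests for terraform dependencies` or drop it. The new `directory: "examples/managed-node-pools"` and `directory: "examples/self-hosted-node-pools"` values also lack the leading slash that the root entry (`directory: "/"`) uses; Dependabot's documented examples are root-relative paths beginning with `/`, so it is worth confirming `directory: "/examples/managed-node-pools"` is what the service expects.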
@@ -7,7 +7,7 @@ on: workflow_dispatch: jobs: assignee: - uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@1.0.9 + uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@master secrets: GITHUB: ${{ secrets.GITHUB }} with: diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml deleted file mode 100644 index 6ec1b8e..0000000 --- a/.github/workflows/automerge.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -name: Auto merge -on: - pull_request: -jobs: - auto-merge: - uses: clouddrove/github-shared-workflows/.github/workflows/auto_merge.yml@1.0.9 - secrets: - GITHUB: ${{ secrets.GITHUB }} - with: - tfcheck: 'tf-checks-aws-managed-example / Check code format' -... \ No newline at end of file diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 2d1b73e..4b735f5 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: jobs: changelog: - uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@1.0.9 + uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master secrets: inherit with: branch: 'master' \ No newline at end of file diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml index 9513782..a4d3d56 100644 --- a/.github/workflows/readme.yml +++ b/.github/workflows/readme.yml 
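Review bot: Replacing `@1.0.9` with `@master` on the reusable workflow means whatever the shared repository's default branch holds at run time executes here with `secrets.GITHUB`, so a change or compromise upstream lands in this repository without a reviewable diff or a way to roll back. Pin to an immutable ref instead: a release tag as before, or better a full commit SHA with the version in a trailing comment, e.g. `uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@<COMMIT_SHA> # 1.0.9`. The same unpinning occurs in the changelog.yml hunk on this line and in the readme.yml, tf-checks.yml, tflint.yml and tfsec.yml hunks that follow.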
@@ -1,53 +1,14 @@ -name: 'Create README.md file' +name: readme workflow on: push: branches: - master - + paths-ignore: + - 'README.md' + workflow_dispatch: jobs: - readme-create: - name: 'readme-create' - runs-on: ubuntu-latest - steps: - - name: 'Checkout' - uses: actions/checkout@master - - - name: 'Set up Python 3.7' - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - - name: 'create readme' - uses: 'clouddrove/github-actions@9.0.3' - with: - actions_subcommand: 'readme' - github_token: '${{ secrets.GITHUB }}' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: 'pre-commit check errors' - uses: pre-commit/action@v3.0.0 - continue-on-error: true - - - name: 'pre-commit fix erros' - uses: pre-commit/action@v3.0.0 - continue-on-error: true - - - name: 'push readme' - uses: 'clouddrove/github-actions@9.0.3' - continue-on-error: true - with: - actions_subcommand: 'push' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: 'Slack Notification' - uses: clouddrove/action-slack@v2 - with: - status: ${{ job.status }} - fields: repo,author - author_name: 'CloudDrove' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} # required - if: always() \ No newline at end of file + readme: + uses: clouddrove/github-shared-workflows/.github/workflows/readme.yml@master + secrets: + TOKEN : ${{ secrets.GITHUB }} + SLACK_WEBHOOK_TERRAFORM: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} \ No newline at end of file diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml index e3f9ec1..479a122 100644 --- a/.github/workflows/tf-checks.yml +++ b/.github/workflows/tf-checks.yml 
@@ -5,11 +5,12 @@ on: pull_request: workflow_dispatch: jobs: - tf-checks-aws-managed-example: - uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.9 + basic: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master with: - working_directory: './example/managed-node-pools/' - tf-checks-complete-example: - uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@1.0.9 + working_directory: './examples/managed-node-pools/' + + complete: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master with: - working_directory: './example/self-hosted-node-pools/' \ No newline at end of file + working_directory: './examples/self-hosted-node-pools/' \ No newline at end of file diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml index a467f87..ee98182 100644 --- a/.github/workflows/tflint.yml +++ b/.github/workflows/tflint.yml @@ -6,6 +6,6 @@ on: workflow_dispatch: jobs: tf-lint: - uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@1.0.9 + uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@master secrets: GITHUB: ${{ secrets.GITHUB }} \ No newline at end of file diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 6044183..9aaf588 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -5,7 +5,7 @@ on: workflow_dispatch: jobs: tfsec: - uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@1.0.9 + uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master secrets: inherit with: working_directory: '.' \ No newline at end of file diff --git a/README.yaml b/README.yaml index a0e84b3..7437cb5 100644 --- a/README.yaml +++ b/README.yaml @@ -5,7 +5,7 @@ # # Name of this project -name : Terraform gcp gke +name : Terraform module gke # License of this project license: "APACHE" 
@@ -30,7 +30,7 @@ badges: prerequesties: - name: Terraform url: https://learn.hashicorp.com/terraform/getting-started/install.html - version: ">= 1.4.6" + version: ">= 1.7.0" providers: - name: gcp 
@@ -39,55 +39,79 @@ providers: # description of this project description: |- - Terraform module to create gke resource on google. -# extra content -include: - - "terraform.md" + Terraform module to create and manage GKE clusters on Google Cloud Platform. -# How to use this project # How to use this project usage: |- Here are some examples of how you can use this module in your inventory structure: ### Default gke ```hcl module "gke" { - source = "../../" - - name = "gke" - environment = var.environment - label_order = var.label_order - - network = module.vpc.vpc_id - subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.29.1-gke.1589017" - module_enabled = true - remove_default_node_pool = true - service_account = "" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - managed_node_pool = [ - { - name = "critical" - initial_node_count = 1 - machine_type = "g1-small" - disk_size_gb = "10" - disk_type = "pd-standard" - preemptible = true - }, - { - name = "general" - initial_node_count = 1 - machine_type = "g1-small" - disk_size_gb = "10" - disk_type = "pd-standard" - preemptible = true - } - ] + source = "../../" + + name = "gke" + environment = var.environment + label_order = var.label_order + + network = module.vpc.vpc_id + subnetwork = module.subnet.id + project_id = var.gcp_project_id + region = var.gcp_region + + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.30.2-gke.1587003" + remove_default_node_pool = true + service_account = "example@example.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = true + spot = false + enable_preemptible = true + pod_security_policy = true + enable_private_endpoint = false + enable_private_nodes = true + 
master_ipv4_cidr_block = "10.13.0.0/28" + cluster_secondary_range_name = "pod-range" + services_secondary_range_name = "svc-range" + workload_metadata_mode = "GKE_METADATA" + cluster_network_policy = { + policy1 = { + enabled = true + provider = "CALICO" + } + } + master_authorized_networks = [ + { + cidr_block = "10.0.0.7/32" + display_name = "net1" + } + ] + managed_node_pool = [ + { + name = "critical" + initial_node_count = 1 + machine_type = "g1-small" + image_type = "COS_CONTAINERD" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + }, + { + name = "general" + initial_node_count = 1 + image_type = "COS_CONTAINERD" + machine_type = "g1-small" + disk_size_gb = "10" + disk_type = "pd-standard" + preemptible = true + } + ] + + labels = { + application = "app" + } } ``` \ No newline at end of file diff --git a/example/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf similarity index 100% rename from example/managed-node-pools/example.tf rename to examples/managed-node-pools/example.tf diff --git a/example/managed-node-pools/outputs.tf b/examples/managed-node-pools/outputs.tf similarity index 100% rename from example/managed-node-pools/outputs.tf rename to examples/managed-node-pools/outputs.tf diff --git a/example/managed-node-pools/variables.tf b/examples/managed-node-pools/variables.tf similarity index 100% rename from example/managed-node-pools/variables.tf rename to examples/managed-node-pools/variables.tf diff --git a/example/managed-node-pools/versions.tf b/examples/managed-node-pools/versions.tf similarity index 100% rename from example/managed-node-pools/versions.tf rename to examples/managed-node-pools/versions.tf diff --git a/example/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf similarity index 100% rename from example/self-hosted-node-pools/example.tf rename to examples/self-hosted-node-pools/example.tf 
diff --git a/example/self-hosted-node-pools/outputs.tf b/examples/self-hosted-node-pools/outputs.tf similarity index 100% rename from example/self-hosted-node-pools/outputs.tf rename to examples/self-hosted-node-pools/outputs.tf diff --git a/example/self-hosted-node-pools/variables.tf b/examples/self-hosted-node-pools/variables.tf similarity index 100% rename from example/self-hosted-node-pools/variables.tf rename to examples/self-hosted-node-pools/variables.tf diff --git a/example/self-hosted-node-pools/versions.tf b/examples/self-hosted-node-pools/versions.tf similarity index 100% rename from example/self-hosted-node-pools/versions.tf rename to examples/self-hosted-node-pools/versions.tf diff --git a/versions.tf b/versions.tf index 2bdc416..000817c 100644 --- a/versions.tf +++ b/versions.tf @@ -1,14 +1,14 @@ terraform { - required_version = ">=1.3" + required_version = ">= 1.7.0" required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.22.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.22.0" } kubernetes = { source = "hashicorp/kubernetes" From 7760c4642a3e64118038cf1482546a2f483f25ad Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 16:19:55 +0530 Subject: [PATCH 29/54] feat: Resolved Security Scan issue --- examples/managed-node-pools/example.tf | 6 +++--- main.tf | 20 +++++++++++--------- variables.tf | 10 +++++++++- 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index 7658891..35fff33 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -104,9 +104,9 @@ module "gke" { } master_authorized_networks = [ { - cidr_block = "10.0.0.7/32" - display_name = "net1" - } + cidr_block = "192.168.1.0/24" + display_name = "Office Network" + }, ] managed_node_pool = [ { 
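Review bot: Dropping the `< 6` upper bound on both `google` and `google-beta` means a consumer's next `terraform init` after a provider major release will resolve to 6.x and take any breaking schema changes with it, with nothing changed on the module's side. Keep a bounded constraint on both providers, e.g. `version = ">= 5.22.0, < 6"`, and raise the bound deliberately once the module has been validated against the new major. Raising `required_version` from `>=1.3` to `>= 1.7.0` is a notable jump for existing callers; if intended, it deserves a changelog entry.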
diff --git a/main.tf b/main.tf index a8c2767..f203860 100644 --- a/main.tf +++ b/main.tf @@ -22,6 +22,17 @@ resource "google_container_cluster" "primary" { cluster_ipv4_cidr = var.cluster_ipv4_cidr initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 + master_authorized_networks_config { + dynamic "cidr_blocks" { + for_each = var.master_authorized_networks + + content { + cidr_block = cidr_blocks.value.cidr_block + display_name = cidr_blocks.value.display_name + } + } + } + cluster_autoscaling { enabled = var.cluster_autoscaling @@ -70,15 +81,6 @@ resource "google_container_cluster" "primary" { } } } - dynamic "master_authorized_networks_config" { - for_each = var.master_authorized_networks - content { - cidr_blocks { - cidr_block = master_authorized_networks_config.value["cidr_block"] - display_name = master_authorized_networks_config.value["display_name"] - } - } - } private_cluster_config { enable_private_endpoint = var.enable_private_endpoint diff --git a/variables.tf b/variables.tf index 86dd8d0..d33a110 100644 --- a/variables.tf +++ b/variables.tf @@ -282,11 +282,19 @@ variable "services_secondary_range_name" { type = string default = "services-range" description = "The name of the secondary IP range for services in the GKE cluster." - } variable "workload_metadata_mode" { description = "The mode for workload metadata configuration." type = string default = "GKE_METADATA" +} + +variable "master_authorized_networks" { + description = "A list of CIDR blocks that are allowed to access the master node." + type = list(object({ + cidr_block = string + display_name = string + })) + default = [] } \ No newline at end of file From 7ebd362c7e7b4f169e995c778dfdf2b16f7b1e65 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 16:23:43 +0530 Subject: [PATCH 30/54] feat: Resolved tfcheck error --- variables.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/variables.tf b/variables.tf index d33a110..f320c67 100644 
--- a/variables.tf +++ b/variables.tf @@ -46,14 +46,6 @@ variable "initial_node_count" { description = "The number of nodes to create in this cluster's default node pool." } -variable "master_authorized_networks" { - type = list(object({ - cidr_block = string - display_name = string - })) - description = "List of master authorized networks" -} - variable "cluster_network_policy" { description = "A map of network policy configurations to apply to the GKE cluster." type = map(object({ From e1632cb27d596e918089a5cb72c70fbf1e841a4b Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 16:35:48 +0530 Subject: [PATCH 31/54] feat: Resolved master network issue --- examples/managed-node-pools/example.tf | 1 + main.tf | 16 ++++++++++------ variables.tf | 6 ++++++ 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index 35fff33..edd9d06 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -102,6 +102,7 @@ module "gke" { provider = "CALICO" } } + enable_master_authorized_networks = false master_authorized_networks = [ { cidr_block = "192.168.1.0/24" diff --git a/main.tf b/main.tf index f203860..9ea9d70 100644 --- a/main.tf +++ b/main.tf 
@@ -22,13 +22,17 @@ resource "google_container_cluster" "primary" { cluster_ipv4_cidr = var.cluster_ipv4_cidr initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 - master_authorized_networks_config { - dynamic "cidr_blocks" { - for_each = var.master_authorized_networks + dynamic "master_authorized_networks_config" { + for_each = var.enable_master_authorized_networks ? [1] : [] + + content { + dynamic "cidr_blocks" { + for_each = var.master_authorized_networks - content { - cidr_block = cidr_blocks.value.cidr_block - display_name = cidr_blocks.value.display_name + content { + cidr_block = cidr_blocks.value.cidr_block + display_name = cidr_blocks.value.display_name + } } } } diff --git a/variables.tf b/variables.tf index f320c67..4e13ed3 100644 --- a/variables.tf +++ b/variables.tf @@ -289,4 +289,10 @@ variable "master_authorized_networks" { display_name = string })) default = [] +} + +variable "enable_master_authorized_networks" { + description = "Whether to enable master authorized networks for the GKE cluster." + type = bool + default = false } \ No newline at end of file From 8b435a6a92598486873c0567c23b14508a559f52 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 16:37:30 +0530 Subject: [PATCH 32/54] feat: Resolved format issue --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9ea9d70..ae463ff 100644 --- a/main.tf +++ b/main.tf @@ -24,7 +24,7 @@ resource "google_container_cluster" "primary" { dynamic "master_authorized_networks_config" { for_each = var.enable_master_authorized_networks ? [1] : [] - + content { dynamic "cidr_blocks" { for_each = var.master_authorized_networks From da0534134877a76436b6d23a1583f1368de7c18b Mon Sep 17 00:00:00 2001 
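Review bot: The new `enable_master_authorized_networks` flag and the `master_authorized_networks` list are independent, so setting the flag to `false` while a populated list is supplied (exactly what the example hunk above does) silently discards the allowlist and, with `enable_private_endpoint = false`, leaves the control-plane endpoint reachable from any source address. Consider a `validation` block or at least a sentence in the variable description making that interaction explicit, since the example reads as if the listed network were in effect. If I read the google provider docs correctly, an enabled config with no `cidr_blocks` allows only GCE public addresses rather than denying all, which is also worth stating so an empty list is not mistaken for deny-all. The enclosing `google_container_cluster` resource continues outside the hunk.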
From: Kkhandale2024 Date: Tue, 27 Aug 2024 19:17:12 +0530 Subject: [PATCH 33/54] feat: Resolved Security Scan issue --- examples/managed-node-pools/example.tf | 4 ++-- examples/self-hosted-node-pools/example.tf | 11 ++++++----- variables.tf | 6 +++--- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index edd9d06..83dc9c4 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -86,12 +86,12 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false - network_policy = true + network_policy = false spot = false enable_preemptible = true pod_security_policy = true enable_private_endpoint = false - enable_private_nodes = true + enable_private_nodes = false master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 431569e..5a00978 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -85,11 +85,11 @@ module "gke" { cluster_autoscaling = false http_load_balancing = false horizontal_pod_autoscaling = false - network_policy = true + network_policy = false pod_security_policy = true spot = true enable_private_endpoint = false - enable_private_nodes = true + enable_private_nodes = false master_ipv4_cidr_block = "10.13.0.0/28" cluster_secondary_range_name = "pod-range" services_secondary_range_name = "svc-range" @@ -100,11 +100,12 @@ module "gke" { provider = "CALICO" } } + enable_master_authorized_networks = false master_authorized_networks = [ { - cidr_block = "10.0.0.7/32" - display_name = "net1" - } + cidr_block = "192.168.1.0/24" + display_name = "Office Network" + }, ] self_node_pools = [ { 
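Review bot: Both example hunks flip `network_policy`, `enable_private_nodes` and (via the new line) `enable_master_authorized_networks` to `false`, while the variables.tf hunk in this commit moves the module defaults for private nodes and authorized networks to `true`; the examples, which the README publishes as the default usage, therefore override the secure defaults with nodes that have public IPs, a control plane with no allowlist, and pod network policy disabled. A commit titled "Resolved Security Scan issue" that weakens the example posture is hard to justify from the diff alone; if the intent is a cheap throwaway test cluster, leave these inputs at the module defaults or add a comment such as `# test-only: public nodes and no allowlist, do not copy into production`. The example `module "gke"` blocks start before and end after these hunks.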
diff --git a/variables.tf b/variables.tf index 4e13ed3..520f31f 100644 --- a/variables.tf +++ b/variables.tf @@ -52,7 +52,7 @@ variable "cluster_network_policy" { enabled = bool provider = string })) - default = {} + default = true } variable "managed_node_pool" { @@ -248,7 +248,7 @@ variable "enable_private_endpoint" { variable "enable_private_nodes" { description = "Enable or disable private nodes for the GKE cluster" type = bool - default = false + default = true } variable "master_ipv4_cidr_block" { @@ -294,5 +294,5 @@ variable "master_authorized_networks" { variable "enable_master_authorized_networks" { description = "Whether to enable master authorized networks for the GKE cluster." type = bool - default = false + default = true } \ No newline at end of file From e109c780117bddbab2621f64ff8210d869d91a3c Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 19:41:49 +0530 Subject: [PATCH 34/54] feat: Resolved Security Scan --- examples/managed-node-pools/example.tf | 2 +- examples/self-hosted-node-pools/example.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index 83dc9c4..f2a0833 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -98,7 +98,7 @@ module "gke" { workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { - enabled = true + enabled = false provider = "CALICO" } } diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 5a00978..d9e725d 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -96,7 +96,7 @@ module "gke" { workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { - enabled = true + enabled = false provider = "CALICO" } } From e4f65bd3e576bc5141a4a6a77742033552299a29 Mon Sep 17 00:00:00 2001 
From: Kkhandale2024 Date: Tue, 27 Aug 2024 19:44:49 +0530 Subject: [PATCH 35/54] feat: Resolved network issue --- variables.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/variables.tf b/variables.tf index 520f31f..c56eb77 100644 --- a/variables.tf +++ b/variables.tf @@ -47,12 +47,17 @@ variable "initial_node_count" { } variable "cluster_network_policy" { - description = "A map of network policy configurations to apply to the GKE cluster." + description = "Network policy configuration for the GKE cluster" type = map(object({ enabled = bool provider = string })) - default = true + default = { + policy1 = { + enabled = true + provider = "CALICO" + } + } } variable "managed_node_pool" { From c1a210caf86685a1ba4e47bc73f886f102d2cc8b Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 19:50:51 +0530 Subject: [PATCH 36/54] feat: added default value --- variables.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index c56eb77..5174f58 100644 --- a/variables.tf +++ b/variables.tf @@ -293,7 +293,12 @@ variable "master_authorized_networks" { cidr_block = string display_name = string })) - default = [] + default = [ + { + cidr_block = "10.0.0.0/28" + display_name = "default-network" + } + ] } variable "enable_master_authorized_networks" { From 328f94606ffe3df5d512e00bb8a900c6749deef3 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 20:00:37 +0530 Subject: [PATCH 37/54] feat: added ip allocation --- main.tf | 5 +++-- variables.tf | 12 ++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index ae463ff..9fe0253 100644 --- a/main.tf +++ b/main.tf 
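Review bot: The new default for `master_authorized_networks` grants control-plane API access to `10.0.0.0/28` on every cluster created without an explicit override, and with `enable_master_authorized_networks` now defaulting to `true` that is whatever network happens to own the range in the consumer's VPC or its peers. An allowlist should default to empty, `default = []`, and callers should list their own ranges; if a non-empty default is being added only to satisfy a scanner, say so in the description rather than baking in an address. A `validation` block checking each `cidr_block` with `can(cidrhost(..., 0))` would also catch malformed entries before apply.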
@@ -61,8 +61,9 @@ resource "google_container_cluster" "primary" { } ip_allocation_policy { - cluster_secondary_range_name = var.cluster_secondary_range_name - services_secondary_range_name = var.services_secondary_range_name + cluster_ipv4_cidr_block = var.cluster_ipv4_cidr_block + services_ipv4_cidr_block = var.services_ipv4_cidr_block + } dynamic "node_pool" { diff --git a/variables.tf b/variables.tf index 5174f58..a34c2e8 100644 --- a/variables.tf +++ b/variables.tf @@ -269,16 +269,16 @@ variable "labels" { } } -variable "cluster_secondary_range_name" { +variable "cluster_ipv4_cidr_block" { + description = "The IP range for the cluster pod IPs" type = string - default = "pods-range" - description = "The name of the secondary IP range for pods in the GKE cluster." + default = "/14" } -variable "services_secondary_range_name" { +variable "services_ipv4_cidr_block" { + description = "The IP range for the services IPs" type = string - default = "services-range" - description = "The name of the secondary IP range for services in the GKE cluster." + default = "/20" } variable "workload_metadata_mode" { From 424aec3478eeb3066ff6c911dad8565e848f0993 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 20:04:36 +0530 Subject: [PATCH 38/54] feat: changes in module --- examples/managed-node-pools/example.tf | 4 ++-- examples/self-hosted-node-pools/example.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index f2a0833..9158e43 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf 
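Review bot: `ip_allocation_policy` now sets `cluster_ipv4_cidr_block`, while the same resource still sets `cluster_ipv4_cidr = var.cluster_ipv4_cidr` near its top (visible in an earlier main.tf hunk); if I remember the google provider schema correctly, those two attributes conflict when both are non-empty, so the module now silently depends on `var.cluster_ipv4_cidr` staying blank and should either drop one of them or guard it with a `validation`. Replacing `cluster_secondary_range_name`/`services_secondary_range_name` outright is also a breaking interface change: callers that pre-create secondary ranges lose that option and fail with an unsupported-argument error on upgrade, so keeping the old variables and choosing between named ranges and masks inside the block would preserve both paths. The enclosing resource block starts and ends outside this hunk.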
@@ -93,8 +93,8 @@ module "gke" { enable_private_endpoint = false enable_private_nodes = false master_ipv4_cidr_block = "10.13.0.0/28" - cluster_secondary_range_name = "pod-range" - services_secondary_range_name = "svc-range" + cluster_ipv4_cidr_block = "/14" + services_ipv4_cidr_block = "/20" workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index d9e725d..4c58a3d 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -91,8 +91,8 @@ module "gke" { enable_private_endpoint = false enable_private_nodes = false master_ipv4_cidr_block = "10.13.0.0/28" - cluster_secondary_range_name = "pod-range" - services_secondary_range_name = "svc-range" + cluster_ipv4_cidr_block = "/14" + services_ipv4_cidr_block = "/20" workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { From d6eafa634e21522ce8201b7d8ae08601253a6bf3 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Tue, 27 Aug 2024 20:06:27 +0530 Subject: [PATCH 39/54] feat: format issue --- examples/managed-node-pools/example.tf | 38 +++++++++++----------- examples/self-hosted-node-pools/example.tf | 36 ++++++++++---------- main.tf | 2 +- variables.tf | 4 +-- 4 files changed, 40 insertions(+), 40 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index 9158e43..b4f1d70 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf 
@@ -77,25 +77,25 @@ module "gke" { project_id = var.gcp_project_id region = var.gcp_region - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.30.2-gke.1587003" - remove_default_node_pool = true - service_account = "example@example.gserviceaccount.com" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = false - spot = false - enable_preemptible = true - pod_security_policy = true - enable_private_endpoint = false - enable_private_nodes = false - master_ipv4_cidr_block = "10.13.0.0/28" - cluster_ipv4_cidr_block = "/14" - services_ipv4_cidr_block = "/20" - workload_metadata_mode = "GKE_METADATA" + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.30.2-gke.1587003" + remove_default_node_pool = true + service_account = "example@example.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = false + spot = false + enable_preemptible = true + pod_security_policy = true + enable_private_endpoint = false + enable_private_nodes = false + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_ipv4_cidr_block = "/14" + services_ipv4_cidr_block = "/20" + workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { enabled = false diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 4c58a3d..9941416 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf 
@@ -76,24 +76,24 @@ module "gke" { project_id = var.gcp_project_id region = var.gcp_region - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.29.1-gke.1589017" - remove_default_node_pool = true - service_account = "example@example.gserviceaccount.com" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = false - pod_security_policy = true - spot = true - enable_private_endpoint = false - enable_private_nodes = false - master_ipv4_cidr_block = "10.13.0.0/28" - cluster_ipv4_cidr_block = "/14" - services_ipv4_cidr_block = "/20" - workload_metadata_mode = "GKE_METADATA" + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.29.1-gke.1589017" + remove_default_node_pool = true + service_account = "example@example.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = false + pod_security_policy = true + spot = true + enable_private_endpoint = false + enable_private_nodes = false + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_ipv4_cidr_block = "/14" + services_ipv4_cidr_block = "/20" + workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { enabled = false diff --git a/main.tf b/main.tf index 9fe0253..581563a 100644 --- a/main.tf +++ b/main.tf @@ -63,7 +63,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_ipv4_cidr_block = var.cluster_ipv4_cidr_block services_ipv4_cidr_block = var.services_ipv4_cidr_block - + } dynamic "node_pool" { diff --git a/variables.tf b/variables.tf index a34c2e8..875b7bf 100644 --- a/variables.tf +++ b/variables.tf 
@@ -272,13 +272,13 @@ variable "labels" { variable "cluster_ipv4_cidr_block" { description = "The IP range for the cluster pod IPs" type = string - default = "/14" + default = "/14" } variable "services_ipv4_cidr_block" { description = "The IP range for the services IPs" type = string - default = "/20" + default = "/20" } variable "workload_metadata_mode" { From 48d5bc983e98ac3dae68127f3b992982355810f9 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 14:17:05 +0530 Subject: [PATCH 40/54] feat: Resolved Security Scan issue --- examples/managed-node-pools/example.tf | 5 ++++- examples/self-hosted-node-pools/example.tf | 5 ++++- main.tf | 2 ++ variables.tf | 14 +++++++++++++- 4 files changed, 23 insertions(+), 3 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index b4f1d70..b0a6062 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -129,8 +129,11 @@ module "gke" { preemptible = true } ] - labels = { application = "app" } + enable_resource_labels = false + resource_labels = { + environment = "production" + } } \ No newline at end of file diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 9941416..5b7358a 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -127,8 +127,11 @@ module "gke" { preemptible = true } ] - labels = { application = "app" } + enable_resource_labels = false + resource_labels = { + environment = "production" + } } \ No newline at end of file diff --git a/main.tf b/main.tf index 581563a..d7e80ac 100644 --- a/main.tf +++ b/main.tf @@ -38,6 +38,8 @@ resource "google_container_cluster" "primary" { } + resource_labels = var.enable_resource_labels ? var.resource_labels : {} + cluster_autoscaling { enabled = var.cluster_autoscaling diff --git a/variables.tf b/variables.tf index 875b7bf..30b45c3 100644 --- a/variables.tf 
+++ b/variables.tf @@ -305,4 +305,16 @@ variable "enable_master_authorized_networks" { description = "Whether to enable master authorized networks for the GKE cluster." type = bool default = true -} \ No newline at end of file +} + +variable "enable_resource_labels" { + description = "Boolean to enable or disable resource labels on the GKE cluster." + type = bool + default = true +} + +variable "resource_labels" { + description = "A map of resource labels to be applied to the GKE cluster." + type = map(string) + default = {} +} From 218cde025312b8bd576b393931479419b85b6787 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 14:18:59 +0530 Subject: [PATCH 41/54] feat: Resolved code format --- examples/self-hosted-node-pools/example.tf | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 5b7358a..6ecb028 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -130,7 +130,7 @@ module "gke" { labels = { application = "app" } - enable_resource_labels = false + enable_resource_labels = false resource_labels = { environment = "production" } diff --git a/variables.tf b/variables.tf index 30b45c3..da27fce 100644 --- a/variables.tf +++ b/variables.tf @@ -310,7 +310,7 @@ variable "enable_master_authorized_networks" { variable "enable_resource_labels" { description = "Boolean to enable or disable resource labels on the GKE cluster." type = bool - default = true + default = true } variable "resource_labels" { From 0c5a393f9269a0cc2d5b067c8afb9c68f7142ba0 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 15:02:01 +0530 Subject: [PATCH 42/54] feat: added resource labels --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d7e80ac..5b30629 100644 --- a/main.tf +++ b/main.tf 
@@ -38,7 +38,7 @@ resource "google_container_cluster" "primary" { } - resource_labels = var.enable_resource_labels ? var.resource_labels : {} + resource_labels = var.enable_resource_labels ? var.resource_labels : null cluster_autoscaling { enabled = var.cluster_autoscaling From 8f721e72caedf98d3cc19e6d47ef87b4305b2e56 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 15:24:32 +0530 Subject: [PATCH 43/54] feat: removed labels --- main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/main.tf b/main.tf index 5b30629..9070155 100644 --- a/main.tf +++ b/main.tf @@ -37,9 +37,6 @@ resource "google_container_cluster" "primary" { } } - - resource_labels = var.enable_resource_labels ? var.resource_labels : null - cluster_autoscaling { enabled = var.cluster_autoscaling From b79e8e73d8c845b98e3c33683e4ec42bf39bf392 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 15:36:43 +0530 Subject: [PATCH 44/54] feat: removed labels --- examples/managed-node-pools/example.tf | 7 ------- examples/self-hosted-node-pools/example.tf | 7 ------- main.tf | 2 +- variables.tf | 17 ----------------- 4 files changed, 1 insertion(+), 32 deletions(-) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index b0a6062..f56234d 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -129,11 +129,4 @@ module "gke" { preemptible = true } ] - labels = { - application = "app" - } - enable_resource_labels = false - resource_labels = { - environment = "production" - } } \ No newline at end of file diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 6ecb028..6a445e1 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf 
@@ -127,11 +127,4 @@ module "gke" { preemptible = true } ] - labels = { - application = "app" - } - enable_resource_labels = false - resource_labels = { - environment = "production" - } } \ No newline at end of file diff --git a/main.tf b/main.tf index 9070155..4690eb0 100644 --- a/main.tf +++ b/main.tf @@ -77,7 +77,7 @@ resource "google_container_cluster" "primary" { preemptible = var.enable_preemptible spot = var.spot - labels = var.labels + workload_metadata_config { mode = var.workload_metadata_mode diff --git a/variables.tf b/variables.tf index da27fce..766970d 100644 --- a/variables.tf +++ b/variables.tf @@ -262,13 +262,6 @@ variable "master_ipv4_cidr_block" { default = "" } -variable "labels" { - type = map(string) - default = { - application = "my-app" - } -} - variable "cluster_ipv4_cidr_block" { description = "The IP range for the cluster pod IPs" type = string @@ -307,14 +300,4 @@ variable "enable_master_authorized_networks" { default = true } -variable "enable_resource_labels" { - description = "Boolean to enable or disable resource labels on the GKE cluster." - type = bool - default = true -} -variable "resource_labels" { - description = "A map of resource labels to be applied to the GKE cluster." - type = map(string) - default = {} -} From 5b2bfd5ed0a93f492b77f3799fa3542f662e7172 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 15:38:18 +0530 Subject: [PATCH 45/54] feat: code format --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 4690eb0..f3f890a 100644 --- a/main.tf +++ b/main.tf @@ -77,7 +77,7 @@ resource "google_container_cluster" "primary" { preemptible = var.enable_preemptible spot = var.spot - + workload_metadata_config { mode = var.workload_metadata_mode From c832fda6c8c4a306044549d4ca7c9f275ffa6363 Mon Sep 17 00:00:00 2001 
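Review bot: Removing `labels = var.labels` from `node_config` in the main.tf hunk, together with the `labels` variable in the variables.tf hunk, is a breaking change for consumers that pass `labels`, and on the next apply existing node pools lose their Kubernetes node labels, which can reschedule workloads that select nodes with them. Those node labels are not the same thing as the GCP `resource_labels` the surrounding commits add and remove, so the latter does not replace them. If the removal is intended, keep `labels` as a deprecated variable for a release and note it in the changelog. The `node_pool` dynamic block continues outside the hunk.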
From: Kkhandale2024 Date: Wed, 28 Aug 2024 15:51:43 +0530 Subject: [PATCH 46/54] feat: added lebale --- examples/managed-node-pools/example.tf | 6 ++++++ examples/self-hosted-node-pools/example.tf | 6 ++++++ main.tf | 2 ++ variables.tf | 10 ++++++++++ 4 files changed, 24 insertions(+) diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index f56234d..ba8823e 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -129,4 +129,10 @@ module "gke" { preemptible = true } ] + + enable_resource_labels = false + + resource_labels = { + "env" = "production" + } } \ No newline at end of file diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 6a445e1..f99f2ee 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -127,4 +127,10 @@ module "gke" { preemptible = true } ] + + enable_resource_labels = false + + resource_labels = { + "env" = "production" + } } \ No newline at end of file diff --git a/main.tf b/main.tf index f3f890a..b5239b2 100644 --- a/main.tf +++ b/main.tf @@ -37,6 +37,8 @@ resource "google_container_cluster" "primary" { } } + resource_labels = var.enable_resource_labels ? var.resource_labels : {} + cluster_autoscaling { enabled = var.cluster_autoscaling diff --git a/variables.tf b/variables.tf index 766970d..7a64279 100644 --- a/variables.tf +++ b/variables.tf @@ -300,4 +300,14 @@ variable "enable_master_authorized_networks" { default = true } +variable "enable_resource_labels" { + description = "Flag to enable or disable GCE resource labels." + type = bool + default = false +} +variable "resource_labels" { + description = "Resource labels for GCE resources." + type = map(string) + default = {} +} From fb4e892827f7fa2c9a8c044bb02dc280d80e370a Mon Sep 17 00:00:00 2001 
From: Kkhandale2024 Date: Wed, 28 Aug 2024 16:01:14 +0530 Subject: [PATCH 47/54] feat: added lebale true --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 7a64279..4a16a74 100644 --- a/variables.tf +++ b/variables.tf @@ -303,7 +303,7 @@ variable "enable_master_authorized_networks" { variable "enable_resource_labels" { description = "Flag to enable or disable GCE resource labels." type = bool - default = false + default = true } variable "resource_labels" { From 229fb1bfc91d4869ac7c5b7226506c64ae6f4b31 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 16:07:11 +0530 Subject: [PATCH 48/54] feat: added default label --- variables.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 4a16a74..1375659 100644 --- a/variables.tf +++ b/variables.tf @@ -309,5 +309,7 @@ variable "enable_resource_labels" { variable "resource_labels" { description = "Resource labels for GCE resources." type = map(string) - default = {} + default = { + "env" = "production" + } } From 1d1dadee2e9d24072b0e57b1070e54334dc4c4f2 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Wed, 28 Aug 2024 20:12:05 +0530 Subject: [PATCH 49/54] feat: new update --- README.yaml | 53 ++++---- .../.terraform.tfstate.lock.info | 1 + examples/managed-node-pools/example.tf | 92 +++++++------- .../.terraform.tfstate.lock.info | 1 + examples/self-hosted-node-pools/example.tf | 113 +++++++++--------- main.tf | 28 +++-- variables.tf | 55 +++++++-- 7 files changed, 202 insertions(+), 141 deletions(-) create mode 100644 examples/managed-node-pools/.terraform.tfstate.lock.info create mode 100644 examples/self-hosted-node-pools/.terraform.tfstate.lock.info diff --git a/README.yaml b/README.yaml index 7437cb5..4e93d0e 100644 --- a/README.yaml +++ b/README.yaml 
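Review bot: The new `resource_labels` default stamps `env = "production"` on every cluster whose caller does not override it, and with `enable_resource_labels` defaulting to `true` in the previous commit, dev and test clusters will show up as production in billing exports and in any label-driven policy or alerting. A label that classifies the environment should not have a fixed default; `default = {}` here, or deriving the value from the module's existing `environment` input, is the safer choice.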
@@ -58,36 +58,37 @@ usage: |- project_id = var.gcp_project_id region = var.gcp_region - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.30.2-gke.1587003" - remove_default_node_pool = true - service_account = "example@example.gserviceaccount.com" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = true - spot = false - enable_preemptible = true - pod_security_policy = true - enable_private_endpoint = false - enable_private_nodes = true - master_ipv4_cidr_block = "10.13.0.0/28" - cluster_secondary_range_name = "pod-range" - services_secondary_range_name = "svc-range" - workload_metadata_mode = "GKE_METADATA" + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.30.2-gke.1587003" + remove_default_node_pool = true + service_account = "example@example.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = false + spot = false + enable_preemptible = true + pod_security_policy = true + enable_private_endpoint = false + enable_private_nodes = false + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_ipv4_cidr_block = "/14" + services_ipv4_cidr_block = "/20" + workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { - enabled = true + enabled = false provider = "CALICO" } } + enable_master_authorized_networks = false master_authorized_networks = [ { - cidr_block = "10.0.0.7/32" - display_name = "net1" - } + cidr_block = "192.168.1.0/24" + display_name = "Office Network" + }, ] managed_node_pool = [ { @@ -110,8 +111,10 @@ usage: |- } ] - labels = { - application = "app" + enable_resource_labels = false + + resource_labels = { + "env" = "production" } } ``` \ No newline at end of file 
diff --git a/examples/managed-node-pools/.terraform.tfstate.lock.info b/examples/managed-node-pools/.terraform.tfstate.lock.info new file mode 100644 index 0000000..d48bf38 --- /dev/null +++ b/examples/managed-node-pools/.terraform.tfstate.lock.info @@ -0,0 +1 @@ +{"ID":"0cf22bb1-9e0c-baed-0964-4bfb3ecac8b2","Operation":"OperationTypeApply","Info":"","Who":"kalyani@kalyani-HP-EliteBook-840-G3","Version":"1.8.1","Created":"2024-08-28T11:34:00.611482184Z","Path":"terraform.tfstate"} \ No newline at end of file diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index ba8823e..579984b 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -1,16 +1,16 @@ provider "google" { - project = var.gcp_project_id - region = var.gcp_region - zone = var.gcp_zone + project = "my-project-44865-424207" + region = "us-central1" + zone = "us-central1-b" } module "vpc" { source = "clouddrove/vpc/gcp" version = "1.0.0" - name = "test-vpc" - environment = var.environment - label_order = var.label_order + name = "test-vpc" + #environment = var.environment + #label_order = var.label_order google_compute_network_enabled = true enable_ula_internal_ipv6 = false } @@ -18,11 +18,11 @@ module "vpc" { module "subnet" { source = "clouddrove/subnet/gcp" - name = "dev-test" - environment = var.environment - label_order = var.label_order - gcp_region = "us-central1" - version = "1.0.1" + name = "dev-test" + #environment = var.environment + #label_order = var.label_order + gcp_region = "us-central1" + version = "1.0.1" google_compute_subnetwork_enabled = true @@ -31,7 +31,7 @@ module "subnet" { module_enabled = true ipv6_access_type = "EXTERNAL" network = module.vpc.vpc_id - project_id = "clouddrove" + project_id = "my-project-44865-424207" private_ip_google_access = true allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }] source_ranges = ["10.10.0.0/16"] 
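Review bot: examples/managed-node-pools/.terraform.tfstate.lock.info is a Terraform state-lock artifact and should not be committed; it is stale the moment the apply finishes, and it records the operator's local account and hostname (`"Who":"kalyani@kalyani-HP-EliteBook-840-G3"`), which stays in git history even though patch 50 deletes the file again. The same file is added for examples/self-hosted-node-pools in this patch. Add `.terraform.tfstate.lock.info` and `*.tfstate*` to .gitignore so a local apply cannot leave these behind in the examples directories.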
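Review bot: The provider block now hard-codes a private project id, `project = "my-project-44865-424207"`, in place of `var.gcp_project_id`, and the same literal is pasted into the subnet hunk (`@@ -31,7`) and into both examples/self-hosted-node-pools/example.tf hunks in this patch. An example that only applies against one person's project is not reusable, and leaving `#environment = var.environment` / `#label_order = var.label_order` commented out means the module's labelling inputs are no longer exercised by the example at all. If the variables were removed because they broke the run, that belongs in the commit message; otherwise keep `project = var.gcp_project_id` (patch 50 does restore it, so this intermediate state is history only).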
@@ -54,13 +54,13 @@ module "subnet" { } ] - log_config = { - aggregation_interval = "INTERVAL_10_MIN" - flow_sampling = 0.5 - metadata = "INCLUDE_ALL_METADATA" - metadata_fields = ["SRC_IP", "DST_IP"] - filter_expr = "true" - } + # log_config = { + # aggregation_interval = "INTERVAL_10_MIN" + # flow_sampling = 0.5 + # metadata = "INCLUDE_ALL_METADATA" + # metadata_fields = ["SRC_IP", "DST_IP"] + # filter_expr = "true" + # } } 
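Review bot: Commenting out `log_config` removes VPC flow logging from the example subnet (and the identical hunk in examples/self-hosted-node-pools/example.tf at `@@ -53,13`), so the example no longer shows the network telemetry a cluster subnet is expected to ship with, and reference examples tend to be copied as-is. If the block was disabled because the subnet module rejected it, say so above it — `# log_config disabled: <reason> — TODO re-enable` — or remove it outright rather than leaving dead commented code. Patch 50 restores the block, so the gap is confined to this commit's state.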
@@ -68,34 +68,38 @@ module "subnet" { module "gke" { source = "../../" - name = "gke" - environment = var.environment - label_order = var.label_order + name = "gke-1" + #environment = var.environment + #label_order = var.label_order network = module.vpc.vpc_id subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.30.2-gke.1587003" - remove_default_node_pool = true - service_account = "example@example.gserviceaccount.com" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = false - spot = false - enable_preemptible = true - pod_security_policy = true - enable_private_endpoint = false - enable_private_nodes = false - master_ipv4_cidr_block = "10.13.0.0/28" - cluster_ipv4_cidr_block = "/14" - services_ipv4_cidr_block = "/20" - workload_metadata_mode = "GKE_METADATA" + project_id = "my-project-44865-424207" + region = "us-central1" + + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.30.2-gke.1587003" + remove_default_node_pool = false + service_account = "295233741425-compute@developer.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = false + spot = false + enable_preemptible = true + pod_security_policy = true + enable_private_endpoint = false + enable_private_nodes = false + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_ipv4_cidr = "10.0.0.0/16" + enable_ip_allocation_policy = false + enable_workload_metadata_config = false + cluster_ipv4_cidr_block = "/24" + services_ipv4_cidr_block = "/20" + workload_metadata_mode = "GKE_METADATA" + #enable_metadata = false cluster_network_policy = { policy1 = { enabled = false 
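Review bot: `service_account = "295233741425-compute@developer.gserviceaccount.com"` puts the project's default Compute Engine service account on the nodes; that account is usually granted project-wide Editor, so every pod on the pool inherits far more than it needs, and the placeholder `example@example.gserviceaccount.com` it replaces existed precisely to steer users toward a dedicated least-privilege node SA. The same literal appears in examples/self-hosted-node-pools/example.tf at `@@ -67,33`. In the same hunk `enable_ip_allocation_policy = false` plus `cluster_ipv4_cidr = "10.0.0.0/16"` appears to make this a routes-based rather than VPC-native cluster while `cluster_ipv4_cidr_block`/`services_ipv4_cidr_block` are still set and, given the main.tf change in this patch, ignored; `enable_workload_metadata_config = false` likewise drops the `GKE_METADATA` node setting. I would keep the placeholder SA and the previous VPC-native/metadata settings, or add a comment stating why the example now deliberately shows the less hardened configuration.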
diff --git a/examples/self-hosted-node-pools/.terraform.tfstate.lock.info b/examples/self-hosted-node-pools/.terraform.tfstate.lock.info new file mode 100644 index 0000000..99b19d3 --- /dev/null +++ b/examples/self-hosted-node-pools/.terraform.tfstate.lock.info @@ -0,0 +1 @@ +{"ID":"c4a9101a-8120-0d7f-51f7-ad6acd024ff2","Operation":"OperationTypeApply","Info":"","Who":"kalyani@kalyani-HP-EliteBook-840-G3","Version":"1.8.1","Created":"2024-08-28T12:47:37.034037376Z","Path":"terraform.tfstate"} \ No newline at end of file diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index f99f2ee..1001449 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -1,16 +1,16 @@ provider "google" { - project = var.gcp_project_id - region = var.gcp_region - zone = var.gcp_zone + project = "my-project-44865-424207" + region = "us-central1" + #zone = var.gcp_zone } module "vpc" { source = "clouddrove/vpc/gcp" version = "1.0.0" - name = "test-vpc" - environment = var.environment - label_order = var.label_order + name = "test-vpc" + #environment = var.environment + #label_order = var.label_order google_compute_network_enabled = true enable_ula_internal_ipv6 = false } @@ -18,11 +18,11 @@ module "vpc" { module "subnet" { source = "clouddrove/subnet/gcp" - name = "dev-test" - environment = var.environment - label_order = var.label_order - gcp_region = "us-central1" - version = "1.0.1" + name = "dev-test" + #environment = var.environment + #label_order = var.label_order + gcp_region = "us-central1" + version = "1.0.1" google_compute_subnetwork_enabled = true google_compute_firewall_enabled = true 
@@ -30,7 +30,7 @@ module "subnet" { module_enabled = true ipv6_access_type = "EXTERNAL" network = module.vpc.vpc_id - project_id = "clouddrove" + project_id = "my-project-44865-424207" private_ip_google_access = true allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }] source_ranges = ["10.10.0.0/16"] @@ -53,13 +53,13 @@ module "subnet" { } ] - log_config = { - aggregation_interval = "INTERVAL_10_MIN" - flow_sampling = 0.5 - metadata = "INCLUDE_ALL_METADATA" - metadata_fields = ["SRC_IP", "DST_IP"] - filter_expr = "true" - } + # log_config = { + # aggregation_interval = "INTERVAL_10_MIN" + # flow_sampling = 0.5 + # metadata = "INCLUDE_ALL_METADATA" + # metadata_fields = ["SRC_IP", "DST_IP"] + # filter_expr = "true" + # } } 
@@ -67,33 +67,35 @@ module "subnet" { module "gke" { source = "../../" - name = "gke" - environment = var.environment - label_order = var.label_order + name = "gke" + # environment = var.environment + # label_order = var.label_order network = module.vpc.vpc_id subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region + project_id = "my-project-44865-424207" + region = "us-central1" - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.29.1-gke.1589017" - remove_default_node_pool = true - service_account = "example@example.gserviceaccount.com" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = false - pod_security_policy = true - spot = true - enable_private_endpoint = false - enable_private_nodes = false - master_ipv4_cidr_block = "10.13.0.0/28" - cluster_ipv4_cidr_block = "/14" - services_ipv4_cidr_block = "/20" - workload_metadata_mode = "GKE_METADATA" + cluster_name = "test-gke" + location = "us-central1" + gke_version = "1.30.2-gke.1587003" + remove_default_node_pool = true + service_account = "295233741425-compute@developer.gserviceaccount.com" + deletion_protection = false + cluster_autoscaling = false + http_load_balancing = false + horizontal_pod_autoscaling = false + network_policy = false + pod_security_policy = true + spot = true + enable_private_endpoint = false + enable_private_nodes = false + master_ipv4_cidr_block = "10.13.0.0/28" + cluster_ipv4_cidr_block = "/14" + services_ipv4_cidr_block = "/20" + enable_ip_allocation_policy = false + enable_workload_metadata_config = false + workload_metadata_mode = "GKE_METADATA" cluster_network_policy = { policy1 = { enabled = false 
@@ -107,26 +109,27 @@ module "gke" { display_name = "Office Network" }, ] - self_node_pools = [ - { + self_node_pools = { + critical = { name = "critical" initial_node_count = 1 image_type = "COS_CONTAINERD" machine_type = "g1-small" - disk_size_gb = "10" + disk_size_gb = 10 # Change to number, not string disk_type = "pd-standard" preemptible = true + node_location = "us-central1-a" }, - { - name = "general" - initial_node_count = 1 - image_type = "COS_CONTAINERD" - machine_type = "g1-small" - disk_size_gb = "10" - disk_type = "pd-standard" - preemptible = true - } - ] + # general = { + # name = "general" + # initial_node_count = 1 + # image_type = "COS_CONTAINERD" + # machine_type = "g1-small" + # disk_size_gb = 10 # Change to number, not string + # disk_type = "pd-standard" + # preemptible = true + # } + } enable_resource_labels = false diff --git a/main.tf b/main.tf index b5239b2..0fa04fa 100644 --- a/main.tf +++ b/main.tf @@ -37,6 +37,8 @@ resource "google_container_cluster" "primary" { } } + + resource_labels = var.enable_resource_labels ? var.resource_labels : {} cluster_autoscaling { @@ -61,17 +63,19 @@ resource "google_container_cluster" "primary" { } } - ip_allocation_policy { - cluster_ipv4_cidr_block = var.cluster_ipv4_cidr_block - services_ipv4_cidr_block = var.services_ipv4_cidr_block - + dynamic "ip_allocation_policy" { + for_each = var.enable_ip_allocation_policy ? [1] : [] + content { + cluster_ipv4_cidr_block = var.cluster_ipv4_cidr_block + services_ipv4_cidr_block = var.services_ipv4_cidr_block + } } dynamic "node_pool" { - for_each = { for k, v in var.managed_node_pool : k => v if var.enabled } + for_each = var.enabled ? { for k, v in var.managed_node_pool : k => v } : {} content { name = node_pool.value.name - initial_node_count = node_pool.value.initial_node_count + initial_node_count = var.initial_node_count node_config { machine_type = node_pool.value.machine_type disk_size_gb = node_pool.value.disk_size_gb 
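Review bot: In the main.tf `@@ -61,17` hunk, `initial_node_count = var.initial_node_count` inside the managed `node_pool` block discards the per-pool `node_pool.value.initial_node_count` the previous line used, so every managed pool now gets the module-wide count and the per-pool values the examples still declare are silently ignored. Restore `initial_node_count = node_pool.value.initial_node_count`, or fall back only when a pool omits it: `initial_node_count = try(node_pool.value.initial_node_count, var.initial_node_count)`. The new `dynamic "ip_allocation_policy"` gated on `enable_ip_allocation_policy` (default false) also changes what module defaults produce — a cluster without an allocation policy is no longer VPC-native — which the variable description should state. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.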
@@ -80,10 +84,13 @@ resource "google_container_cluster" "primary" { spot = var.spot - - workload_metadata_config { - mode = var.workload_metadata_mode + dynamic "workload_metadata_config" { + for_each = var.enable_workload_metadata_config ? [1] : [] + content { + mode = var.workload_metadata_mode + } } + } } } @@ -110,7 +117,7 @@ resource "google_container_node_pool" "node_pool" { name = each.value.name project = var.project_id - location = var.location + location = var.node_location cluster = join("", google_container_cluster.primary[*].id) node_count = var.initial_node_count @@ -134,6 +141,7 @@ resource "google_container_node_pool" "node_pool" { preemptible = var.preemptible + metadata = { disable-legacy-endpoints = "true" } diff --git a/variables.tf b/variables.tf index 1375659..cbce180 100644 --- a/variables.tf +++ b/variables.tf @@ -67,11 +67,26 @@ variable "managed_node_pool" { } variable "self_node_pools" { - type = any - default = {} - description = "Map of self-managed node pools definitions to create" + description = "Map of self-defined node pools" + type = map(object({ + name = string + initial_node_count = number + machine_type = string + disk_size_gb = number + disk_type = string + preemptible = bool + })) + default = { + default_pool = { + name = "default-pool" + initial_node_count = 1 + machine_type = "" + disk_size_gb = 100 + disk_type = "pd-standard" + preemptible = false + } + } } - variable "service_account" { type = string default = "" @@ -81,7 +96,7 @@ variable "service_account" { ######################### Autoscaling ########################### variable "min_node_count" { type = number - default = 2 + default = 0 } variable "max_node_count" { 
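Review bot: Making `workload_metadata_config` conditional on `enable_workload_metadata_config`, which this patch defaults to false, means a cluster built with module defaults no longer sets `mode = var.workload_metadata_mode` (`GKE_METADATA`) on its node pools; pods can then reach the node metadata server and the node service account's credentials directly, which is the exposure that setting exists to close. If the block has to be optional, default the flag to true so the previously hardened behaviour remains the default, and say so in the variable description. In the `@@ -110,7` hunk, `location = var.node_location` now reads a variable whose default is `""`, so a self-managed pool that does not set it no longer inherits `var.location` as before; `location = var.node_location != "" ? var.node_location : var.location` keeps the old behaviour.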
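Review bot: The new `self_node_pools` object type in variables.tf (`@@ -67,11`) declares only `name`, `initial_node_count`, `machine_type`, `disk_size_gb`, `disk_type` and `preemptible`, but the self-hosted example in this same patch passes `image_type` and `node_location` per pool (examples/self-hosted-node-pools/example.tf, `@@ -107,26`); with a strict `map(object({...}))` constraint I would expect Terraform to reject the extra attributes, and even if accepted they are never read, because `google_container_node_pool.node_pool` takes `var.node_location` and module-level settings rather than `each.value`. Either add them to the object (`image_type = optional(string)`, `node_location = optional(string)`) and consume `each.value.node_location` in main.tf, or drop them from the example. The `default_pool` default with `machine_type = ""` also means a caller who leaves the variable unset presumably gets a pool created with an empty machine type; the previous `default = {}` was the safer choice.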
@@ -265,13 +280,13 @@ variable "master_ipv4_cidr_block" { variable "cluster_ipv4_cidr_block" { description = "The IP range for the cluster pod IPs" type = string - default = "/14" + default = "" } variable "services_ipv4_cidr_block" { description = "The IP range for the services IPs" type = string - default = "/20" + default = "" } variable "workload_metadata_mode" { @@ -313,3 +328,29 @@ variable "resource_labels" { "env" = "production" } } + +variable "enable_metadata" { + description = "Enable or disable the metadata block." + type = bool + default = false +} + +variable "enable_ip_allocation_policy" { + description = "Set to true to enable IP allocation policy, false to disable" + type = bool + default = false +} + + +variable "enable_workload_metadata_config" { + description = "Set to true to enable IP allocation policy, false to disable" + type = bool + default = false +} + +variable "node_location" { + type = string + default = "" + description = "The location (region or zone) in which the cluster master will be created, as well as the default node location." +} + From c80991b4b341b26e7d5b2ccd82bcb1f187ce8072 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Thu, 29 Aug 2024 00:57:09 +0530 Subject: [PATCH 50/54] feat: update module --- .../.terraform.tfstate.lock.info | 1 - examples/managed-node-pools/example.tf | 41 ++++++------ .../.terraform.tfstate.lock.info | 1 - examples/self-hosted-node-pools/example.tf | 64 ++++++++++--------- main.tf | 4 ++ 5 files changed, 58 insertions(+), 53 deletions(-) delete mode 100644 examples/managed-node-pools/.terraform.tfstate.lock.info delete mode 100644 examples/self-hosted-node-pools/.terraform.tfstate.lock.info diff --git a/examples/managed-node-pools/.terraform.tfstate.lock.info b/examples/managed-node-pools/.terraform.tfstate.lock.info deleted file mode 100644 index d48bf38..0000000 --- a/examples/managed-node-pools/.terraform.tfstate.lock.info +++ /dev/null 
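Review bot: `enable_workload_metadata_config` carries a copy-pasted description, `"Set to true to enable IP allocation policy, false to disable"`, which describes the other flag; it should read `description = "Set to true to add workload_metadata_config (mode = var.workload_metadata_mode) to node pools, false to omit it."`. `node_location` likewise reuses the cluster-master wording from `location`, although it is only consumed by `google_container_node_pool`, and `enable_metadata` is declared but, as far as this patch shows, never referenced in main.tf (the example comments it out), so it is dead input surface unless a later patch wires it up. Changing `cluster_ipv4_cidr_block`/`services_ipv4_cidr_block` defaults to `""` also deserves a note that they are ignored unless `enable_ip_allocation_policy` is true.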
@@ -1 +0,0 @@ -{"ID":"0cf22bb1-9e0c-baed-0964-4bfb3ecac8b2","Operation":"OperationTypeApply","Info":"","Who":"kalyani@kalyani-HP-EliteBook-840-G3","Version":"1.8.1","Created":"2024-08-28T11:34:00.611482184Z","Path":"terraform.tfstate"} \ No newline at end of file diff --git a/examples/managed-node-pools/example.tf b/examples/managed-node-pools/example.tf index 579984b..7bed48a 100644 --- a/examples/managed-node-pools/example.tf +++ b/examples/managed-node-pools/example.tf @@ -1,7 +1,7 @@ provider "google" { - project = "my-project-44865-424207" - region = "us-central1" - zone = "us-central1-b" + project = var.gcp_project_id + region = var.gcp_region + zone = var.gcp_zone } module "vpc" { @@ -9,8 +9,8 @@ module "vpc" { version = "1.0.0" name = "test-vpc" - #environment = var.environment - #label_order = var.label_order + environment = var.environment + label_order = var.label_order google_compute_network_enabled = true enable_ula_internal_ipv6 = false } @@ -19,8 +19,8 @@ module "subnet" { source = "clouddrove/subnet/gcp" name = "dev-test" - #environment = var.environment - #label_order = var.label_order + environment = var.environment + label_order = var.label_order gcp_region = "us-central1" version = "1.0.1" @@ -31,7 +31,7 @@ module "subnet" { module_enabled = true ipv6_access_type = "EXTERNAL" network = module.vpc.vpc_id - project_id = "my-project-44865-424207" + project_id = var.gcp_project_id private_ip_google_access = true allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }] source_ranges = ["10.10.0.0/16"] @@ -54,13 +54,13 @@ module "subnet" { } ] - # log_config = { - # aggregation_interval = "INTERVAL_10_MIN" - # flow_sampling = 0.5 - # metadata = "INCLUDE_ALL_METADATA" - # metadata_fields = ["SRC_IP", "DST_IP"] - # filter_expr = "true" - # } + log_config = { + aggregation_interval = "INTERVAL_10_MIN" + flow_sampling = 0.5 + metadata = "INCLUDE_ALL_METADATA" + metadata_fields = ["SRC_IP", "DST_IP"] + filter_expr = "true" + } } 
@@ -68,20 +68,20 @@ module "subnet" { module "gke" { source = "../../" - name = "gke-1" - #environment = var.environment - #label_order = var.label_order + name = "gke" + environment = var.environment + label_order = var.label_order network = module.vpc.vpc_id subnetwork = module.subnet.id - project_id = "my-project-44865-424207" + project_id = var.gcp_project_id region = "us-central1" cluster_name = "test-gke" location = "us-central1" gke_version = "1.30.2-gke.1587003" remove_default_node_pool = false - service_account = "295233741425-compute@developer.gserviceaccount.com" + service_account = "example@example.gserviceaccount.com" deletion_protection = false cluster_autoscaling = false http_load_balancing = false @@ -99,7 +99,6 @@ module "gke" { cluster_ipv4_cidr_block = "/24" services_ipv4_cidr_block = "/20" workload_metadata_mode = "GKE_METADATA" - #enable_metadata = false cluster_network_policy = { policy1 = { enabled = false diff --git a/examples/self-hosted-node-pools/.terraform.tfstate.lock.info b/examples/self-hosted-node-pools/.terraform.tfstate.lock.info deleted file mode 100644 index 99b19d3..0000000 --- a/examples/self-hosted-node-pools/.terraform.tfstate.lock.info +++ /dev/null @@ -1 +0,0 @@ -{"ID":"c4a9101a-8120-0d7f-51f7-ad6acd024ff2","Operation":"OperationTypeApply","Info":"","Who":"kalyani@kalyani-HP-EliteBook-840-G3","Version":"1.8.1","Created":"2024-08-28T12:47:37.034037376Z","Path":"terraform.tfstate"} \ No newline at end of file diff --git a/examples/self-hosted-node-pools/example.tf b/examples/self-hosted-node-pools/example.tf index 1001449..9ed4a5f 100644 --- a/examples/self-hosted-node-pools/example.tf +++ b/examples/self-hosted-node-pools/example.tf @@ -1,7 +1,7 @@ provider "google" { - project = "my-project-44865-424207" - region = "us-central1" - #zone = var.gcp_zone + project = var.gcp_project_id + region = var.gcp_region + zone = var.gcp_zone } module "vpc" { 
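Review bot: The managed-node-pools gke hunk restores `project_id = var.gcp_project_id` and the placeholder service account, but leaves `region = "us-central1"` as a literal one line below while the provider block in `@@ -1,7` reads `var.gcp_region`; `region = var.gcp_region` keeps the example consistent with itself. The self-hosted example's `@@ -68,19` hunk on the next line has the same leftover. Note that `remove_default_node_pool = false` is still in place here alongside managed pools, so the example will carry a default pool in addition to the ones it declares.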
@@ -9,8 +9,8 @@ module "vpc" { version = "1.0.0" name = "test-vpc" - #environment = var.environment - #label_order = var.label_order + environment = var.environment + label_order = var.label_order google_compute_network_enabled = true enable_ula_internal_ipv6 = false } @@ -19,8 +19,8 @@ module "subnet" { source = "clouddrove/subnet/gcp" name = "dev-test" - #environment = var.environment - #label_order = var.label_order + environment = var.environment + label_order = var.label_order gcp_region = "us-central1" version = "1.0.1" @@ -30,7 +30,7 @@ module "subnet" { module_enabled = true ipv6_access_type = "EXTERNAL" network = module.vpc.vpc_id - project_id = "my-project-44865-424207" + project_id = var.gcp_project_id private_ip_google_access = true allow = [{ "protocol" : "tcp", "ports" : ["1-65535"] }] source_ranges = ["10.10.0.0/16"] @@ -53,13 +53,13 @@ module "subnet" { } ] - # log_config = { - # aggregation_interval = "INTERVAL_10_MIN" - # flow_sampling = 0.5 - # metadata = "INCLUDE_ALL_METADATA" - # metadata_fields = ["SRC_IP", "DST_IP"] - # filter_expr = "true" - # } + log_config = { + aggregation_interval = "INTERVAL_10_MIN" + flow_sampling = 0.5 + metadata = "INCLUDE_ALL_METADATA" + metadata_fields = ["SRC_IP", "DST_IP"] + filter_expr = "true" + } } @@ -68,19 +68,19 @@ module "gke" { source = "../../" name = "gke" - # environment = var.environment - # label_order = var.label_order + environment = var.environment + label_order = var.label_order network = module.vpc.vpc_id subnetwork = module.subnet.id - project_id = "my-project-44865-424207" + project_id = var.gcp_project_id region = "us-central1" cluster_name = "test-gke" location = "us-central1" gke_version = "1.30.2-gke.1587003" remove_default_node_pool = true - service_account = "295233741425-compute@developer.gserviceaccount.com" + service_account = "example@example.gserviceaccount.com" deletion_protection = false cluster_autoscaling = false http_load_balancing = false 
@@ -96,6 +96,10 @@ module "gke" { enable_ip_allocation_policy = false enable_workload_metadata_config = false workload_metadata_mode = "GKE_METADATA" + machine_type = "g1-small" + initial_node_count = 1 + node_location = "us-central1-a" + disk_size_gb = 30 cluster_network_policy = { policy1 = { enabled = false @@ -111,24 +115,24 @@ module "gke" { ] self_node_pools = { critical = { - name = "critical" + name = "critical-2" initial_node_count = 1 image_type = "COS_CONTAINERD" machine_type = "g1-small" - disk_size_gb = 10 # Change to number, not string + disk_size_gb = 10 disk_type = "pd-standard" preemptible = true node_location = "us-central1-a" }, - # general = { - # name = "general" - # initial_node_count = 1 - # image_type = "COS_CONTAINERD" - # machine_type = "g1-small" - # disk_size_gb = 10 # Change to number, not string - # disk_type = "pd-standard" - # preemptible = true - # } + general = { + name = "general" + initial_node_count = 1 + image_type = "COS_CONTAINERD" + machine_type = "g1-small" + disk_size_gb = 20 + disk_type = "pd-standard" + preemptible = true + } } enable_resource_labels = false diff --git a/main.tf b/main.tf index 0fa04fa..0d02c8e 100644 --- a/main.tf +++ b/main.tf @@ -21,6 +21,7 @@ resource "google_container_cluster" "primary" { deletion_protection = var.deletion_protection cluster_ipv4_cidr = var.cluster_ipv4_cidr initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 + node_locations = ["us-central1-a"] dynamic "master_authorized_networks_config" { for_each = var.enable_master_authorized_networks ? [1] : [] @@ -37,6 +38,7 @@ resource "google_container_cluster" "primary" { } } + resource_labels = var.enable_resource_labels ? var.resource_labels : {} @@ -120,6 +122,7 @@ resource "google_container_node_pool" "node_pool" { location = var.node_location cluster = join("", google_container_cluster.primary[*].id) node_count = var.initial_node_count + autoscaling { min_node_count = var.min_node_count 
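Review bot: In the main.tf `@@ -21,6` hunk, `node_locations = ["us-central1-a"]` hard-codes a single zone into the reusable module's cluster resource, so every consumer in another region gets nodes pinned to us-central1-a, and I would expect a plan error whenever the cluster `location` is in a different region. This belongs in an input — `node_locations = var.node_locations` with a `list(string)` variable defaulting to `[]` — rather than a literal, especially since this same patch already adds `node_location` to the self-hosted example. The enclosing `google_container_cluster.primary` resource starts before the hunk.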
@@ -139,6 +142,7 @@ resource "google_container_node_pool" "node_pool" { disk_size_gb = var.disk_size_gb disk_type = var.disk_type preemptible = var.preemptible + From 8dcceaebac291a4e777a1fda79e8c1ed4d4d91e4 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Thu, 29 Aug 2024 15:35:44 +0530 Subject: [PATCH 51/54] feat: added new file for gke --- README.md | 386 ++++---- cluster.tf | 970 +++++++++++++++++++ dns.tf | 73 ++ examples/managed-node-pools/example.tf | 188 ++-- examples/managed-node-pools/outputs.tf | 11 +- examples/managed-node-pools/variables.tf | 117 +++ examples/self-hosted-node-pools/example.tf | 143 --- examples/self-hosted-node-pools/outputs.tf | 7 - examples/self-hosted-node-pools/variables.tf | 30 - examples/self-hosted-node-pools/versions.tf | 26 - firewall.tf | 241 +++++ main.tf | 354 +++---- masq.tf | 30 + networks.tf | 10 + outputs.tf | 202 +++- sa.tf | 65 ++ scripts/delete-default-resource.sh | 26 + variables.tf | 835 ++++++++++++---- variables_defaults.tf | 96 ++ versions.tf | 10 +- 20 files changed, 2999 insertions(+), 821 deletions(-) create mode 100644 cluster.tf create mode 100644 dns.tf delete mode 100644 examples/self-hosted-node-pools/example.tf delete mode 100644 examples/self-hosted-node-pools/outputs.tf delete mode 100644 examples/self-hosted-node-pools/variables.tf delete mode 100644 examples/self-hosted-node-pools/versions.tf create mode 100644 firewall.tf create mode 100644 masq.tf create mode 100644 networks.tf create mode 100644 sa.tf create mode 100755 scripts/delete-default-resource.sh create mode 100644 variables_defaults.tf diff --git a/README.md b/README.md index b051675..1bbcb75 100644 --- a/README.md +++ b/README.md @@ -1,183 +1,223 @@ - - -

- - -

- Terraform gcp gke -

- -

- Terraform module to create gke resource on google. -

- -

- - - Terraform - - - Licence - - - tfsec - - - static-checks - - - -

-

- - - - - - - - - - - -

-
- - -We eat, drink, sleep and most importantly love **DevOps**. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure. - -This module is basically combination of [Terraform open source](https://www.terraform.io/) and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself. - -We have [*fifty plus terraform modules*][terraform_modules]. A few of them are comepleted and are available for open source usage while a few others are in progress. - - - - -## Prerequisites - -This module has a few dependencies: - -- [Terraform 1.x.x](https://learn.hashicorp.com/terraform/getting-started/install.html) -- [Go](https://golang.org/doc/install) -- [github.com/stretchr/testify/assert](https://github.com/stretchr/testify) -- [github.com/gruntwork-io/terratest/modules/terraform](https://github.com/gruntwork-io/terratest) - - - - - - - -## Examples - - -**IMPORTANT:** Since the `master` branch used in `source` varies based on new modifications, we suggest that you use the release versions [here](https://github.com/clouddrove/terraform-gcp-gke/releases). 
- - -Here are some examples of how you can use this module in your inventory structure: -### Default gke -```hcl -module "gke" { -source = "clouddrove/gke/google" -version = "1.0.0" - - name = "test-gke" -module_enabled = true -google_container_cluster_enabled = true -location = "europe-west3" -remove_default_node_pool = true -initial_node_count = 1 -google_container_node_pool_enabled = true -node_count = 1 -cluster_name = "test-gke" -project_id = var.gcp_project_id -region = var.gcp_region -service_account = "" - -} -``` - - - - - + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.3 | +| [google](#requirement\_google) | >= 5.9.0, < 6 | +| [google-beta](#requirement\_google-beta) | >= 5.9.0, < 6 | +| [kubernetes](#requirement\_kubernetes) | ~> 2.10 | +| [random](#requirement\_random) | >= 2.1 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | >= 5.9.0, < 6 | +| [google-beta](#provider\_google-beta) | >= 5.9.0, < 6 | +| [kubernetes](#provider\_kubernetes) | ~> 2.10 | +| [random](#provider\_random) | >= 2.1 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [google-beta_google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_cluster) | resource | +| [google-beta_google_container_node_pool.pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource | +| [google-beta_google_container_node_pool.windows_pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource | +| [google-beta_google_project_service_identity.fleet_project](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_project_service_identity) | resource | +| [google_compute_firewall.intra_egress](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_firewall.master_webhooks](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_firewall.shadow_allow_inkubelet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_firewall.shadow_allow_master](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_firewall.shadow_allow_nodes](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_firewall.shadow_allow_pods](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_compute_firewall.shadow_deny_exkubelet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| 
[google_compute_firewall.tpu_egress](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | +| [google_project_iam_member.cluster_service_account-artifact-registry](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +| [google_project_iam_member.cluster_service_account-gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +| [google_project_iam_member.cluster_service_account-nodeService_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +| [google_project_iam_member.service_agent](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +| [google_service_account.cluster_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [kubernetes_config_map.ip-masq-agent](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_config_map_v1_data.kube-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | +| [kubernetes_config_map_v1_data.kube-dns-upstream-nameservers-and-stub-domains](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | +| [kubernetes_config_map_v1_data.kube-dns-upstream-namservers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | +| [random_shuffle.available_zones](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/shuffle) | resource | +| [random_string.cluster_service_account_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| 
[google-beta_google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/data-sources/google_compute_zones) | data source | +| [google_compute_subnetwork.gke_subnetwork](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_subnetwork) | data source | +| [google_container_engine_versions.region](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_engine_versions) | data source | +| [google_container_engine_versions.zone](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_engine_versions) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| auto\_repair | ######################## management ########################### | `bool` | `true` | no | -| auto\_upgrade | n/a | `bool` | `true` | no | -| cluster | The cluster to create the node pool for. | `string` | `""` | no | -| cluster\_create\_timeouts | ######################## timeouts ########################### | `string` | `"30m"` | no | -| cluster\_delete\_timeouts | n/a | `string` | `"30m"` | no | -| cluster\_name | n/a | `string` | `""` | no | -| cluster\_update\_timeouts | n/a | `string` | `"30m"` | no | -| disk\_size\_gb | n/a | `number` | `50` | no | -| disk\_type | n/a | `string` | `""` | no | -| environment | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | -| gke\_version | The minimum version of the master. | `string` | `""` | no | -| google\_container\_cluster\_enabled | Flag to control the cluster\_enabled creation. | `bool` | `true` | no | -| google\_container\_node\_pool\_enabled | Flag to control the cluster\_enabled creation. 
| `bool` | `true` | no | -| image\_type | ######################## node\_config ########################### | `string` | `""` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `1` | no | -| kubectl\_config\_path | Path to the kubectl config file. Defaults to $HOME/.kube/config | `string` | `""` | no | -| label\_order | Label order, e.g. sequence of application name and environment `name`,`environment`,'attribute' [`webserver`,`qa`,`devops`,`public`,] . | `list(any)` | `[]` | no | -| location | The location (region or zone) in which the cluster master will be created, as well as the default node location. | `string` | `""` | no | -| location\_policy | n/a | `string` | `"BALANCED"` | no | -| machine\_type | n/a | `string` | `""` | no | -| max\_node\_count | n/a | `number` | `7` | no | -| min\_node\_count | ######################## Autoscaling ########################### | `number` | `2` | no | -| module\_enabled | Flag to control the service\_account\_enabled creation. | `bool` | `true` | no | -| name | Name of the resource. Provided by the client when the resource is created. | `string` | `""` | no | -| network | A reference (self link) to the VPC network to host the cluster in | `string` | `""` | no | -| node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `1` | no | -| preemptible | n/a | `bool` | `false` | no | -| project | The project ID to host the cluster in | `string` | `""` | no | -| project\_id | Google Cloud project ID | `string` | `""` | no | -| region | Google Cloud region | `string` | `""` | no | -| remove\_default\_node\_pool | deletes the default node pool upon cluster creation. | `bool` | `true` | no | -| service\_account | The Google Cloud Platform Service Account to be used by the node VMs created by GKE Autopilot or NAP. 
| `string` | `""` | no | -| subnetwork | A reference (self link) to the subnetwork to host the cluster in | `string` | `""` | no | +| [add\_cluster\_firewall\_rules](#input\_add\_cluster\_firewall\_rules) | Create additional firewall rules | `bool` | `false` | no | +| [add\_master\_webhook\_firewall\_rules](#input\_add\_master\_webhook\_firewall\_rules) | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | +| [add\_shadow\_firewall\_rules](#input\_add\_shadow\_firewall\_rules) | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| [additional\_ip\_range\_pods](#input\_additional\_ip\_range\_pods) | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | +| [authenticator\_security\_group](#input\_authenticator\_security\_group) | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| [cloudrun](#input\_cloudrun) | (Beta) Enable CloudRun addon | `bool` | `false` | no | +| [cloudrun\_load\_balancer\_type](#input\_cloudrun\_load\_balancer\_type) | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | +| [cluster\_autoscaling](#input\_cluster\_autoscaling) | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| [cluster\_dns\_domain](#input\_cluster\_dns\_domain) | The suffix used for all cluster service records. | `string` | `""` | no | +| [cluster\_dns\_provider](#input\_cluster\_dns\_provider) | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | +| [cluster\_dns\_scope](#input\_cluster\_dns\_scope) | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | +| [cluster\_ipv4\_cidr](#input\_cluster\_ipv4\_cidr) | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | +| [cluster\_resource\_labels](#input\_cluster\_resource\_labels) | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | +| [cluster\_telemetry\_type](#input\_cluster\_telemetry\_type) | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | +| [config\_connector](#input\_config\_connector) | Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | +| [configure\_ip\_masq](#input\_configure\_ip\_masq) | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | +| [create\_service\_account](#input\_create\_service\_account) | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | +| [database\_encryption](#input\_database\_encryption) | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. 
| `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | +| [datapath\_provider](#input\_datapath\_provider) | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | +| [default\_max\_pods\_per\_node](#input\_default\_max\_pods\_per\_node) | The maximum number of pods to schedule per node | `number` | `110` | no | +| [deletion\_protection](#input\_deletion\_protection) | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no | +| [deploy\_using\_private\_endpoint](#input\_deploy\_using\_private\_endpoint) | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | +| [description](#input\_description) | The description of the cluster | `string` | `""` | no | +| [disable\_default\_snat](#input\_disable\_default\_snat) | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | +| [disable\_legacy\_metadata\_endpoints](#input\_disable\_legacy\_metadata\_endpoints) | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | +| [dns\_cache](#input\_dns\_cache) | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | +| [enable\_binary\_authorization](#input\_enable\_binary\_authorization) | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| [enable\_confidential\_nodes](#input\_enable\_confidential\_nodes) | An optional flag to enable confidential node config. 
| `bool` | `false` | no | +| [enable\_cost\_allocation](#input\_enable\_cost\_allocation) | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| [enable\_fqdn\_network\_policy](#input\_enable\_fqdn\_network\_policy) | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | +| [enable\_gcfs](#input\_enable\_gcfs) | Enable image streaming on cluster level. | `bool` | `false` | no | +| [enable\_identity\_service](#input\_enable\_identity\_service) | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | +| [enable\_intranode\_visibility](#input\_enable\_intranode\_visibility) | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| [enable\_kubernetes\_alpha](#input\_enable\_kubernetes\_alpha) | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| [enable\_l4\_ilb\_subsetting](#input\_enable\_l4\_ilb\_subsetting) | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| [enable\_mesh\_certificates](#input\_enable\_mesh\_certificates) | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | +| [enable\_network\_egress\_export](#input\_enable\_network\_egress\_export) | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. 
| `bool` | `false` | no | +| [enable\_pod\_security\_policy](#input\_enable\_pod\_security\_policy) | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | +| [enable\_private\_endpoint](#input\_enable\_private\_endpoint) | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | +| [enable\_private\_nodes](#input\_enable\_private\_nodes) | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | +| [enable\_resource\_consumption\_export](#input\_enable\_resource\_consumption\_export) | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| [enable\_shielded\_nodes](#input\_enable\_shielded\_nodes) | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | +| [enable\_tpu](#input\_enable\_tpu) | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | +| [enable\_vertical\_pod\_autoscaling](#input\_enable\_vertical\_pod\_autoscaling) | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | +| [filestore\_csi\_driver](#input\_filestore\_csi\_driver) | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | +| [firewall\_inbound\_ports](#input\_firewall\_inbound\_ports) | List of TCP ports for admission/webhook controllers. 
Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | +| [firewall\_priority](#input\_firewall\_priority) | Priority rule for firewall rules | `number` | `1000` | no | +| [fleet\_project](#input\_fleet\_project) | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| [fleet\_project\_grant\_service\_agent](#input\_fleet\_project\_grant\_service\_agent) | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | +| [gateway\_api\_channel](#input\_gateway\_api\_channel) | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | +| [gce\_pd\_csi\_driver](#input\_gce\_pd\_csi\_driver) | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | +| [gcs\_fuse\_csi\_driver](#input\_gcs\_fuse\_csi\_driver) | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | +| [gke\_backup\_agent\_config](#input\_gke\_backup\_agent\_config) | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | +| [grant\_registry\_access](#input\_grant\_registry\_access) | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | +| [horizontal\_pod\_autoscaling](#input\_horizontal\_pod\_autoscaling) | Enable horizontal pod autoscaling addon | `bool` | `true` | no | +| [http\_load\_balancing](#input\_http\_load\_balancing) | Enable httpload balancer addon | `bool` | `true` | no | +| [identity\_namespace](#input\_identity\_namespace) | The workload pool to attach all Kubernetes service accounts to. 
(Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| [initial\_node\_count](#input\_initial\_node\_count) | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| [ip\_masq\_link\_local](#input\_ip\_masq\_link\_local) | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | +| [ip\_masq\_resync\_interval](#input\_ip\_masq\_resync\_interval) | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | +| [ip\_range\_pods](#input\_ip\_range\_pods) | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | +| [ip\_range\_services](#input\_ip\_range\_services) | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| [issue\_client\_certificate](#input\_issue\_client\_certificate) | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | +| [istio](#input\_istio) | (Beta) Enable Istio addon | `bool` | `false` | no | +| [istio\_auth](#input\_istio\_auth) | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | +| [kalm\_config](#input\_kalm\_config) | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no | +| [kubernetes\_version](#input\_kubernetes\_version) | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | +| [logging\_enabled\_components](#input\_logging\_enabled\_components) | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. 
| `list(string)` | `[]` | no | +| [logging\_service](#input\_logging\_service) | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | +| [maintenance\_end\_time](#input\_maintenance\_end\_time) | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | +| [maintenance\_exclusions](#input\_maintenance\_exclusions) | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | +| [maintenance\_recurrence](#input\_maintenance\_recurrence) | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | +| [maintenance\_start\_time](#input\_maintenance\_start\_time) | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | +| [master\_authorized\_networks](#input\_master\_authorized\_networks) | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | +| [master\_global\_access\_enabled](#input\_master\_global\_access\_enabled) | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | +| [master\_ipv4\_cidr\_block](#input\_master\_ipv4\_cidr\_block) | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | +| [monitoring\_enable\_managed\_prometheus](#input\_monitoring\_enable\_managed\_prometheus) | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. 
| `bool` | `false` | no | +| [monitoring\_enable\_observability\_metrics](#input\_monitoring\_enable\_observability\_metrics) | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| [monitoring\_enabled\_components](#input\_monitoring\_enabled\_components) | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| [monitoring\_observability\_metrics\_relay\_mode](#input\_monitoring\_observability\_metrics\_relay\_mode) | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | +| [monitoring\_service](#input\_monitoring\_service) | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | +| [name](#input\_name) | The name of the cluster (required) | `string` | n/a | yes | +| [network](#input\_network) | The VPC network to host the cluster in (required) | `string` | n/a | yes | +| [network\_policy](#input\_network\_policy) | Enable network policy addon | `bool` | `false` | no | +| [network\_policy\_provider](#input\_network\_policy\_provider) | The network policy provider. | `string` | `"CALICO"` | no | +| [network\_project\_id](#input\_network\_project\_id) | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| [network\_tags](#input\_network\_tags) | (Optional) - List of network tags applied to auto-provisioned node pools. 
| `list(string)` | `[]` | no | +| [node\_metadata](#input\_node\_metadata) | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | +| [node\_pools](#input\_node\_pools) | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| [node\_pools\_labels](#input\_node\_pools\_labels) | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| [node\_pools\_linux\_node\_configs\_sysctls](#input\_node\_pools\_linux\_node\_configs\_sysctls) | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| [node\_pools\_metadata](#input\_node\_pools\_metadata) | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| [node\_pools\_oauth\_scopes](#input\_node\_pools\_oauth\_scopes) | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | +| [node\_pools\_resource\_labels](#input\_node\_pools\_resource\_labels) | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| [node\_pools\_tags](#input\_node\_pools\_tags) | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | +| [node\_pools\_taints](#input\_node\_pools\_taints) | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | +| [non\_masquerade\_cidrs](#input\_non\_masquerade\_cidrs) | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | +| [notification\_config\_topic](#input\_notification\_config\_topic) | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| [project\_id](#input\_project\_id) | The project ID to host the cluster in (required) | `string` | n/a | yes | +| [region](#input\_region) | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | +| [regional](#input\_regional) | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| [registry\_project\_ids](#input\_registry\_project\_ids) | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | +| [release\_channel](#input\_release\_channel) | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | +| [remove\_default\_node\_pool](#input\_remove\_default\_node\_pool) | Remove default node pool while setting up the cluster | `bool` | `false` | no | +| [resource\_usage\_export\_dataset\_id](#input\_resource\_usage\_export\_dataset\_id) | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | +| [sandbox\_enabled](#input\_sandbox\_enabled) | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | +| [security\_posture\_mode](#input\_security\_posture\_mode) | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. 
| `string` | `"DISABLED"` | no | +| [security\_posture\_vulnerability\_mode](#input\_security\_posture\_vulnerability\_mode) | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| [service\_account](#input\_service\_account) | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | +| [service\_account\_name](#input\_service\_account\_name) | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | +| [service\_external\_ips](#input\_service\_external\_ips) | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| [shadow\_firewall\_rules\_log\_config](#input\_shadow\_firewall\_rules\_log\_config) | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | +| [shadow\_firewall\_rules\_priority](#input\_shadow\_firewall\_rules\_priority) | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| [stack\_type](#input\_stack\_type) | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| [stub\_domains](#input\_stub\_domains) | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | +| [subnetwork](#input\_subnetwork) | The subnetwork to host the cluster in (required) | `string` | n/a | yes | +| [timeouts](#input\_timeouts) | Timeout for cluster operations. | `map(string)` | `{}` | no | +| [upstream\_nameservers](#input\_upstream\_nameservers) | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| [windows\_node\_pools](#input\_windows\_node\_pools) | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| [workload\_config\_audit\_mode](#input\_workload\_config\_audit\_mode) | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no | +| [workload\_vulnerability\_mode](#input\_workload\_vulnerability\_mode) | (beta) Vulnerability mode. | `string` | `""` | no | +| [zones](#input\_zones) | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs | Name | Description | |------|-------------| -| cluster\_ca\_certificate | n/a | -| endpoint | n/a | -| id | n/a | -| name | n/a | - - - - -## Testing -In this module testing is performed with [terratest](https://github.com/gruntwork-io/terratest) and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. 
This testing is written in GO, so you need a [GO environment](https://golang.org/doc/install) in your system. - -You need to run the following command in the testing folder: -```hcl - go test -run Test -``` - - - -## Feedback -If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-gcp-gke/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). - -If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-gcp-gke)! - -## About us - -At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. - -

We are The Cloud Experts!

-
-

We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

- - [website]: https://clouddrove.com - [github]: https://github.com/clouddrove - [linkedin]: https://cpco.io/linkedin - [twitter]: https://twitter.com/clouddrove/ - [email]: https://clouddrove.com/contact-us.html - [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= +| [ca\_certificate](#output\_ca\_certificate) | Cluster ca certificate (base64 encoded) | +| [cloudrun\_enabled](#output\_cloudrun\_enabled) | Whether CloudRun enabled | +| [cluster\_id](#output\_cluster\_id) | Cluster ID | +| [dns\_cache\_enabled](#output\_dns\_cache\_enabled) | Whether DNS Cache enabled | +| [endpoint](#output\_endpoint) | Cluster endpoint | +| [fleet\_membership](#output\_fleet\_membership) | Fleet membership (if registered) | +| [gateway\_api\_channel](#output\_gateway\_api\_channel) | The gateway api channel of this cluster. | +| [horizontal\_pod\_autoscaling\_enabled](#output\_horizontal\_pod\_autoscaling\_enabled) | Whether horizontal pod autoscaling enabled | +| [http\_load\_balancing\_enabled](#output\_http\_load\_balancing\_enabled) | Whether http load balancing enabled | +| [identity\_namespace](#output\_identity\_namespace) | Workload Identity pool | +| [identity\_service\_enabled](#output\_identity\_service\_enabled) | Whether Identity Service is enabled | +| [instance\_group\_urls](#output\_instance\_group\_urls) | List of GKE generated instance groups | +| [intranode\_visibility\_enabled](#output\_intranode\_visibility\_enabled) | Whether intra-node visibility is enabled | +| [istio\_enabled](#output\_istio\_enabled) | Whether Istio is enabled | +| [location](#output\_location) | Cluster location (region if regional cluster, zone if zonal cluster) | +| [logging\_service](#output\_logging\_service) | Logging service used | +| [master\_authorized\_networks\_config](#output\_master\_authorized\_networks\_config) | Networks from which access to master is permitted | +| [master\_ipv4\_cidr\_block](#output\_master\_ipv4\_cidr\_block) 
| The IP range in CIDR notation used for the hosted master network |
+| [master\_version](#output\_master\_version) | Current master kubernetes version |
+| [mesh\_certificates\_config](#output\_mesh\_certificates\_config) | Mesh certificates configuration |
+| [min\_master\_version](#output\_min\_master\_version) | Minimum master kubernetes version |
+| [monitoring\_service](#output\_monitoring\_service) | Monitoring service used |
+| [name](#output\_name) | Cluster name |
+| [network\_policy\_enabled](#output\_network\_policy\_enabled) | Whether network policy enabled |
+| [node\_pools\_names](#output\_node\_pools\_names) | List of node pools names |
+| [node\_pools\_versions](#output\_node\_pools\_versions) | Node pool versions by node pool name |
+| [peering\_name](#output\_peering\_name) | The name of the peering between this cluster and the Google owned VPC. |
+| [pod\_security\_policy\_enabled](#output\_pod\_security\_policy\_enabled) | Whether pod security policy is enabled |
+| [region](#output\_region) | Cluster region |
+| [release\_channel](#output\_release\_channel) | The release channel of this cluster |
+| [service\_account](#output\_service\_account) | The service account to default running nodes as if not overridden in `node_pools`. |
+| [tpu\_ipv4\_cidr\_block](#output\_tpu\_ipv4\_cidr\_block) | The IP range in CIDR notation used for the TPUs |
+| [type](#output\_type) | Cluster type (regional / zonal) |
+| [vertical\_pod\_autoscaling\_enabled](#output\_vertical\_pod\_autoscaling\_enabled) | Whether vertical pod autoscaling enabled |
+| [zones](#output\_zones) | List of zones in which the cluster resides |
+
\ No newline at end of file
diff --git a/cluster.tf b/cluster.tf
new file mode 100644
index 0000000..f215145
--- /dev/null
+++ b/cluster.tf
@@ -0,0 +1,970 @@
+
+/******************************************
+ Create Container Cluster
+ *****************************************/
+resource "google_container_cluster" "primary" {
+ provider = google-beta
+
+ name = var.name
+ description = var.description
+ project = var.project_id
+ resource_labels = var.cluster_resource_labels
+
+ location = local.location
+ node_locations = local.node_locations
+ cluster_ipv4_cidr = var.cluster_ipv4_cidr
+ network = "projects/${local.network_project_id}/global/networks/${var.network}"
+ deletion_protection = var.deletion_protection
+
+ dynamic "network_policy" {
+ for_each = local.cluster_network_policy
+
+ content {
+ enabled = network_policy.value.enabled
+ provider = network_policy.value.provider
+ }
+ }
+
+ dynamic "release_channel" {
+ for_each = local.release_channel
+
+ content {
+ channel = release_channel.value.channel
+ }
+ }
+
+ dynamic "gateway_api_config" {
+ for_each = local.gateway_api_config
+
+ content {
+ channel = gateway_api_config.value.channel
+ }
+ }
+
+ dynamic "cost_management_config" {
+ for_each = var.enable_cost_allocation ? [1] : []
+ content {
+ enabled = var.enable_cost_allocation
+ }
+ }
+
+ dynamic "confidential_nodes" {
+ for_each = local.confidential_node_config
+ content {
+ enabled = confidential_nodes.value.enabled
+ }
+ }
+
+ subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
+
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
+
+ min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : var.kubernetes_version == "latest" ? null : var.kubernetes_version
+
+ dynamic "cluster_telemetry" {
+ for_each = local.cluster_telemetry_type_is_set ? [1] : []
+ content {
+ type = var.cluster_telemetry_type
+ }
+ }
+ # only one of logging/monitoring_service or logging/monitoring_config can be specified
+ logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service
+ dynamic "logging_config" {
+ for_each = length(var.logging_enabled_components) > 0 ? [1] : []
+
+ content {
+ enable_components = var.logging_enabled_components
+ }
+ }
+ monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service
+ dynamic "monitoring_config" {
+ for_each = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? [1] : []
+ content {
+ enable_components = var.monitoring_enabled_components
+ managed_prometheus {
+ enabled = var.monitoring_enable_managed_prometheus
+ }
+ advanced_datapath_observability_config {
+ enable_metrics = var.monitoring_enable_observability_metrics
+ relay_mode = var.monitoring_observability_metrics_relay_mode
+ }
+ }
+ }
+ cluster_autoscaling {
+ enabled = var.cluster_autoscaling.enabled
+ dynamic "auto_provisioning_defaults" {
+ for_each = var.cluster_autoscaling.enabled ? [1] : []
+
+ content {
+ service_account = local.service_account
+ oauth_scopes = local.node_pools_oauth_scopes["all"]
+
+ management {
+ auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
+ auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
+ }
+
+ disk_size = lookup(var.cluster_autoscaling, "disk_size", 100)
+ disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard")
+
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ }
+ }
+ autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED"
+ dynamic "resource_limits" {
+ for_each = local.autoscaling_resource_limits
+ content {
+ resource_type = lookup(resource_limits.value, "resource_type")
+ minimum = lookup(resource_limits.value, "minimum")
+ maximum = lookup(resource_limits.value, "maximum")
+ }
+ }
+ }
+ vertical_pod_autoscaling {
+ enabled = var.enable_vertical_pod_autoscaling
+ }
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
+ enable_kubernetes_alpha = var.enable_kubernetes_alpha
+ enable_tpu = var.enable_tpu
+ enable_intranode_visibility = var.enable_intranode_visibility
+
+ dynamic "pod_security_policy_config" {
+ for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
+ content {
+ enabled = pod_security_policy_config.value
+ }
+ }
+
+ dynamic "identity_service_config" {
+ for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+ content {
+ enabled = identity_service_config.value
+ }
+ }
+
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
+ dynamic "master_authorized_networks_config" {
+ for_each = local.master_authorized_networks_config
+ content {
+ dynamic "cidr_blocks" {
+ for_each = master_authorized_networks_config.value.cidr_blocks
+ content {
+ cidr_block = lookup(cidr_blocks.value, "cidr_block", "")
+ display_name = lookup(cidr_blocks.value, "display_name", "")
+ }
+ }
+ }
+ }
+
+ dynamic "node_pool_auto_config" {
+ for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : []
+ content {
+ network_tags {
+ tags = var.network_tags
+ }
+ }
+ }
+
+ master_auth {
+ client_certificate_config {
+ issue_client_certificate = var.issue_client_certificate
+ }
+ }
+
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
+ addons_config {
+ http_load_balancing {
+ disabled = !var.http_load_balancing
+ }
+
+ horizontal_pod_autoscaling {
+ disabled = !var.horizontal_pod_autoscaling
+ }
+
+ network_policy_config {
+ disabled = !var.network_policy
+ }
+
+ dns_cache_config {
+ enabled = var.dns_cache
+ }
+
+ gcp_filestore_csi_driver_config {
+ enabled = var.filestore_csi_driver
+ }
+
+ dynamic "gce_persistent_disk_csi_driver_config" {
+ for_each = local.cluster_gce_pd_csi_config
+
+ content {
+ enabled = gce_persistent_disk_csi_driver_config.value.enabled
+ }
+ }
+
+ dynamic "gke_backup_agent_config" {
+ for_each = local.gke_backup_agent_config
+
+ content {
+ enabled = gke_backup_agent_config.value.enabled
+ }
+ }
+
+ dynamic "gcs_fuse_csi_driver_config" {
+ for_each = local.gcs_fuse_csi_driver_config
+
+ content {
+ enabled = gcs_fuse_csi_driver_config.value.enabled
+ }
+ }
+
+ config_connector_config {
+ enabled = var.config_connector
+ }
+
+ istio_config {
+ disabled = !var.istio
+ auth = var.istio_auth
+ }
+
+ dynamic "cloudrun_config" {
+ for_each = local.cluster_cloudrun_config
+
+ content {
+ disabled = cloudrun_config.value.disabled
+ }
+ }
+
+ kalm_config {
+ enabled = var.kalm_config
+ }
+ }
+
+ datapath_provider = var.datapath_provider
+
+ networking_mode = "VPC_NATIVE"
+
+ protect_config {
+ workload_config {
+ audit_mode = var.workload_config_audit_mode
+ }
+ workload_vulnerability_mode = var.workload_vulnerability_mode
+ }
+
+ security_posture_config {
+ mode = var.security_posture_mode
+ vulnerability_mode = var.security_posture_vulnerability_mode
+ }
+
+ dynamic "fleet" {
+ for_each = var.fleet_project != null ? [1] : []
+ content {
+ project = var.fleet_project
+ }
+ }
+
+ ip_allocation_policy {
+ cluster_secondary_range_name = var.ip_range_pods
+ services_secondary_range_name = var.ip_range_services
+ dynamic "additional_pod_ranges_config" {
+ for_each = length(var.additional_ip_range_pods) != 0 ? [1] : []
+ content {
+ pod_range_names = var.additional_ip_range_pods
+ }
+ }
+ stack_type = var.stack_type
+ }
+
+ maintenance_policy {
+ dynamic "recurring_window" {
+ for_each = local.cluster_maintenance_window_is_recurring
+ content {
+ start_time = var.maintenance_start_time
+ end_time = var.maintenance_end_time
+ recurrence = var.maintenance_recurrence
+ }
+ }
+
+ dynamic "daily_maintenance_window" {
+ for_each = local.cluster_maintenance_window_is_daily
+ content {
+ start_time = var.maintenance_start_time
+ }
+ }
+
+ dynamic "maintenance_exclusion" {
+ for_each = var.maintenance_exclusions
+ content {
+ exclusion_name = maintenance_exclusion.value.name
+ start_time = maintenance_exclusion.value.start_time
+ end_time = maintenance_exclusion.value.end_time
+
+ dynamic "exclusion_options" {
+ for_each = maintenance_exclusion.value.exclusion_scope == null ? [] : [maintenance_exclusion.value.exclusion_scope]
+ content {
+ scope = exclusion_options.value
+ }
+ }
+ }
+ }
+ }
+
+ lifecycle {
+ ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], master_authorized_networks_config]
+ }
+
+ dynamic "dns_config" {
+ for_each = var.cluster_dns_provider == "CLOUD_DNS" ? [1] : []
+ content {
+ cluster_dns = var.cluster_dns_provider
+ cluster_dns_scope = var.cluster_dns_scope
+ cluster_dns_domain = var.cluster_dns_domain
+ }
+ }
+
+ timeouts {
+ create = lookup(var.timeouts, "create", "45m")
+ update = lookup(var.timeouts, "update", "45m")
+ delete = lookup(var.timeouts, "delete", "45m")
+ }
+ node_pool {
+ name = "default-pool"
+ initial_node_count = var.initial_node_count
+
+ management {
+ auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
+ auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
+ }
+
+ node_config {
+ image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ dynamic "gcfs_config" {
+ for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
+ content {
+ enabled = gcfs_config.value
+ }
+ }
+
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
+
+ tags = concat(
+ lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [],
+ lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [],
+ lookup(local.node_pools_tags, "all", []),
+ lookup(local.node_pools_tags, var.node_pools[0].name, []),
+ )
+
+ logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT")
+
+ dynamic "workload_metadata_config" {
+ for_each = local.cluster_node_metadata_config
+
+ content {
+ mode = workload_metadata_config.value.mode
+ }
+ }
+
+ metadata = local.node_pools_metadata["all"]
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
+ }
+ }
+
+ dynamic "resource_usage_export_config" {
+ for_each = var.resource_usage_export_dataset_id != "" ? [{
+ enable_network_egress_metering = var.enable_network_egress_export
+ enable_resource_consumption_metering = var.enable_resource_consumption_export
+ dataset_id = var.resource_usage_export_dataset_id
+ }] : []
+
+ content {
+ enable_network_egress_metering = resource_usage_export_config.value.enable_network_egress_metering
+ enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
+ bigquery_destination {
+ dataset_id = resource_usage_export_config.value.dataset_id
+ }
+ }
+ }
+
+ dynamic "private_cluster_config" {
+ for_each = var.enable_private_nodes ? [{
+ enable_private_nodes = var.enable_private_nodes,
+ enable_private_endpoint = var.enable_private_endpoint
+ master_ipv4_cidr_block = var.master_ipv4_cidr_block
+ }] : []
+
+ content {
+ enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
+ enable_private_nodes = private_cluster_config.value.enable_private_nodes
+ master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
+ dynamic "master_global_access_config" {
+ for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
+ content {
+ enabled = master_global_access_config.value
+ }
+ }
+ }
+ }
+
+ remove_default_node_pool = var.remove_default_node_pool
+
+ dynamic "database_encryption" {
+ for_each = var.database_encryption
+
+ content {
+ key_name = database_encryption.value.key_name
+ state = database_encryption.value.state
+ }
+ }
+
+ dynamic "workload_identity_config" {
+ for_each = local.cluster_workload_identity_config
+
+ content {
+ workload_pool = workload_identity_config.value.workload_pool
+ }
+ }
+
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
+ dynamic "authenticator_groups_config" {
+ for_each = local.cluster_authenticator_security_group
+ content {
+ security_group = authenticator_groups_config.value.security_group
+ }
+ }
+
+ notification_config {
+ pubsub {
+ enabled = var.notification_config_topic != "" ? true : false
+ topic = var.notification_config_topic
+ }
+ }
+
+ node_pool_defaults {
+ node_config_defaults {
+ gcfs_config {
+ enabled = var.enable_gcfs
+ }
+ }
+ }
+
+ depends_on = [google_project_iam_member.service_agent]
+}
+/******************************************
+ Create Container Cluster node pools
+ *****************************************/
+resource "google_container_node_pool" "pools" {
+ provider = google-beta
+ for_each = local.node_pools
+ name = each.key
+ project = var.project_id
+ location = local.location
+ // use node_locations if provided, defaults to cluster level node_locations if not specified
+ node_locations = lookup(each.value, "node_locations", "") != "" ? split(",", each.value["node_locations"]) : null
+
+ cluster = google_container_cluster.primary.name
+
+ version = lookup(each.value, "auto_upgrade", local.default_auto_upgrade) ? "" : lookup(
+ each.value,
+ "version",
+ google_container_cluster.primary.min_master_version,
+ )
+
+ initial_node_count = lookup(each.value, "autoscaling", true) ? lookup(
+ each.value,
+ "initial_node_count",
+ lookup(each.value, "min_count", 1)
+ ) : null
+
+ max_pods_per_node = lookup(each.value, "max_pods_per_node", null)
+
+ node_count = lookup(each.value, "autoscaling", true) ? null : lookup(each.value, "node_count", 1)
+
+ dynamic "autoscaling" {
+ for_each = lookup(each.value, "autoscaling", true) ? [each.value] : []
+ content {
+ min_node_count = contains(keys(autoscaling.value), "total_min_count") ? null : lookup(autoscaling.value, "min_count", 1)
+ max_node_count = contains(keys(autoscaling.value), "total_max_count") ? null : lookup(autoscaling.value, "max_count", 100)
+ location_policy = lookup(autoscaling.value, "location_policy", null)
+ total_min_node_count = lookup(autoscaling.value, "total_min_count", null)
+ total_max_node_count = lookup(autoscaling.value, "total_max_count", null)
+ }
+ }
+
+ dynamic "placement_policy" {
+ for_each = length(lookup(each.value, "placement_policy", "")) > 0 ? [each.value] : []
+ content {
+ type = lookup(placement_policy.value, "placement_policy", null)
+ }
+ }
+
+ dynamic "network_config" {
+ for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
+ content {
+ pod_range = lookup(network_config.value, "pod_range", null)
+ enable_private_nodes = var.enable_private_nodes
+ }
+ }
+
+ management {
+ auto_repair = lookup(each.value, "auto_repair", true)
+ auto_upgrade = lookup(each.value, "auto_upgrade", local.default_auto_upgrade)
+ }
+
+ upgrade_settings {
+ strategy = lookup(each.value, "strategy", "SURGE")
+ max_surge = lookup(each.value, "strategy", "SURGE") == "SURGE" ? lookup(each.value, "max_surge", 1) : null
+ max_unavailable = lookup(each.value, "strategy", "SURGE") == "SURGE" ? lookup(each.value, "max_unavailable", 0) : null
+
+ dynamic "blue_green_settings" {
+ for_each = lookup(each.value, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : []
+ content {
+ node_pool_soak_duration = lookup(each.value, "node_pool_soak_duration", null)
+
+ standard_rollout_policy {
+ batch_soak_duration = lookup(each.value, "batch_soak_duration", null)
+ batch_percentage = lookup(each.value, "batch_percentage", null)
+ batch_node_count = lookup(each.value, "batch_node_count", null)
+ }
+ }
+ }
+ }
+
+ node_config {
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ dynamic "gcfs_config" {
+ for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
+ content {
+ enabled = gcfs_config.value
+ }
+ }
+ dynamic "gvnic" {
+ for_each = lookup(each.value, "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+ labels = merge(
+ lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
+ lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
+ local.node_pools_labels["all"],
+ local.node_pools_labels[each.value["name"]],
+ )
+ resource_labels = merge(
+ local.node_pools_resource_labels["all"],
+ local.node_pools_resource_labels[each.value["name"]],
+ )
+ metadata = merge(
+ lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
+ lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
+ local.node_pools_metadata["all"],
+ local.node_pools_metadata[each.value["name"]],
+ {
+ "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+ },
+ )
+ dynamic "taint" {
+ for_each = concat(
+ local.node_pools_taints["all"],
+ local.node_pools_taints[each.value["name"]],
+ )
+ content {
+ effect = taint.value.effect
+ key = taint.value.key
+ value = taint.value.value
+ }
+ }
+ tags = concat(
+ lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [],
+ lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-${each.value["name"]}"] : [],
+ local.node_pools_tags["all"],
+ local.node_pools_tags[each.value["name"]],
+ )
+
+ logging_variant = lookup(each.value, "logging_variant", "DEFAULT")
+
+ local_ssd_count = lookup(each.value, "local_ssd_count", 0)
+ disk_size_gb = lookup(each.value, "disk_size_gb", 100)
+ disk_type = lookup(each.value, "disk_type", "pd-standard")
+
+ dynamic "ephemeral_storage_config" {
+ for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ content {
+ local_ssd_count = ephemeral_storage_config.value
+ }
+ }
+
+ dynamic "local_nvme_ssd_block_config" {
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ content {
+ local_ssd_count = local_nvme_ssd_block_config.value
+ }
+ }
+
+ service_account = lookup(
+ each.value,
+ "service_account",
+ local.service_account,
+ )
+ preemptible = lookup(each.value, "preemptible", false)
+ spot = lookup(each.value, "spot", false)
+
+ oauth_scopes = concat(
+ local.node_pools_oauth_scopes["all"],
+ local.node_pools_oauth_scopes[each.value["name"]],
+ )
+
+ dynamic "guest_accelerator" {
+ for_each = lookup(each.value, "accelerator_count", 0) > 0 ? [1] : []
+ content {
+ type = lookup(each.value, "accelerator_type", "")
+ count = lookup(each.value, "accelerator_count", 0)
+ gpu_partition_size = lookup(each.value, "gpu_partition_size", null)
+
+ dynamic "gpu_driver_installation_config" {
+ for_each = lookup(each.value, "gpu_driver_version", "") != "" ? [1] : []
+ content {
+ gpu_driver_version = lookup(each.value, "gpu_driver_version", "")
+ }
+ }
+ }
+ }
+
+ dynamic "workload_metadata_config" {
+ for_each = local.cluster_node_metadata_config
+
+ content {
+ mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
+ }
+ }
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ dynamic "kubelet_config" {
+ for_each = length(setintersection(
+ keys(each.value),
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"]
+ )) != 0 ? [1] : []
+
+ content {
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ }
+ }
+
+ dynamic "linux_node_config" {
+ for_each = length(merge(
+ local.node_pools_linux_node_configs_sysctls["all"],
+ local.node_pools_linux_node_configs_sysctls[each.value["name"]]
+ )) != 0 ? [1] : []
+
+ content {
+ sysctls = merge(
+ local.node_pools_linux_node_configs_sysctls["all"],
+ local.node_pools_linux_node_configs_sysctls[each.value["name"]]
+ )
+ }
+ }
+
+ boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+ }
+ }
+
+ lifecycle {
+ ignore_changes = [initial_node_count]
+
+ }
+
+ timeouts {
+ create = lookup(var.timeouts, "create", "45m")
+ update = lookup(var.timeouts, "update", "45m")
+ delete = lookup(var.timeouts, "delete", "45m")
+ }
+
+}
+resource "google_container_node_pool" "windows_pools" {
+ provider = google-beta
+ for_each = local.windows_node_pools
+ name = each.key
+ project = var.project_id
+ location = local.location
+ // use node_locations if provided, defaults to cluster level node_locations if not specified
+ node_locations = lookup(each.value, "node_locations", "") != "" ? split(",", each.value["node_locations"]) : null
+
+ cluster = google_container_cluster.primary.name
+
+ version = lookup(each.value, "auto_upgrade", local.default_auto_upgrade) ? "" : lookup(
+ each.value,
+ "version",
+ google_container_cluster.primary.min_master_version,
+ )
+
+ initial_node_count = lookup(each.value, "autoscaling", true) ? lookup(
+ each.value,
+ "initial_node_count",
+ lookup(each.value, "min_count", 1)
+ ) : null
+
+ max_pods_per_node = lookup(each.value, "max_pods_per_node", null)
+
+ node_count = lookup(each.value, "autoscaling", true) ? null : lookup(each.value, "node_count", 1)
+
+ dynamic "autoscaling" {
+ for_each = lookup(each.value, "autoscaling", true) ? [each.value] : []
+ content {
+ min_node_count = contains(keys(autoscaling.value), "total_min_count") ? null : lookup(autoscaling.value, "min_count", 1)
+ max_node_count = contains(keys(autoscaling.value), "total_max_count") ? null : lookup(autoscaling.value, "max_count", 100)
+ location_policy = lookup(autoscaling.value, "location_policy", null)
+ total_min_node_count = lookup(autoscaling.value, "total_min_count", null)
+ total_max_node_count = lookup(autoscaling.value, "total_max_count", null)
+ }
+ }
+
+ dynamic "placement_policy" {
+ for_each = length(lookup(each.value, "placement_policy", "")) > 0 ? [each.value] : []
+ content {
+ type = lookup(placement_policy.value, "placement_policy", null)
+ }
+ }
+
+ dynamic "network_config" {
+ for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
+ content {
+ pod_range = lookup(network_config.value, "pod_range", null)
+ enable_private_nodes = var.enable_private_nodes
+ }
+ }
+
+ management {
+ auto_repair = lookup(each.value, "auto_repair", true)
+ auto_upgrade = lookup(each.value, "auto_upgrade", local.default_auto_upgrade)
+ }
+
+ upgrade_settings {
+ strategy = lookup(each.value, "strategy", "SURGE")
+ max_surge = lookup(each.value, "strategy", "SURGE") == "SURGE" ? lookup(each.value, "max_surge", 1) : null
+ max_unavailable = lookup(each.value, "strategy", "SURGE") == "SURGE" ? lookup(each.value, "max_unavailable", 0) : null
+
+ dynamic "blue_green_settings" {
+ for_each = lookup(each.value, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : []
+ content {
+ node_pool_soak_duration = lookup(each.value, "node_pool_soak_duration", null)
+
+ standard_rollout_policy {
+ batch_soak_duration = lookup(each.value, "batch_soak_duration", null)
+ batch_percentage = lookup(each.value, "batch_percentage", null)
+ batch_node_count = lookup(each.value, "batch_node_count", null)
+ }
+ }
+ }
+ }
+
+ node_config {
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ dynamic "gcfs_config" {
+ for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
+ content {
+ enabled = gcfs_config.value
+ }
+ }
+ dynamic "gvnic" {
+ for_each = lookup(each.value, "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+ labels = merge(
+ lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
+ lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
+ local.node_pools_labels["all"],
+ local.node_pools_labels[each.value["name"]],
+ )
+ resource_labels = merge(
+ local.node_pools_resource_labels["all"],
+ local.node_pools_resource_labels[each.value["name"]],
+ )
+ metadata = merge(
+ lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
+ lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
+ local.node_pools_metadata["all"],
+ local.node_pools_metadata[each.value["name"]],
+ {
+ "disable-legacy-endpoints" = var.disable_legacy_metadata_endpoints
+ },
+ )
+ dynamic "taint" {
+ for_each = concat(
+ local.node_pools_taints["all"],
+ local.node_pools_taints[each.value["name"]],
+ )
+ content {
+ effect = taint.value.effect
+ key = taint.value.key
+ value = taint.value.value
+ }
+ }
+ tags = concat(
+ lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [],
+ lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-${each.value["name"]}"] : [],
+ local.node_pools_tags["all"],
+ local.node_pools_tags[each.value["name"]],
+ )
+
+ logging_variant = lookup(each.value, "logging_variant", "DEFAULT")
+
+ local_ssd_count = lookup(each.value, "local_ssd_count", 0)
+ disk_size_gb = lookup(each.value, "disk_size_gb", 100)
+ disk_type = lookup(each.value, "disk_type", "pd-standard")
+
+ dynamic "ephemeral_storage_config" {
+ for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ content {
+ local_ssd_count = ephemeral_storage_config.value
+ }
+ }
+
+ dynamic "local_nvme_ssd_block_config" {
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ content {
+ local_ssd_count = local_nvme_ssd_block_config.value
+ }
+ }
+
+ service_account = lookup(
+ each.value,
+ "service_account",
+ local.service_account,
+ )
+ preemptible = lookup(each.value, "preemptible", false)
+ spot = lookup(each.value, "spot", false)
+
+ oauth_scopes = concat(
+ local.node_pools_oauth_scopes["all"],
+ local.node_pools_oauth_scopes[each.value["name"]],
+ )
+
+ dynamic "guest_accelerator" {
+ for_each = lookup(each.value, "accelerator_count", 0) > 0 ? [1] : []
+ content {
+ type = lookup(each.value, "accelerator_type", "")
+ count = lookup(each.value, "accelerator_count", 0)
+ gpu_partition_size = lookup(each.value, "gpu_partition_size", null)
+
+ dynamic "gpu_driver_installation_config" {
+ for_each = lookup(each.value, "gpu_driver_version", "") != "" ? [1] : []
+ content {
+ gpu_driver_version = lookup(each.value, "gpu_driver_version", "")
+ }
+ }
+ }
+ }
+
+ dynamic "workload_metadata_config" {
+ for_each = local.cluster_node_metadata_config
+
+ content {
+ mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
+ }
+ }
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ dynamic "kubelet_config" {
+ for_each = length(setintersection(
+ keys(each.value),
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"]
+ )) != 0 ? [1] : []
+
+ content {
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ }
+ }
+
+
+ boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
+ }
+ }
+
+ lifecycle {
+ ignore_changes = [initial_node_count]
+
+ }
+
+ timeouts {
+ create = lookup(var.timeouts, "create", "45m")
+ update = lookup(var.timeouts, "update", "45m")
+ delete = lookup(var.timeouts, "delete", "45m")
+ }
+
+ depends_on = [google_container_node_pool.pools[0]]
+}
diff --git a/dns.tf b/dns.tf
new file mode 100644
index 0000000..bfc51ed
--- /dev/null
+++ b/dns.tf
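Review bot: The `lifecycle` block of `google_container_cluster.primary` in this hunk lists `master_authorized_networks_config` in `ignore_changes`, so once the cluster exists any later change to the control-plane access allowlist — whether edited in this module's inputs or widened out-of-band in the console — is neither shown in a plan nor reverted, and `local.master_authorized_networks_config` effectively only applies on create. If that is deliberate, the line needs a comment stating why; otherwise drop it: `ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]]`. Separately, all three `shielded_instance_config` blocks (default pool, `pools`, `windows_pools`) default `enable_secure_boot` to `false` while `enable_integrity_monitoring` defaults to `true`, so a pool that does not set the key explicitly boots without Secure Boot even when `enable_shielded_nodes` is on; consider `enable_secure_boot = lookup(each.value, "enable_secure_boot", true)` (and the matching `var.node_pools[0]` form) or document in the variable description that callers must opt in per pool.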
@@ -0,0 +1,73 @@ +/****************************************** + Manage kube-dns configmaps + *****************************************/ + +resource "kubernetes_config_map_v1_data" "kube-dns" { + count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 + + metadata { + name = "kube-dns" + namespace = "kube-system" + } + + data = { + stubDomains = <--all INGRESS + firewall rule created by GKE but for EGRESS + + Required for clusters when VPCs enforce + a default-deny egress rule + *****************************************/ +resource "google_compute_firewall" "intra_egress" { + count = var.add_cluster_firewall_rules ? 1 : 0 + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" + description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" + project = local.network_project_id + network = var.network + priority = var.firewall_priority + direction = "EGRESS" + + target_tags = [local.cluster_network_tag] + destination_ranges = concat([ + local.cluster_endpoint_for_nodes, + local.cluster_subnet_cidr, + ], + local.pod_all_ip_ranges + ) + + # Allow all possible protocols + allow { protocol = "tcp" } + allow { protocol = "udp" } + allow { protocol = "icmp" } + allow { protocol = "sctp" } + allow { protocol = "esp" } + allow { protocol = "ah" } + +} + + +/****************************************** + Allow egress to the TPU IPv4 CIDR block + + This rule is defined separately from the + intra_egress rule above since it requires + an output from the google_container_cluster + resource. + + https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1124 + *****************************************/ +resource "google_compute_firewall" "tpu_egress" { + count = var.add_cluster_firewall_rules && var.enable_tpu ? 
1 : 0 + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" + description = "Managed by terraform gke module: Allow pods to communicate with TPUs" + project = local.network_project_id + network = var.network + priority = var.firewall_priority + direction = "EGRESS" + + target_tags = [local.cluster_network_tag] + destination_ranges = [google_container_cluster.primary.tpu_ipv4_cidr_block] + + # Allow all possible protocols + allow { protocol = "tcp" } + allow { protocol = "udp" } + allow { protocol = "icmp" } + allow { protocol = "sctp" } + allow { protocol = "esp" } + allow { protocol = "ah" } + +} + +/****************************************** + Allow GKE master to hit non 443 ports for + Webhooks/Admission Controllers + + https://github.com/kubernetes/kubernetes/issues/79739 + *****************************************/ +resource "google_compute_firewall" "master_webhooks" { + count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" + description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" + project = local.network_project_id + network = var.network + priority = var.firewall_priority + direction = "INGRESS" + + source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] + target_tags = [local.cluster_network_tag] + + allow { + protocol = "tcp" + ports = var.firewall_inbound_ports + } + + +} + + +/****************************************** + Create shadow firewall rules to capture the + traffic flow between the managed firewall rules + *****************************************/ +resource "google_compute_firewall" "shadow_allow_pods" { + count = var.add_shadow_firewall_rules ? 
1 : 0 + + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" + description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." + project = local.network_project_id + network = var.network + priority = var.shadow_firewall_rules_priority + direction = "INGRESS" + + source_ranges = local.pod_all_ip_ranges + target_tags = [local.cluster_network_tag] + + # Allow all possible protocols + allow { protocol = "tcp" } + allow { protocol = "udp" } + allow { protocol = "icmp" } + allow { protocol = "sctp" } + allow { protocol = "esp" } + allow { protocol = "ah" } + + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } + } +} + +resource "google_compute_firewall" "shadow_allow_master" { + count = var.add_shadow_firewall_rules ? 1 : 0 + + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" + description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." + project = local.network_project_id + network = var.network + priority = var.shadow_firewall_rules_priority + direction = "INGRESS" + + source_ranges = [local.cluster_endpoint_for_nodes] + target_tags = [local.cluster_network_tag] + + allow { + protocol = "tcp" + ports = ["10250", "443"] + } + + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } + } +} + +resource "google_compute_firewall" "shadow_allow_nodes" { + count = var.add_shadow_firewall_rules ? 1 : 0 + + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" + description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." 
+ project = local.network_project_id + network = var.network + priority = var.shadow_firewall_rules_priority + direction = "INGRESS" + + source_ranges = [local.cluster_subnet_cidr] + target_tags = [local.cluster_network_tag] + + allow { + protocol = "icmp" + } + + allow { + protocol = "udp" + ports = ["1-65535"] + } + + allow { + protocol = "tcp" + ports = ["1-65535"] + } + + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } + } +} + +resource "google_compute_firewall" "shadow_allow_inkubelet" { + count = var.add_shadow_firewall_rules ? 1 : 0 + + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" + description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." + project = local.network_project_id + network = var.network + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 + direction = "INGRESS" + + source_ranges = local.pod_all_ip_ranges + source_tags = [local.cluster_network_tag] + target_tags = [local.cluster_network_tag] + + allow { + protocol = "tcp" + ports = ["10255"] + } + + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } + } +} + +resource "google_compute_firewall" "shadow_deny_exkubelet" { + count = var.add_shadow_firewall_rules ? 1 : 0 + + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" + description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." 
+ project = local.network_project_id + network = var.network + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 + direction = "INGRESS" + + source_ranges = ["0.0.0.0/0"] + target_tags = [local.cluster_network_tag] + + deny { + protocol = "tcp" + ports = ["10255"] + } + + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } + } +} diff --git a/main.tf b/main.tf index 0d02c8e..a58a663 100644 --- a/main.tf +++ b/main.tf 
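Review bot: The shadow rules (`shadow_allow_pods` through `shadow_deny_exkubelet`) only attach a `log_config` when `var.shadow_firewall_rules_log_config` is non-null, yet the header comment says they exist "to capture the traffic flow"; without logging they allow or deny exactly what the GKE-managed rules already do and yield no observable signal, so the variable's description (defined outside this chunk) should state that a non-null value is what makes these rules useful, or the module should document why logging is opt-in. A smaller point: `shadow_allow_nodes` reuses `shadow_allow_master`'s description ("allowing worker nodes communication") although it matches subnet-CIDR-to-node traffic on all TCP/UDP ports; `description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing node-to-node (subnet CIDR) communication."` would be accurate, and the three spellings "terraform gke module" / "terraform GKE module" / "Terraform GKE module" across the rules could be unified. Note that the `dns.tf` hunk above appears truncated by extraction at `stubDomains = <`, so these firewall resources most likely belong to a separate file whose header is missing here.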
@@ -1,176 +1,202 @@ -module "labels" { - source = "clouddrove/labels/gcp" - version = "1.0.0" - name = var.name - environment = var.environment - label_order = var.label_order -} +/****************************************** + Get available zones in region + *****************************************/ +data "google_compute_zones" "available" { + count = local.zone_count == 0 ? 1 : 0 -resource "google_container_cluster" "primary" { - count = var.google_container_cluster_enabled ? 1 : 0 provider = google-beta - project = var.project_id - name = module.labels.id - location = var.location - network = var.network - subnetwork = var.subnetwork - remove_default_node_pool = var.remove_default_node_pool - min_master_version = var.gke_version - deletion_protection = var.deletion_protection - cluster_ipv4_cidr = var.cluster_ipv4_cidr - initial_node_count = var.managed_node_pool == {} ? var.initial_node_count : 0 - node_locations = ["us-central1-a"] - - dynamic "master_authorized_networks_config" { - for_each = var.enable_master_authorized_networks ? [1] : [] - - content { - dynamic "cidr_blocks" { - for_each = var.master_authorized_networks - - content { - cidr_block = cidr_blocks.value.cidr_block - display_name = cidr_blocks.value.display_name - } - } - } - } - - - - - resource_labels = var.enable_resource_labels ? var.resource_labels : {} - - cluster_autoscaling { - enabled = var.cluster_autoscaling - - } - pod_security_policy_config { - enabled = var.pod_security_policy - } - - addons_config { - http_load_balancing { - disabled = !var.http_load_balancing - } - - horizontal_pod_autoscaling { - disabled = !var.horizontal_pod_autoscaling - } - - network_policy_config { - disabled = !var.network_policy - } - } - - dynamic "ip_allocation_policy" { - for_each = var.enable_ip_allocation_policy ? 
[1] : [] - content { - cluster_ipv4_cidr_block = var.cluster_ipv4_cidr_block - services_ipv4_cidr_block = var.services_ipv4_cidr_block - } - } - - dynamic "node_pool" { - for_each = var.enabled ? { for k, v in var.managed_node_pool : k => v } : {} - content { - name = node_pool.value.name - initial_node_count = var.initial_node_count - node_config { - machine_type = node_pool.value.machine_type - disk_size_gb = node_pool.value.disk_size_gb - disk_type = node_pool.value.disk_type - preemptible = var.enable_preemptible - spot = var.spot - - - dynamic "workload_metadata_config" { - for_each = var.enable_workload_metadata_config ? [1] : [] - content { - mode = var.workload_metadata_mode - } - } - - } - } - } - - private_cluster_config { - enable_private_endpoint = var.enable_private_endpoint - enable_private_nodes = var.enable_private_nodes - master_ipv4_cidr_block = var.master_ipv4_cidr_block - } - - dynamic "network_policy" { - for_each = var.cluster_network_policy - - content { - enabled = network_policy.value.enabled - provider = network_policy.value.provider - } - } + project = var.project_id + region = local.region } -resource "google_container_node_pool" "node_pool" { - for_each = { for k, v in var.self_node_pools : k => v if var.enabled } - provider = google-beta +resource "random_shuffle" "available_zones" { + count = local.zone_count == 0 ? 
1 : 0 - name = each.value.name - project = var.project_id - location = var.node_location - cluster = join("", google_container_cluster.primary[*].id) - node_count = var.initial_node_count - - - autoscaling { - min_node_count = var.min_node_count - max_node_count = var.max_node_count - location_policy = var.location_policy - } - - management { - auto_repair = var.auto_repair - auto_upgrade = var.auto_upgrade - } - - node_config { - image_type = var.image_type - machine_type = var.machine_type - service_account = var.service_account - disk_size_gb = var.disk_size_gb - disk_type = var.disk_type - preemptible = var.preemptible - - - - - metadata = { - disable-legacy-endpoints = "true" - } - } - - lifecycle { - ignore_changes = [initial_node_count] - create_before_destroy = false - } - - timeouts { - create = var.cluster_create_timeouts - update = var.cluster_update_timeouts - delete = var.cluster_delete_timeouts - } + input = data.google_compute_zones.available[0].names + result_count = 3 +} +locals { + // ID of the cluster + cluster_id = google_container_cluster.primary.id + + // location + location = var.regional ? var.region : var.zones[0] + region = var.regional ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2)) + // for regional cluster - use var.zones if provided, use available otherwise, for zonal cluster use var.zones with first element extracted + node_locations = var.regional ? coalescelist(compact(var.zones), try(sort(random_shuffle.available_zones[0].result), [])) : slice(var.zones, 1, length(var.zones)) + // Kubernetes version + master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version + master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version + master_version = var.regional ? 
local.master_version_regional : local.master_version_zonal + // Build a map of maps of node pools from a list of objects + node_pool_names = [for np in toset(var.node_pools) : np.name] + node_pools = zipmap(local.node_pool_names, tolist(toset(var.node_pools))) + windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] + windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] + gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] + + autoscaling_resource_limits = var.cluster_autoscaling.enabled ? concat([{ + resource_type = "cpu" + minimum = var.cluster_autoscaling.min_cpu_cores + maximum = var.cluster_autoscaling.max_cpu_cores + }, { + resource_type = "memory" + minimum = var.cluster_autoscaling.min_memory_gb + maximum = var.cluster_autoscaling.max_memory_gb + }], var.cluster_autoscaling.gpu_resources) : [] + + + custom_kube_dns_config = length(keys(var.stub_domains)) > 0 + upstream_nameservers_config = length(var.upstream_nameservers) > 0 + network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id + zone_count = length(var.zones) + cluster_type = var.regional ? "regional" : "zonal" + // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous. + // When a release channel is used, node auto-upgrade is enabled and cannot be disabled. + default_auto_upgrade = var.regional || var.release_channel != "UNSPECIFIED" ? true : false + + cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null + cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? 
{ for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} + pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0], [for k, v in merge(local.node_pools, local.windows_node_pools) : local.cluster_alias_ranges_cidr[v.pod_range] if length(lookup(v, "pod_range", "")) > 0])) : [] + + cluster_network_policy = var.network_policy ? [{ + enabled = true + provider = var.network_policy_provider + }] : [{ + enabled = false + provider = null + }] + cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] + gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { + load_balancer_type = var.cloudrun_load_balancer_type + } : {} + cluster_cloudrun_config = var.cloudrun ? [ + merge( + { + disabled = false + }, + local.cluster_cloudrun_config_load_balancer_config + ) + ] : [] + cluster_cloudrun_enabled = var.cloudrun + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", EXPOSE = "GCE_METADATA" } + + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? 
[] : [{ + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) + }] + + cluster_output_regional_zones = google_container_cluster.primary.node_locations + cluster_output_zones = local.cluster_output_regional_zones + + cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null + cluster_endpoint_for_nodes = var.master_ipv4_cidr_block + + cluster_output_master_auth = concat(google_container_cluster.primary[*].master_auth, []) + cluster_output_master_version = google_container_cluster.primary.master_version + cluster_output_min_master_version = google_container_cluster.primary.min_master_version + cluster_output_logging_service = google_container_cluster.primary.logging_service + cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service + cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled + cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? 
google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + + # BETA features + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + + # /BETA features + + master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ + cidr_blocks : var.master_authorized_networks + }] + + cluster_output_node_pools_names = concat( + [for np in google_container_node_pool.pools : np.name], [""], + [for np in google_container_node_pool.windows_pools : np.name], [""] + ) + + cluster_output_node_pools_versions = merge( + { for np in google_container_node_pool.pools : np.name => np.version }, + { for np in google_container_node_pool.windows_pools : np.name => np.version }, + ) + + cluster_master_auth_list_layer1 = local.cluster_output_master_auth + cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] + cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? 
var.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + + // node pool ID is in the form projects//locations//clusters//nodePools/ + cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_network_tag = "gke-${var.name}" + cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] + cluster_master_version = local.cluster_output_master_version + cluster_min_master_version = local.cluster_output_min_master_version + cluster_logging_service = local.cluster_output_logging_service + cluster_monitoring_service = local.cluster_output_monitoring_service + cluster_node_pools_names = local.cluster_output_node_pools_names + cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled + cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled + cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled + cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled + workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace + }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_mesh_certificates_config = local.workload_identity_enabled ? 
[{ + enable_certificates = var.enable_mesh_certificates + }] : [] + + # BETA features + cluster_istio_enabled = !local.cluster_output_istio_disabled + cluster_dns_cache_enabled = var.dns_cache + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null + cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + + # /BETA features + + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] + cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } -resource "null_resource" "configure_kubectl" { - provisioner "local-exec" { - command = "gcloud container clusters get-credentials ${var.cluster_name} --region ${var.region} --project ${var.project_id}" +/****************************************** + Get available container engine versions + *****************************************/ +data "google_container_engine_versions" "region" { + location = local.location + project = var.project_id +} - environment = { - KUBECONFIG = var.kubectl_config_path != "" ? var.kubectl_config_path : "" - } - } - depends_on = [google_container_node_pool.node_pool] +data "google_container_engine_versions" "zone" { + // Work around to prevent a lack of zone declaration from causing regional cluster creation from erroring out due to error + // + // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone. + // + location = local.zone_count == 0 ? data.google_compute_zones.available[0].names[0] : var.zones[0] + project = var.project_id } diff --git a/masq.tf b/masq.tf new file mode 100644 index 0000000..1d3a30a --- /dev/null +++ b/masq.tf 
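Review bot: `master_authorized_networks_config` in the `locals` block becomes an empty list when `var.master_authorized_networks` is empty, which, assuming the cluster resource (outside this hunk) renders it through a `dynamic` block, omits the block altogether; to my knowledge the provider then leaves the public control-plane endpoint unrestricted rather than "disallow[ing] external access" as the new variable description in variables.tf promises, so one of the two needs to change. If restriction-by-default is intended, always emit the block (`master_authorized_networks_config = [{ cidr_blocks : var.master_authorized_networks }]`) so an empty list means "no external CIDRs"; otherwise add `// empty var.master_authorized_networks omits the block, i.e. the public endpoint stays open unless a private endpoint is used` next to the local and correct the variable text. Separately, `default_auto_upgrade` treats a `null` `var.release_channel` as a channel being set because `null != "UNSPECIFIED"` is true, whereas `release_channel` a few lines earlier treats `null` as no channel; `var.release_channel != null && var.release_channel != "UNSPECIFIED"` keeps the two consistent.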
@@ -0,0 +1,30 @@ + +/****************************************** + Create ip-masq-agent confimap + *****************************************/ +resource "kubernetes_config_map" "ip-masq-agent" { + count = var.configure_ip_masq ? 1 : 0 + + metadata { + name = "ip-masq-agent" + namespace = "kube-system" + + labels = { + maintained_by = "terraform" + } + } + + data = { + config = < 0 ? local.cluster_workload_identity_config[0].workload_pool : null + depends_on = [ + google_container_cluster.primary + ] +} + +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + +output "master_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the hosted master network" + value = var.master_ipv4_cidr_block +} + +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_pod_security_policy_enabled +} + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} + +output "http_load_balancing_enabled" { + description = "Whether http load balancing enabled" + value = local.cluster_http_load_balancing_enabled +} + +output "horizontal_pod_autoscaling_enabled" { + description = "Whether horizontal pod autoscaling enabled" + value = local.cluster_horizontal_pod_autoscaling_enabled +} + +output "vertical_pod_autoscaling_enabled" { + description = "Whether vertical pod autoscaling enabled" + value = local.cluster_vertical_pod_autoscaling_enabled +} + +output "node_pools_names" { 
+ description = "List of node pools names" + value = local.cluster_node_pools_names +} + +output "node_pools_versions" { + description = "Node pool versions by node pool name" + value = local.cluster_node_pools_versions +} + +output "peering_name" { + description = "The name of the peering between this cluster and the Google owned VPC." + value = local.cluster_peering_name +} + +output "cloudrun_enabled" { + description = "Whether CloudRun enabled" + value = local.cluster_cloudrun_enabled +} + +output "istio_enabled" { + description = "Whether Istio is enabled" + value = local.cluster_istio_enabled +} + +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled } -output "cluster_ca_certificate" { - value = join("", google_container_cluster.primary[*].id) +output "pod_security_policy_enabled" { + description = "Whether pod security policy is enabled" + value = local.cluster_pod_security_policy_enabled } \ No newline at end of file diff --git a/sa.tf b/sa.tf new file mode 100644 index 0000000..86ed152 --- /dev/null +++ b/sa.tf 
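Review bot: `output "identity_service_enabled"` returns `local.cluster_pod_security_policy_enabled`, the same value as `output "pod_security_policy_enabled"`, so consumers asking whether Identity Service is enabled get the PSP flag instead. Either point it at a local that reflects the cluster's identity-service configuration (none is visible in the `locals` block in main.tf) or drop the output until one exists; as written, a downstream policy check keyed on this output would pass or fail for the wrong reason. The `masq.tf` hunk at the top of this unit appears truncated by extraction at `config = <`, and the `outputs.tf` file header is missing, so the start of the outputs hunk cannot be reviewed here.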
@@ -0,0 +1,65 @@
+// This file was automatically generated from a template in ./autogen/main
+
+locals {
+ service_account_list = compact(
+ concat(
+ google_service_account.cluster_service_account[*].email,
+ ["dummy"],
+ ),
+ )
+ service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
+
+ // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used
+ service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account
+
+ registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids
+}
+
+resource "random_string" "cluster_service_account_suffix" {
+ upper = false
+ lower = true
+ special = false
+ length = 4
+}
+
+resource "google_service_account" "cluster_service_account" {
+ count = var.create_service_account ? 1 : 0
+ project = var.project_id
+ account_id = var.service_account_name == "" ? local.service_account_default_name : var.service_account_name
+ display_name = "Terraform-managed service account for cluster ${var.name}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+ count = var.create_service_account ? 1 : 0
+ project = google_service_account.cluster_service_account[0].project
+ role = "roles/container.defaultNodeServiceAccount"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/scripts/delete-default-resource.sh b/scripts/delete-default-resource.sh
new file mode 100755
index 0000000..e5717d4
--- /dev/null
+++ b/scripts/delete-default-resource.sh
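Review bot: `local.service_account` falls through to `var.service_account` whenever `var.create_service_account` is false, so with the variable left empty (its default lives in variables.tf, outside this hunk) the node pools that consume this local get no explicit service account and inherit the project's default Compute Engine service account, which is usually far broader than `roles/container.defaultNodeServiceAccount`. A comment on the local makes the trade-off visible, e.g. `// create_service_account=false with service_account="" leaves nodes on the project default compute SA`, and a `validation` block on `var.service_account` requiring a value when creation is disabled would turn the silent fallback into a plan-time error. It is also worth stating in the `grant_registry_access` variable description that `roles/storage.objectViewer` and `roles/artifactregistry.reader` are granted project-wide on every entry of `registry_projects_list`, not per repository.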
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+
+if [ "$#" -ne 3 ]; then
+ >&2 echo "3 arguments expected. Exiting."
+ exit 1
+fi
+
+RESOURCE_NAMESPACE=$1
+RESOURCE_TYPE=$2
+RESOURCE_NAME=$3
+
+RESOURCE_LIST=$(kubectl -n "${RESOURCE_NAMESPACE}" get "${RESOURCE_TYPE}" || exit 1)
+
+# Delete requested resource
+if [[ $RESOURCE_LIST = *"${RESOURCE_NAME}"* ]]; then
+ RESOURCE_MAINTAINED_LABEL=$(kubectl -n "${RESOURCE_NAMESPACE}" get "${RESOURCE_TYPE}" "${RESOURCE_NAME}" -o=jsonpath='{.metadata.labels.maintained_by}')
+ if [[ $RESOURCE_MAINTAINED_LABEL = "terraform" ]]; then
+ echo "Terraform maintained ${RESOURCE_NAME} ${RESOURCE_TYPE} appears to have already been created in ${RESOURCE_NAMESPACE} namespace"
+ else
+ echo "Deleting default ${RESOURCE_NAME} ${RESOURCE_TYPE} found in ${RESOURCE_NAMESPACE} namespace"
+ kubectl -n "${RESOURCE_NAMESPACE}" delete "${RESOURCE_TYPE}" "${RESOURCE_NAME}"
+ fi
+else
+ echo "No default ${RESOURCE_NAME} ${RESOURCE_TYPE} found in ${RESOURCE_NAMESPACE} namespace"
+fi
diff --git a/variables.tf b/variables.tf
index cbce180..28d4bba 100644
--- a/variables.tf
+++ b/variables.tf
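Review bot: The existence check `[[ $RESOURCE_LIST = *"${RESOURCE_NAME}"* ]]` is a substring match over the whole `kubectl get` listing, so a resource whose name merely contains `RESOURCE_NAME` (or any column value that does) satisfies it, after which the label lookup and `delete` run against a name that may not exist. Querying the exact object avoids that: `RESOURCE_LIST=$(kubectl -n "${RESOURCE_NAMESPACE}" get "${RESOURCE_TYPE}" "${RESOURCE_NAME}" --ignore-not-found -o name)` followed by `if [[ -n $RESOURCE_LIST ]]; then`. Note also that the `|| exit 1` inside the command substitution only terminates the subshell; the script stops there only because `set -e` treats the failed assignment as a failure, which deserves a comment or an explicit `|| exit 1` outside the `$(...)`.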
@@ -1,356 +1,813 @@ -variable "environment" { +variable "project_id" { + type = string + description = "The project ID to host the cluster in (required)" +} + +variable "name" { type = string + description = "The name of the cluster (required)" +} + +variable "description" { + type = string + description = "The description of the cluster" default = "" - description = "Environment (e.g. `prod`, `dev`, `staging`)." } -variable "label_order" { - type = list(any) +variable "regional" { + type = bool + description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" + default = true +} + +variable "region" { + type = string + description = "The region to host the cluster in (optional if zonal cluster / required if regional)" + default = null +} + +variable "zones" { + type = list(string) + description = "The zones to host the cluster in (optional if regional cluster / required if zonal)" default = [] - description = "Label order, e.g. sequence of application name and environment `name`,`environment`,'attribute' [`webserver`,`qa`,`devops`,`public`,] ." } -variable "name" { +variable "network" { type = string + description = "The VPC network to host the cluster in (required)" +} + +variable "network_project_id" { + type = string + description = "The project ID of the shared VPC's host (for shared vpc support)" default = "" - description = "Name of the resource. Provided by the client when the resource is created. " } -variable "enabled" { +variable "subnetwork" { + type = string + description = "The subnetwork to host the cluster in (required)" +} + +variable "kubernetes_version" { + type = string + description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region." 
+ default = "latest" +} + +variable "master_authorized_networks" { + type = list(object({ cidr_block = string, display_name = string })) + description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)." + default = [] +} + +variable "enable_vertical_pod_autoscaling" { type = bool + description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" + default = false +} + +variable "horizontal_pod_autoscaling" { + type = bool + description = "Enable horizontal pod autoscaling addon" default = true - description = "Whether to create the resources. Set to `false` to prevent the module from creating any resources." } -variable "google_container_cluster_enabled" { +variable "http_load_balancing" { type = bool + description = "Enable httpload balancer addon" default = true - description = "Flag to control the cluster_enabled creation." } -variable "location" { +variable "service_external_ips" { + type = bool + description = "Whether external ips specified by a service will be allowed in this cluster" + default = false +} + +variable "datapath_provider" { + type = string + description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." + default = "DATAPATH_PROVIDER_UNSPECIFIED" +} + +variable "maintenance_start_time" { type = string + description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" + default = "05:00" +} + +variable "maintenance_exclusions" { + type = list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + description = "List of maintenance exclusions. 
A cluster can have up to three" + default = [] +} + +variable "maintenance_end_time" { + type = string + description = "Time window specified for recurring maintenance operations in RFC3339 format" default = "" - description = "The location (region or zone) in which the cluster master will be created, as well as the default node location." } -variable "remove_default_node_pool" { - type = bool - default = true - description = "deletes the default node pool upon cluster creation." +variable "maintenance_recurrence" { + type = string + description = "Frequency of the recurring maintenance window in RFC5545 format." + default = "" } -variable "initial_node_count" { - type = number - default = 1 - description = "The number of nodes to create in this cluster's default node pool." +variable "ip_range_pods" { + type = string + description = "The _name_ of the secondary subnet ip range to use for pods" } -variable "cluster_network_policy" { - description = "Network policy configuration for the GKE cluster" - type = map(object({ - enabled = bool - provider = string - })) +variable "additional_ip_range_pods" { + type = list(string) + description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" + default = [] +} + +variable "ip_range_services" { + type = string + description = "The _name_ of the secondary subnet range to use for services" +} + +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." 
+ default = "IPV4" +} + +variable "node_pools" { + type = list(map(any)) + description = "List of maps containing node pools" + + default = [ + { + name = "default-node-pool" + }, + ] +} + +variable "windows_node_pools" { + type = list(map(string)) + description = "List of maps containing Windows node pools" + default = [] +} + +variable "node_pools_labels" { + type = map(map(string)) + description = "Map of maps containing node labels by node-pool name" + + # Default is being set in variables_defaults.tf default = { - policy1 = { - enabled = true - provider = "CALICO" - } + all = {} + default-node-pool = {} } } -variable "managed_node_pool" { - type = any - default = {} - description = "Map of self-managed node pools definitions to create" -} - -variable "self_node_pools" { - description = "Map of self-defined node pools" - type = map(object({ - name = string - initial_node_count = number - machine_type = string - disk_size_gb = number - disk_type = string - preemptible = bool - })) +variable "node_pools_resource_labels" { + type = map(map(string)) + description = "Map of maps containing resource labels by node-pool name" + default = { - default_pool = { - name = "default-pool" - initial_node_count = 1 - machine_type = "" - disk_size_gb = 100 - disk_type = "pd-standard" - preemptible = false - } + all = {} + default-node-pool = {} } } -variable "service_account" { - type = string - default = "" - description = "The Google Cloud Platform Service Account to be used by the node VMs created by GKE Autopilot or NAP." 
-} -######################### Autoscaling ########################### -variable "min_node_count" { - type = number - default = 0 -} +variable "node_pools_metadata" { + type = map(map(string)) + description = "Map of maps containing node metadata by node-pool name" -variable "max_node_count" { - type = number - default = 7 + # Default is being set in variables_defaults.tf + default = { + all = {} + default-node-pool = {} + } } -variable "location_policy" { - type = string - default = "BALANCED" +variable "node_pools_linux_node_configs_sysctls" { + type = map(map(string)) + description = "Map of maps containing linux node config sysctls by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = {} + default-node-pool = {} + } } -######################### management ########################### -variable "auto_repair" { - type = bool - default = true +variable "enable_cost_allocation" { + type = bool + description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery" + default = false +} +variable "resource_usage_export_dataset_id" { + type = string + description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export." + default = "" } -variable "auto_upgrade" { - type = bool - default = true +variable "enable_network_egress_export" { + type = bool + description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic." + default = false } -variable "deletion_protection" { +variable "enable_resource_consumption_export" { type = bool + description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. 
The resulting table can be joined with the resource usage table or with BigQuery billing export." default = true - description = "Environment (e.g. `prod`, `dev`, `staging`)." } -######################### node_config ########################### -variable "image_type" { - type = string - default = "" +variable "cluster_autoscaling" { + type = object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + }) + default = { + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 100 + disk_type = "pd-standard" + } + description = "Cluster autoscaling configuration. 
See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } -variable "machine_type" { - type = string - default = "" +variable "node_pools_taints" { + type = map(list(object({ key = string, value = string, effect = string }))) + description = "Map of lists containing node taints by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = [] + default-node-pool = [] + } } -variable "disk_size_gb" { - type = number - default = 50 +variable "node_pools_tags" { + type = map(list(string)) + description = "Map of lists containing node network tags by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = [] + default-node-pool = [] + } } -variable "disk_type" { - type = string - default = "" +variable "node_pools_oauth_scopes" { + type = map(list(string)) + description = "Map of lists containing node oauth scopes by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = ["https://www.googleapis.com/auth/cloud-platform"] + default-node-pool = [] + } } -variable "preemptible" { - type = bool - default = false +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." 
+ type = list(string) + default = [] } -######################### timeouts ########################### -variable "cluster_create_timeouts" { - type = string - default = "30m" +variable "stub_domains" { + type = map(list(string)) + description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" + default = {} } -variable "cluster_update_timeouts" { - type = string - default = "30m" +variable "upstream_nameservers" { + type = list(string) + description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf" + default = [] } -variable "cluster_delete_timeouts" { - type = string - default = "30m" +variable "non_masquerade_cidrs" { + type = list(string) + description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading." + default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] } -variable "kubectl_config_path" { - description = "Path to the kubectl config file. Defaults to $HOME/.kube/config" +variable "ip_masq_resync_interval" { type = string - default = "" + description = "The interval at which the agent attempts to sync its ConfigMap file from the disk." + default = "60s" } -variable "cluster_name" { - type = string - default = "" +variable "ip_masq_link_local" { + type = bool + description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)." + default = false } -variable "project_id" { +variable "configure_ip_masq" { + type = bool + description = "Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server." 
+ default = false +} + +variable "cluster_telemetry_type" { type = string - default = "" - description = "Google Cloud project ID" + description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY" + default = null } -variable "region" { +variable "logging_service" { type = string - default = "" - description = "Google Cloud region" + description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none" + default = "logging.googleapis.com/kubernetes" } -variable "network" { + +variable "monitoring_service" { type = string - default = "" - description = "A reference (self link) to the VPC network to host the cluster in" + description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" + default = "monitoring.googleapis.com/kubernetes" +} +variable "create_service_account" { + type = bool + description = "Defines if service account specified to run nodes should be created." + default = true } -variable "subnetwork" { +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles." + default = false +} + +variable "registry_project_ids" { + type = list(string) + description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects." 
+ default = [] +} + +variable "service_account" { type = string + description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable." default = "" - description = "A reference (self link) to the subnetwork to host the cluster in" - } -variable "gke_version" { + +variable "service_account_name" { type = string + description = "The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable." default = "" - description = "The minimum version of the master. " +} + +variable "issue_client_certificate" { + type = bool + description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + default = false } variable "cluster_ipv4_cidr" { type = string - default = "" - description = "The IP address range of the Kubernetes pods in this cluster in CIDR notation (e.g. 10.96.0.0/14)." + default = null + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." } -variable "cluster_autoscaling" { +variable "cluster_resource_labels" { + type = map(string) + description = "The GCE resource labels (a map of key/value pairs) to be applied to the cluster" + default = {} +} + + +variable "deploy_using_private_endpoint" { type = bool + description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment." 
default = false - description = "Node Auto-Provisioning with Cluster Autoscaler to automatically adjust the size of the cluster" } -########## Addons Config ########## +variable "enable_private_endpoint" { + type = bool + description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint" + default = false +} -variable "http_load_balancing" { +variable "enable_private_nodes" { type = bool - default = true - description = "Set it false you if want to enable http load balancing" + description = "(Beta) Whether nodes have internal IP addresses only" + default = false } -variable "horizontal_pod_autoscaling" { +variable "master_ipv4_cidr_block" { + type = string + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." + default = "10.0.0.0/28" +} + +variable "master_global_access_enabled" { type = bool + description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." default = true - description = "Set it false you if want to enable horizontal pod autoscaling" } -variable "network_policy" { +variable "dns_cache" { type = bool - default = true - description = "Set it false you if want to enable network policy" + description = "The status of the NodeLocal DNSCache addon." + default = false +} + +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null } -variable "pod_security_policy" { +variable "identity_namespace" { + description = "The workload pool to attach all Kubernetes service accounts to. 
(Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" + type = string + default = "enabled" +} + +variable "enable_mesh_certificates" { type = bool - default = true - description = "PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + +variable "release_channel" { + type = string + description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." + default = "REGULAR" +} + +variable "gateway_api_channel" { + type = string + description = "The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`." + default = null } -variable "spot" { - description = "Enable or disable spot (preemptible) instances for the node pool" +variable "add_cluster_firewall_rules" { type = bool + description = "Create additional firewall rules" default = false } -variable "enable_preemptible" { - description = "Enable or disable preemptible nodes" +variable "add_master_webhook_firewall_rules" { type = bool + description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`" default = false } -variable "enable_private_endpoint" { - description = "Enable or disable the private endpoint for the GKE cluster" +variable "firewall_priority" { + type = number + description = "Priority rule for firewall rules" + default = 1000 +} + +variable "firewall_inbound_ports" { + type = list(string) + description = "List of TCP ports for admission/webhook controllers. 
Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." + default = ["8443", "9443", "15017"] +} + +variable "add_shadow_firewall_rules" { type = bool + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } -variable "enable_private_nodes" { - description = "Enable or disable private nodes for the GKE cluster" +variable "shadow_firewall_rules_priority" { + type = number + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." + default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } +} + +variable "enable_confidential_nodes" { type = bool - default = true + description = "An optional flag to enable confidential node config." + default = false } -variable "master_ipv4_cidr_block" { - description = "The IP range in CIDR notation for the master network in a private GKE cluster. This block is used to assign IP addresses to the master nodes and control access to the master API server. This is only required when 'enable_private_nodes' is set to true." +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." type = string default = "" } -variable "cluster_ipv4_cidr_block" { - description = "The IP range for the cluster pod IPs" +variable "workload_config_audit_mode" { + description = "(beta) Workload config audit mode." 
type = string - default = "" + default = "DISABLED" +} + +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = null +} + +variable "security_posture_mode" { + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + type = string + default = "DISABLED" +} + +variable "security_posture_vulnerability_mode" { + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + type = string + default = "VULNERABILITY_DISABLED" +} + +variable "disable_default_snat" { + type = bool + description = "Whether to disable the default SNAT to support the private use of public IP addresses" + default = false } -variable "services_ipv4_cidr_block" { - description = "The IP range for the services IPs" +variable "notification_config_topic" { type = string + description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." default = "" } -variable "workload_metadata_mode" { - description = "The mode for workload metadata configuration." +variable "deletion_protection" { + type = bool + description = "Whether or not to allow Terraform to destroy the cluster." + default = true +} + +variable "enable_tpu" { + type = bool + description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + default = false +} + +variable "network_policy" { + type = bool + description = "Enable network policy addon" + default = false +} + +variable "network_policy_provider" { type = string - default = "GKE_METADATA" + description = "The network policy provider." + default = "CALICO" } -variable "master_authorized_networks" { - description = "A list of CIDR blocks that are allowed to access the master node." 
- type = list(object({ - cidr_block = string - display_name = string - })) - default = [ - { - cidr_block = "10.0.0.0/28" - display_name = "default-network" - } - ] +variable "initial_node_count" { + type = number + description = "The number of nodes to create in this cluster's default node pool." + default = 0 } -variable "enable_master_authorized_networks" { - description = "Whether to enable master authorized networks for the GKE cluster." +variable "remove_default_node_pool" { + type = bool + description = "Remove default node pool while setting up the cluster" + default = false +} + +variable "filestore_csi_driver" { type = bool + description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" + default = false +} + +variable "disable_legacy_metadata_endpoints" { + type = bool + description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." default = true } -variable "enable_resource_labels" { - description = "Flag to enable or disable GCE resource labels." +variable "default_max_pods_per_node" { + type = number + description = "The maximum number of pods to schedule per node" + default = 110 +} + +variable "database_encryption" { + description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." 
+ type = list(object({ state = string, key_name = string })) + + default = [{ + state = "DECRYPTED" + key_name = "" + }] +} + +variable "enable_shielded_nodes" { + type = bool + description = "Enable Shielded Nodes features on all nodes in this cluster" + default = true +} + +variable "enable_binary_authorization" { + type = bool + description = "Enable BinAuthZ Admission controller" + default = false +} + +variable "node_metadata" { + description = "Specifies how node metadata is exposed to the workload running on the node" + default = "GKE_METADATA" + type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE." + } +} + +variable "cluster_dns_provider" { + type = string + description = "Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS." + default = "PROVIDER_UNSPECIFIED" +} + +variable "cluster_dns_scope" { + type = string + description = "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + default = "DNS_SCOPE_UNSPECIFIED" +} + +variable "cluster_dns_domain" { + type = string + description = "The suffix used for all cluster service records." + default = "" +} + +variable "gce_pd_csi_driver" { type = bool + description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." default = true } -variable "resource_labels" { - description = "Resource labels for GCE resources." +variable "gke_backup_agent_config" { + type = bool + description = "Whether Backup for GKE agent is enabled for this cluster." + default = false +} + +variable "gcs_fuse_csi_driver" { + type = bool + description = "Whether GCE FUSE CSI driver is enabled for this cluster." 
+ default = false +} + +variable "timeouts" { type = map(string) - default = { - "env" = "production" + description = "Timeout for cluster operations." + default = {} + validation { + condition = !contains([for t in keys(var.timeouts) : contains(["create", "update", "delete"], t)], false) + error_message = "Only create, update, delete timeouts can be specified." } } -variable "enable_metadata" { - description = "Enable or disable the metadata block." +variable "monitoring_enable_managed_prometheus" { + type = bool + description = "Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled." + default = false +} + +variable "monitoring_enable_observability_metrics" { + type = bool + description = "Whether or not the advanced datapath metrics are enabled." + default = false +} + +variable "monitoring_observability_metrics_relay_mode" { + type = string + description = "Mode used to make advanced datapath metrics relay available." + default = null + validation { + condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) + error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." + } +} + +variable "monitoring_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] +} + +variable "logging_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] +} + +variable "enable_kubernetes_alpha" { + type = bool + description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." 
+ default = false +} + +variable "config_connector" { + type = bool + description = "Whether ConfigConnector is enabled for this cluster." + default = false +} + +variable "enable_l4_ilb_subsetting" { type = bool + description = "Enable L4 ILB Subsetting on the cluster" default = false } -variable "enable_ip_allocation_policy" { - description = "Set to true to enable IP allocation policy, false to disable" +variable "istio" { + description = "(Beta) Enable Istio addon" type = bool default = false } +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" +} + +variable "kalm_config" { + type = bool + description = "(Beta) Whether KALM is enabled for this cluster." + default = false +} -variable "enable_workload_metadata_config" { - description = "Set to true to enable IP allocation policy, false to disable" +variable "cloudrun" { + description = "(Beta) Enable CloudRun addon" type = bool default = false } -variable "node_location" { +variable "cloudrun_load_balancer_type" { + description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." type = string default = "" - description = "The location (region or zone) in which the cluster master will be created, as well as the default node location." } +variable "enable_pod_security_policy" { + type = bool + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0." + default = false +} + +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." 
+ default = false +} + +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/variables_defaults.tf b/variables_defaults.tf new file mode 100644 index 0000000..2d9e29a --- /dev/null +++ b/variables_defaults.tf 
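Review bot: The `node_metadata` validation admits `EXPOSE`, `UNSPECIFIED` and `GCE_METADATA`, but the description says nothing about what those cost: to my knowledge any mode other than `GKE_METADATA` (or its legacy alias `GKE_METADATA_SERVER`) stops the GKE metadata server from concealing node credentials, so every pod on the pool can fetch the node service account's access token from the metadata server, and `node_pools_oauth_scopes` in this same hunk defaults that account to the broad `cloud-platform` scope. The `GKE_METADATA` default is right; the point is to make the trade-off visible to callers who change it, e.g. `description = "How node metadata is exposed to workloads. GKE_METADATA (default) conceals node credentials and is required for Workload Identity; GCE_METADATA, EXPOSE and UNSPECIFIED let any pod read the node's metadata server, including the node service account's access token."`. Separately, the `(Beta)` prefixes on `enable_private_nodes`, `enable_private_endpoint`, `master_ipv4_cidr_block` and `deploy_using_private_endpoint` look stale for a module that requires provider 5.x, and `registry_project_ids` carries the typo `artifactregsitry.reader`.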
@@ -0,0 +1,96 @@
+
+locals {
+ node_pools_labels = merge(
+ { all = {} },
+ { default-node-pool = {} },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in var.node_pools : {}]
+ ),
+ zipmap(
+ [for node_pool in var.windows_node_pools : node_pool["name"]],
+ [for node_pool in var.windows_node_pools : {}]
+ ),
+ var.node_pools_labels
+ )
+
+ node_pools_resource_labels = merge(
+ { all = {} },
+ { default-node-pool = {} },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in var.node_pools : {}]
+ ),
+ zipmap(
+ [for node_pool in var.windows_node_pools : node_pool["name"]],
+ [for node_pool in var.windows_node_pools : {}]
+ ),
+ var.node_pools_resource_labels
+ )
+
+ node_pools_metadata = merge(
+ { all = {} },
+ { default-node-pool = {} },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in var.node_pools : {}]
+ ),
+ zipmap(
+ [for node_pool in var.windows_node_pools : node_pool["name"]],
+ [for node_pool in var.windows_node_pools : {}]
+ ),
+ var.node_pools_metadata
+ )
+
+ node_pools_taints = merge(
+ { all = [] },
+ { default-node-pool = [] },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in var.node_pools : []]
+ ),
+ zipmap(
+ [for node_pool in var.windows_node_pools : node_pool["name"]],
+ [for node_pool in var.windows_node_pools : []]
+ ),
+ var.node_pools_taints
+ )
+
+ node_pools_tags = merge(
+ { all = [] },
+ { default-node-pool = [] },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in var.node_pools : []]
+ ),
+ zipmap(
+ [for node_pool in var.windows_node_pools : node_pool["name"]],
+ [for node_pool in var.windows_node_pools : []]
+ ),
+ var.node_pools_tags
+ )
+
+ node_pools_oauth_scopes = merge(
+ { all = ["https://www.googleapis.com/auth/cloud-platform"] },
+ { default-node-pool = [] },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in 
var.node_pools : []]
+ ),
+ zipmap(
+ [for node_pool in var.windows_node_pools : node_pool["name"]],
+ [for node_pool in var.windows_node_pools : []]
+ ),
+ var.node_pools_oauth_scopes
+ )
+
+ node_pools_linux_node_configs_sysctls = merge(
+ { all = {} },
+ { default-node-pool = {} },
+ zipmap(
+ [for node_pool in var.node_pools : node_pool["name"]],
+ [for node_pool in var.node_pools : {}]
+ ),
+ var.node_pools_linux_node_configs_sysctls
+ )
+}
diff --git a/versions.tf b/versions.tf
index 000817c..c39290b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,14 +1,14 @@
 terraform {
- required_version = ">= 1.7.0"
+ required_version = ">=1.3"
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.22.0"
+ version = ">= 5.9.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.22.0"
+ version = ">= 5.9.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
@@ -18,9 +18,5 @@ terraform {
 source = "hashicorp/random"
 version = ">= 2.1"
 }
- null = {
- source = "hashicorp/null"
- version = ">= 3.0.0"
- }
 }
 }
From 0e6573df16652fbefe94cc095081eacbf828ca30 Mon Sep 17 00:00:00 2001
From: Kkhandale2024
Date: Thu, 29 Aug 2024 15:37:37 +0530
Subject: [PATCH 52/54] feat: change in workflow
---
 .github/dependabot.yml | 13 +------------
 .github/workflows/tf-checks.yml | 5 +----
 2 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 29d5cdc..f4d265e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
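Review bot: The `all` entry of `node_pools_oauth_scopes` in the new variables_defaults.tf seeds every node pool with `https://www.googleapis.com/auth/cloud-platform`, while every other local in the file defaults to empty, and nothing in the hunk documents that choice. That scope is the broadest one a node can request, so the effective blast radius of a compromised node is then bounded only by the IAM roles bound to the node service account; a comment above that entry would make the trade-off explicit, e.g. `# cloud-platform is the widest OAuth scope; effective access is limited only by the node service account's IAM bindings, so keep that account minimally privileged or override this per pool.` Relatedly, `node_pools_linux_node_configs_sysctls` is the only local that omits the `var.windows_node_pools` zipmap; if that is intentional (sysctls are Linux-only), a one-line comment such as `# Linux-only: Windows pools have no linux_node_config` would stop a future reader from "fixing" it.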
@@ -29,15 +29,4 @@ updates: # Allow up to 3 open pull requests for pip dependencies open-pull-requests-limit: 3 - - package-ecosystem: "terraform" # See documentation for possible values - directory: "examples/self-hosted-node-pools" # Location of package manifests - schedule: - interval: "weekly" - # Add assignees - assignees: - - "clouddrove-ci" - # Add reviewer - reviewers: - - "approvers" - # Allow up to 3 open pull requests for pip dependencies - open-pull-requests-limit: 3 \ No newline at end of file + \ No newline at end of file diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml index 479a122..a3327d0 100644 --- a/.github/workflows/tf-checks.yml +++ b/.github/workflows/tf-checks.yml @@ -10,7 +10,4 @@ jobs: with: working_directory: './examples/managed-node-pools/' - complete: - uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master - with: - working_directory: './examples/self-hosted-node-pools/' \ No newline at end of file + \ No newline at end of file From a4cc6f4ae87f82ae6ab5b68a19efccc75d2932f3 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Thu, 29 Aug 2024 15:54:31 +0530 Subject: [PATCH 53/54] feat: change in readme and workflow --- .github/dependabot.yml | 2 +- .github/workflows/tf-checks.yml | 2 +- README.md | 223 ------------------ README.yaml | 119 ++++------ .../example.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../versions.tf | 6 +- versions.tf | 6 +- 9 files changed, 60 insertions(+), 298 deletions(-) delete mode 100644 README.md rename examples/{managed-node-pools => complete-example}/example.tf (100%) rename examples/{managed-node-pools => complete-example}/outputs.tf (100%) rename examples/{managed-node-pools => complete-example}/variables.tf (100%) rename examples/{managed-node-pools => complete-example}/versions.tf (81%) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f4d265e..400fa6b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -17,7 +17,7 @@ updates: - "approvers" - package-ecosystem: "terraform" # See documentation for possible values - directory: "examples/managed-node-pools" # Location of package manifests + directory: "examples/complete-example" # Location of package manifests schedule: interval: "weekly" # Add assignees diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml index a3327d0..903c621 100644 --- a/.github/workflows/tf-checks.yml +++ b/.github/workflows/tf-checks.yml @@ -8,6 +8,6 @@ jobs: basic: uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master with: - working_directory: './examples/managed-node-pools/' + working_directory: './examples/complete-example/' \ No newline at end of file diff --git a/README.md b/README.md deleted file mode 100644 index 1bbcb75..0000000 --- a/README.md +++ /dev/null 
@@ -1,223 +0,0 @@ - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >=1.3 | -| [google](#requirement\_google) | >= 5.9.0, < 6 | -| [google-beta](#requirement\_google-beta) | >= 5.9.0, < 6 | -| [kubernetes](#requirement\_kubernetes) | ~> 2.10 | -| [random](#requirement\_random) | >= 2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 5.9.0, < 6 | -| [google-beta](#provider\_google-beta) | >= 5.9.0, < 6 | -| [kubernetes](#provider\_kubernetes) | ~> 2.10 | -| [random](#provider\_random) | >= 2.1 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google-beta_google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_cluster) | resource | -| [google-beta_google_container_node_pool.pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource | -| [google-beta_google_container_node_pool.windows_pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource | -| [google-beta_google_project_service_identity.fleet_project](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_project_service_identity) | resource | -| [google_compute_firewall.intra_egress](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_compute_firewall.master_webhooks](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_compute_firewall.shadow_allow_inkubelet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| 
[google_compute_firewall.shadow_allow_master](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_compute_firewall.shadow_allow_nodes](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_compute_firewall.shadow_allow_pods](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_compute_firewall.shadow_deny_exkubelet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_compute_firewall.tpu_egress](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | -| [google_project_iam_member.cluster_service_account-artifact-registry](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.cluster_service_account-gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.cluster_service_account-nodeService_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.service_agent](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_service_account.cluster_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | -| [kubernetes_config_map.ip-masq-agent](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_config_map_v1_data.kube-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | -| 
[kubernetes_config_map_v1_data.kube-dns-upstream-nameservers-and-stub-domains](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | -| [kubernetes_config_map_v1_data.kube-dns-upstream-namservers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource | -| [random_shuffle.available_zones](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/shuffle) | resource | -| [random_string.cluster_service_account_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [google-beta_google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/data-sources/google_compute_zones) | data source | -| [google_compute_subnetwork.gke_subnetwork](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_subnetwork) | data source | -| [google_container_engine_versions.region](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_engine_versions) | data source | -| [google_container_engine_versions.zone](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_engine_versions) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [add\_cluster\_firewall\_rules](#input\_add\_cluster\_firewall\_rules) | Create additional firewall rules | `bool` | `false` | no | -| [add\_master\_webhook\_firewall\_rules](#input\_add\_master\_webhook\_firewall\_rules) | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | -| [add\_shadow\_firewall\_rules](#input\_add\_shadow\_firewall\_rules) | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). 
| `bool` | `false` | no | -| [additional\_ip\_range\_pods](#input\_additional\_ip\_range\_pods) | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | -| [authenticator\_security\_group](#input\_authenticator\_security\_group) | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| [cloudrun](#input\_cloudrun) | (Beta) Enable CloudRun addon | `bool` | `false` | no | -| [cloudrun\_load\_balancer\_type](#input\_cloudrun\_load\_balancer\_type) | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| [cluster\_autoscaling](#input\_cluster\_autoscaling) | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | -| [cluster\_dns\_domain](#input\_cluster\_dns\_domain) | The suffix used for all cluster service records. | `string` | `""` | no | -| [cluster\_dns\_provider](#input\_cluster\_dns\_provider) | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | -| [cluster\_dns\_scope](#input\_cluster\_dns\_scope) | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | -| [cluster\_ipv4\_cidr](#input\_cluster\_ipv4\_cidr) | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | -| [cluster\_resource\_labels](#input\_cluster\_resource\_labels) | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| [cluster\_telemetry\_type](#input\_cluster\_telemetry\_type) | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | -| [config\_connector](#input\_config\_connector) | Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | -| [configure\_ip\_masq](#input\_configure\_ip\_masq) | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | -| [create\_service\_account](#input\_create\_service\_account) | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | -| [database\_encryption](#input\_database\_encryption) | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. 
| `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | -| [datapath\_provider](#input\_datapath\_provider) | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | -| [default\_max\_pods\_per\_node](#input\_default\_max\_pods\_per\_node) | The maximum number of pods to schedule per node | `number` | `110` | no | -| [deletion\_protection](#input\_deletion\_protection) | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no | -| [deploy\_using\_private\_endpoint](#input\_deploy\_using\_private\_endpoint) | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | -| [description](#input\_description) | The description of the cluster | `string` | `""` | no | -| [disable\_default\_snat](#input\_disable\_default\_snat) | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | -| [disable\_legacy\_metadata\_endpoints](#input\_disable\_legacy\_metadata\_endpoints) | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | -| [dns\_cache](#input\_dns\_cache) | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | -| [enable\_binary\_authorization](#input\_enable\_binary\_authorization) | Enable BinAuthZ Admission controller | `bool` | `false` | no | -| [enable\_confidential\_nodes](#input\_enable\_confidential\_nodes) | An optional flag to enable confidential node config. 
| `bool` | `false` | no | -| [enable\_cost\_allocation](#input\_enable\_cost\_allocation) | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | -| [enable\_fqdn\_network\_policy](#input\_enable\_fqdn\_network\_policy) | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| [enable\_gcfs](#input\_enable\_gcfs) | Enable image streaming on cluster level. | `bool` | `false` | no | -| [enable\_identity\_service](#input\_enable\_identity\_service) | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | -| [enable\_intranode\_visibility](#input\_enable\_intranode\_visibility) | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | -| [enable\_kubernetes\_alpha](#input\_enable\_kubernetes\_alpha) | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | -| [enable\_l4\_ilb\_subsetting](#input\_enable\_l4\_ilb\_subsetting) | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | -| [enable\_mesh\_certificates](#input\_enable\_mesh\_certificates) | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | -| [enable\_network\_egress\_export](#input\_enable\_network\_egress\_export) | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. 
| `bool` | `false` | no | -| [enable\_pod\_security\_policy](#input\_enable\_pod\_security\_policy) | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | -| [enable\_private\_endpoint](#input\_enable\_private\_endpoint) | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| [enable\_private\_nodes](#input\_enable\_private\_nodes) | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | -| [enable\_resource\_consumption\_export](#input\_enable\_resource\_consumption\_export) | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | -| [enable\_shielded\_nodes](#input\_enable\_shielded\_nodes) | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | -| [enable\_tpu](#input\_enable\_tpu) | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| [enable\_vertical\_pod\_autoscaling](#input\_enable\_vertical\_pod\_autoscaling) | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | -| [filestore\_csi\_driver](#input\_filestore\_csi\_driver) | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | -| [firewall\_inbound\_ports](#input\_firewall\_inbound\_ports) | List of TCP ports for admission/webhook controllers. 
Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | -| [firewall\_priority](#input\_firewall\_priority) | Priority rule for firewall rules | `number` | `1000` | no | -| [fleet\_project](#input\_fleet\_project) | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | -| [fleet\_project\_grant\_service\_agent](#input\_fleet\_project\_grant\_service\_agent) | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | -| [gateway\_api\_channel](#input\_gateway\_api\_channel) | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | -| [gce\_pd\_csi\_driver](#input\_gce\_pd\_csi\_driver) | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | -| [gcs\_fuse\_csi\_driver](#input\_gcs\_fuse\_csi\_driver) | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | -| [gke\_backup\_agent\_config](#input\_gke\_backup\_agent\_config) | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | -| [grant\_registry\_access](#input\_grant\_registry\_access) | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | -| [horizontal\_pod\_autoscaling](#input\_horizontal\_pod\_autoscaling) | Enable horizontal pod autoscaling addon | `bool` | `true` | no | -| [http\_load\_balancing](#input\_http\_load\_balancing) | Enable httpload balancer addon | `bool` | `true` | no | -| [identity\_namespace](#input\_identity\_namespace) | The workload pool to attach all Kubernetes service accounts to. 
(Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| [initial\_node\_count](#input\_initial\_node\_count) | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | -| [ip\_masq\_link\_local](#input\_ip\_masq\_link\_local) | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | -| [ip\_masq\_resync\_interval](#input\_ip\_masq\_resync\_interval) | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | -| [ip\_range\_pods](#input\_ip\_range\_pods) | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| [ip\_range\_services](#input\_ip\_range\_services) | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | -| [issue\_client\_certificate](#input\_issue\_client\_certificate) | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| [istio](#input\_istio) | (Beta) Enable Istio addon | `bool` | `false` | no | -| [istio\_auth](#input\_istio\_auth) | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | -| [kalm\_config](#input\_kalm\_config) | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no | -| [kubernetes\_version](#input\_kubernetes\_version) | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| [logging\_enabled\_components](#input\_logging\_enabled\_components) | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. 
| `list(string)` | `[]` | no | -| [logging\_service](#input\_logging\_service) | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | -| [maintenance\_end\_time](#input\_maintenance\_end\_time) | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | -| [maintenance\_exclusions](#input\_maintenance\_exclusions) | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | -| [maintenance\_recurrence](#input\_maintenance\_recurrence) | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | -| [maintenance\_start\_time](#input\_maintenance\_start\_time) | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | -| [master\_authorized\_networks](#input\_master\_authorized\_networks) | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| [master\_global\_access\_enabled](#input\_master\_global\_access\_enabled) | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| [master\_ipv4\_cidr\_block](#input\_master\_ipv4\_cidr\_block) | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | -| [monitoring\_enable\_managed\_prometheus](#input\_monitoring\_enable\_managed\_prometheus) | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. 
| `bool` | `false` | no | -| [monitoring\_enable\_observability\_metrics](#input\_monitoring\_enable\_observability\_metrics) | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | -| [monitoring\_enabled\_components](#input\_monitoring\_enabled\_components) | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| [monitoring\_observability\_metrics\_relay\_mode](#input\_monitoring\_observability\_metrics\_relay\_mode) | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | -| [monitoring\_service](#input\_monitoring\_service) | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | -| [name](#input\_name) | The name of the cluster (required) | `string` | n/a | yes | -| [network](#input\_network) | The VPC network to host the cluster in (required) | `string` | n/a | yes | -| [network\_policy](#input\_network\_policy) | Enable network policy addon | `bool` | `false` | no | -| [network\_policy\_provider](#input\_network\_policy\_provider) | The network policy provider. | `string` | `"CALICO"` | no | -| [network\_project\_id](#input\_network\_project\_id) | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| [network\_tags](#input\_network\_tags) | (Optional) - List of network tags applied to auto-provisioned node pools. 
| `list(string)` | `[]` | no | -| [node\_metadata](#input\_node\_metadata) | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | -| [node\_pools](#input\_node\_pools) | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | -| [node\_pools\_labels](#input\_node\_pools\_labels) | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| [node\_pools\_linux\_node\_configs\_sysctls](#input\_node\_pools\_linux\_node\_configs\_sysctls) | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| [node\_pools\_metadata](#input\_node\_pools\_metadata) | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| [node\_pools\_oauth\_scopes](#input\_node\_pools\_oauth\_scopes) | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | -| [node\_pools\_resource\_labels](#input\_node\_pools\_resource\_labels) | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| [node\_pools\_tags](#input\_node\_pools\_tags) | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | -| [node\_pools\_taints](#input\_node\_pools\_taints) | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | -| [non\_masquerade\_cidrs](#input\_non\_masquerade\_cidrs) | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | -| [notification\_config\_topic](#input\_notification\_config\_topic) | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | -| [project\_id](#input\_project\_id) | The project ID to host the cluster in (required) | `string` | n/a | yes | -| [region](#input\_region) | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | -| [regional](#input\_regional) | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| [registry\_project\_ids](#input\_registry\_project\_ids) | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | -| [release\_channel](#input\_release\_channel) | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | -| [remove\_default\_node\_pool](#input\_remove\_default\_node\_pool) | Remove default node pool while setting up the cluster | `bool` | `false` | no | -| [resource\_usage\_export\_dataset\_id](#input\_resource\_usage\_export\_dataset\_id) | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| [sandbox\_enabled](#input\_sandbox\_enabled) | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | -| [security\_posture\_mode](#input\_security\_posture\_mode) | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. 
| `string` | `"DISABLED"` | no | -| [security\_posture\_vulnerability\_mode](#input\_security\_posture\_vulnerability\_mode) | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | -| [service\_account](#input\_service\_account) | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | -| [service\_account\_name](#input\_service\_account\_name) | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | -| [service\_external\_ips](#input\_service\_external\_ips) | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | -| [shadow\_firewall\_rules\_log\_config](#input\_shadow\_firewall\_rules\_log\_config) | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | -| [shadow\_firewall\_rules\_priority](#input\_shadow\_firewall\_rules\_priority) | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| [stack\_type](#input\_stack\_type) | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | -| [stub\_domains](#input\_stub\_domains) | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | -| [subnetwork](#input\_subnetwork) | The subnetwork to host the cluster in (required) | `string` | n/a | yes | -| [timeouts](#input\_timeouts) | Timeout for cluster operations. | `map(string)` | `{}` | no | -| [upstream\_nameservers](#input\_upstream\_nameservers) | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| [windows\_node\_pools](#input\_windows\_node\_pools) | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | -| [workload\_config\_audit\_mode](#input\_workload\_config\_audit\_mode) | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no | -| [workload\_vulnerability\_mode](#input\_workload\_vulnerability\_mode) | (beta) Vulnerability mode. 
| `string` | `""` | no | -| [zones](#input\_zones) | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [ca\_certificate](#output\_ca\_certificate) | Cluster ca certificate (base64 encoded) | -| [cloudrun\_enabled](#output\_cloudrun\_enabled) | Whether CloudRun enabled | -| [cluster\_id](#output\_cluster\_id) | Cluster ID | -| [dns\_cache\_enabled](#output\_dns\_cache\_enabled) | Whether DNS Cache enabled | -| [endpoint](#output\_endpoint) | Cluster endpoint | -| [fleet\_membership](#output\_fleet\_membership) | Fleet membership (if registered) | -| [gateway\_api\_channel](#output\_gateway\_api\_channel) | The gateway api channel of this cluster. | -| [horizontal\_pod\_autoscaling\_enabled](#output\_horizontal\_pod\_autoscaling\_enabled) | Whether horizontal pod autoscaling enabled | -| [http\_load\_balancing\_enabled](#output\_http\_load\_balancing\_enabled) | Whether http load balancing enabled | -| [identity\_namespace](#output\_identity\_namespace) | Workload Identity pool | -| [identity\_service\_enabled](#output\_identity\_service\_enabled) | Whether Identity Service is enabled | -| [instance\_group\_urls](#output\_instance\_group\_urls) | List of GKE generated instance groups | -| [intranode\_visibility\_enabled](#output\_intranode\_visibility\_enabled) | Whether intra-node visibility is enabled | -| [istio\_enabled](#output\_istio\_enabled) | Whether Istio is enabled | -| [location](#output\_location) | Cluster location (region if regional cluster, zone if zonal cluster) | -| [logging\_service](#output\_logging\_service) | Logging service used | -| [master\_authorized\_networks\_config](#output\_master\_authorized\_networks\_config) | Networks from which access to master is permitted | -| [master\_ipv4\_cidr\_block](#output\_master\_ipv4\_cidr\_block) | The IP range in CIDR notation used for the hosted master network | -| 
[master\_version](#output\_master\_version) | Current master kubernetes version | -| [mesh\_certificates\_config](#output\_mesh\_certificates\_config) | Mesh certificates configuration | -| [min\_master\_version](#output\_min\_master\_version) | Minimum master kubernetes version | -| [monitoring\_service](#output\_monitoring\_service) | Monitoring service used | -| [name](#output\_name) | Cluster name | -| [network\_policy\_enabled](#output\_network\_policy\_enabled) | Whether network policy enabled | -| [node\_pools\_names](#output\_node\_pools\_names) | List of node pools names | -| [node\_pools\_versions](#output\_node\_pools\_versions) | Node pool versions by node pool name | -| [peering\_name](#output\_peering\_name) | The name of the peering between this cluster and the Google owned VPC. | -| [pod\_security\_policy\_enabled](#output\_pod\_security\_policy\_enabled) | Whether pod security policy is enabled | -| [region](#output\_region) | Cluster region | -| [release\_channel](#output\_release\_channel) | The release channel of this cluster | -| [service\_account](#output\_service\_account) | The service account to default running nodes as if not overridden in `node_pools`. | -| [tpu\_ipv4\_cidr\_block](#output\_tpu\_ipv4\_cidr\_block) | The IP range in CIDR notation used for the TPUs | -| [type](#output\_type) | Cluster type (regional / zonal) | -| [vertical\_pod\_autoscaling\_enabled](#output\_vertical\_pod\_autoscaling\_enabled) | Whether vertical pod autoscaling enabled | -| [zones](#output\_zones) | List of zones in which the cluster resides | - \ No newline at end of file diff --git a/README.yaml b/README.yaml index 4e93d0e..c1cd2a9 100644 --- a/README.yaml +++ b/README.yaml 
@@ -46,75 +46,60 @@ usage: |- Here are some examples of how you can use this module in your inventory structure: ### Default gke ```hcl - module "gke" { - source = "../../" + module "gke-dev-jetic-cluster" { + source = "../../" + project_id = var.gcp_project_id + name = "cluster-1" + region = "us-central1" + zones = ["us-central1-c"] + network = "test-vpc-dev" + subnetwork = "dev-test" + ip_range_pods = "pods" + workload_config_audit_mode = "BASIC" + security_posture_mode = "BASIC" + kubernetes_version = "1.30.2-gke.1587003" + regional = true - name = "gke" - environment = var.environment - label_order = var.label_order + logging_service = "logging.googleapis.com/kubernetes" + monitoring_service = "monitoring.googleapis.com/kubernetes" + enable_private_nodes = true + release_channel = "STABLE" + horizontal_pod_autoscaling = true + http_load_balancing = false + filestore_csi_driver = true + istio = false + network_policy = true + ip_range_services = "services" + create_service_account = false + cluster_resource_labels = { env = "test" } + service_account = "example@example.gserviceaccount.com" + remove_default_node_pool = true + disable_legacy_metadata_endpoints = true + deletion_protection = false - network = module.vpc.vpc_id - subnetwork = module.subnet.id - project_id = var.gcp_project_id - region = var.gcp_region - - cluster_name = "test-gke" - location = "us-central1" - gke_version = "1.30.2-gke.1587003" - remove_default_node_pool = true - service_account = "example@example.gserviceaccount.com" - deletion_protection = false - cluster_autoscaling = false - http_load_balancing = false - horizontal_pod_autoscaling = false - network_policy = false - spot = false - enable_preemptible = true - pod_security_policy = true - enable_private_endpoint = false - enable_private_nodes = false - master_ipv4_cidr_block = "10.13.0.0/28" - cluster_ipv4_cidr_block = "/14" - services_ipv4_cidr_block = "/20" - workload_metadata_mode = "GKE_METADATA" - cluster_network_policy = { - 
policy1 = { - enabled = false - provider = "CALICO" - } - } - enable_master_authorized_networks = false - master_authorized_networks = [ - { - cidr_block = "192.168.1.0/24" - display_name = "Office Network" - }, - ] - managed_node_pool = [ + node_pools = [ { - name = "critical" - initial_node_count = 1 - machine_type = "g1-small" - image_type = "COS_CONTAINERD" - disk_size_gb = "10" - disk_type = "pd-standard" - preemptible = true - }, - { - name = "general" - initial_node_count = 1 - image_type = "COS_CONTAINERD" - machine_type = "g1-small" - disk_size_gb = "10" - disk_type = "pd-standard" - preemptible = true + name = "critical" + master_version = "1.30.2-gke.1587003" + machine_type = "g1-small" + node_locations = "us-central1-c" + min_count = 1 + max_count = 1 + local_ssd_count = 0 + spot = true + disk_size_gb = 10 + disk_type = "pd-standard" + image_type = "cos_containerd" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + create_service_account = false + service_account = "example@example.gserviceaccount.com" + preemptible = false + initial_node_count = 1 + enable_node_pool_autoscaling = false + enable_private_nodes = true } - ] - - enable_resource_labels = false - - resource_labels = { - "env" = "production" - } - } ``` \ No newline at end of file diff --git a/examples/managed-node-pools/example.tf b/examples/complete-example/example.tf similarity index 100% rename from examples/managed-node-pools/example.tf rename to examples/complete-example/example.tf diff --git a/examples/managed-node-pools/outputs.tf b/examples/complete-example/outputs.tf similarity index 100% rename from examples/managed-node-pools/outputs.tf rename to examples/complete-example/outputs.tf diff --git a/examples/managed-node-pools/variables.tf b/examples/complete-example/variables.tf similarity index 100% rename from examples/managed-node-pools/variables.tf rename to examples/complete-example/variables.tf 
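Review bot: The rewritten "Default gke" usage example sets `enable_private_nodes = true` but drops the `enable_private_endpoint` and `master_authorized_networks` settings the old example carried, and nothing in the new block restricts who can reach the control-plane endpoint, so a user who copies it gets private nodes with an API server reachable from any source IP unless the module's defaults (not visible in this hunk) restrict it. Since this is the snippet users paste, I would show the module's equivalent private-endpoint/authorized-networks input next to `enable_private_nodes = true`, or at least add a comment there such as `# nodes are private; also restrict the control-plane endpoint (private endpoint / authorized networks) before using this outside a sandbox`. `deletion_protection = false` likewise deserves an inline note, e.g. `deletion_protection = false # only for disposable test clusters; keep the default for anything long-lived`. Minor: `image_type = "cos_containerd"` is lowercase while the module's own input docs refer to `COS_CONTAINERD`; the provider appears to compare this value case-insensitively, but keeping the documented uppercase form avoids confusion.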
diff --git a/examples/managed-node-pools/versions.tf b/examples/complete-example/versions.tf similarity index 81% rename from examples/managed-node-pools/versions.tf rename to examples/complete-example/versions.tf index 2bdc416..e9d1b5c 100644 --- a/examples/managed-node-pools/versions.tf +++ b/examples/complete-example/versions.tf @@ -1,14 +1,14 @@ terraform { - required_version = ">=1.3" + required_version = ">=1.7.0" required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.22.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.22.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/versions.tf b/versions.tf index c39290b..af9d5b0 100644 --- a/versions.tf +++ b/versions.tf @@ -1,14 +1,14 @@ terraform { - required_version = ">=1.3" + required_version = ">=1.7.0" required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.22.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.22.0" } kubernetes = { source = "hashicorp/kubernetes" From 39b69facc22b5102e566e3d0788e7335328772e6 Mon Sep 17 00:00:00 2001 From: Kkhandale2024 Date: Thu, 29 Aug 2024 15:57:51 +0530 Subject: [PATCH 54/54] feat: tfcheck issue --- README.yaml | 4 ++-- examples/complete-example/versions.tf | 6 +++--- versions.tf | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.yaml b/README.yaml index c1cd2a9..c9fb342 100644 --- a/README.yaml +++ b/README.yaml @@ -30,12 +30,12 @@ badges: prerequesties: - name: Terraform url: https://learn.hashicorp.com/terraform/getting-started/install.html - version: ">= 1.7.0" + version: ">= 1.3" providers: - name: gcp url: https://cloud.google.com/ - version: ">= 5.22.0" + version: ">= 5.9.0, < 6" # description of this project description: |- 
diff --git a/examples/complete-example/versions.tf b/examples/complete-example/versions.tf index e9d1b5c..2bdc416 100644 --- a/examples/complete-example/versions.tf +++ b/examples/complete-example/versions.tf @@ -1,14 +1,14 @@ terraform { - required_version = ">=1.7.0" + required_version = ">=1.3" required_providers { google = { source = "hashicorp/google" - version = ">= 5.22.0" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.22.0" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/versions.tf b/versions.tf index af9d5b0..c39290b 100644 --- a/versions.tf +++ b/versions.tf @@ -1,14 +1,14 @@ terraform { - required_version = ">=1.7.0" + required_version = ">=1.3" required_providers { google = { source = "hashicorp/google" - version = ">= 5.22.0" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.22.0" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes"