Add Kubernetes ranges for google-cloud-kubernetes repository #147

Merged
merged 2 commits into from
Mar 31, 2024

brettcurtis
Contributor

@brettcurtis brettcurtis commented Mar 31, 2024

Summary by CodeRabbit

  • New Features

    • Introduced region-specific subnet configurations across various environments (non-production, production, sandbox) with unique IP ranges and master configurations.
    • Added service_project_number field to subnet configurations to enhance project management and identification.
  • Refactor

    • Renamed module_subnet to module_subnets and updated related attributes to align with the new naming convention.
    • Adjusted subnet configurations to be more region-specific, providing distinct IP ranges and configurations for enhanced network management.
  • Documentation

    • Updated documentation to reflect changes in subnet naming and the addition of the service_project_number field.

@brettcurtis brettcurtis self-assigned this Mar 31, 2024

infracost bot commented Mar 31, 2024

💰 Infracost report

Monthly cost will not change

Governance checks

🟢 52 passed
50 FinOps policies, 1 Tagging policy, and 1 Guardrail passed.

View report in Infracost Cloud. This comment will be updated when code changes.


coderabbitai bot commented Mar 31, 2024

Walkthrough

This update focuses on enhancing the infrastructure management for Kubernetes clusters by renaming modules, updating subnet configurations, and introducing service project numbers. It streamlines the Terraform configuration for better clarity and specificity across different environments (non-production, production, sandbox) and regions (us-east1, us-east4), ensuring a more efficient and region-specific deployment process.

Changes

| File Path | Change Summary |
|---|---|
| regional/README.md | Renamed module_subnet to module_subnets, updated input_subnets to include service_project_number. |
| regional/main.tf | Updated module names, attributes, and values for better specificity and clarity. |
| regional/tfvars/...-non-production.tfvars | Updated and added new subnet configurations for non-production environments across regions. |
| regional/tfvars/...-production.tfvars | Updated subnet configurations for production environments across regions. |
| regional/tfvars/...-sandbox.tfvars | Added new subnets with unique configurations for sandbox environments across regions. |
| regional/variables.tf | Removed kubernetes_service_projects, added service_project_number to subnets variable. |

@brettcurtis brettcurtis temporarily deployed to Sandbox: Regional - us-east1 March 31, 2024 14:31 — with GitHub Actions Inactive
@brettcurtis brettcurtis temporarily deployed to Sandbox: Regional - us-east4 March 31, 2024 14:31 — with GitHub Actions Inactive
@brettcurtis brettcurtis temporarily deployed to Sandbox: Regional - us-east1 March 31, 2024 14:34 — with GitHub Actions Inactive
@brettcurtis brettcurtis temporarily deployed to Sandbox: Regional - us-east4 March 31, 2024 14:34 — with GitHub Actions Inactive
@brettcurtis brettcurtis marked this pull request as ready for review March 31, 2024 15:12
@brettcurtis brettcurtis requested a review from a user March 31, 2024 15:12

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Review Status

Configuration used: CodeRabbit UI

Commits: Files that changed from the base of the PR and between 7ff729b and ea8f332.
Files selected for processing (9)
  • regional/README.md (2 hunks)
  • regional/main.tf (3 hunks)
  • regional/tfvars/us-east1-non-production.tfvars (1 hunks)
  • regional/tfvars/us-east1-production.tfvars (1 hunks)
  • regional/tfvars/us-east1-sandbox.tfvars (1 hunks)
  • regional/tfvars/us-east4-non-production.tfvars (1 hunks)
  • regional/tfvars/us-east4-production.tfvars (1 hunks)
  • regional/tfvars/us-east4-sandbox.tfvars (1 hunks)
  • regional/variables.tf (2 hunks)
Additional Context Used
Additional comments not posted (13)
regional/variables.tf (1)

21-21: The addition of service_project_number to the subnets variable aligns with the PR objectives to enhance project management and IAM configurations. Ensure that all references to this variable across the Terraform configurations are updated to include this new field.

regional/tfvars/us-east1-sandbox.tfvars (1)

5-26: The addition of new subnets with distinct IP ranges and configurations, including the service_project_number, for the us-east1 region in a sandbox environment is consistent with the PR objectives. Ensure that these configurations are validated against the network architecture to prevent conflicts.

regional/tfvars/us-east4-sandbox.tfvars (1)

5-26: The new subnets for the us-east4 region in a sandbox environment, including distinct IP ranges and service_project_number, align with the PR's goals. Validate these configurations against the network architecture to ensure there are no conflicts.

regional/tfvars/us-east1-production.tfvars (1)

6-27: The updated subnet configurations for the us-east1 region in the production environment, including adjustments to IP ranges and the introduction of service_project_number, are in line with the PR's objectives. It's crucial to validate these changes against the network architecture and production requirements to ensure compatibility and security.

regional/tfvars/us-east4-production.tfvars (1)

6-27: The updates to subnet configurations for the us-east4 region in the production environment, including new IP ranges and service_project_number, align with the PR's goals. Ensure these configurations are thoroughly validated for compatibility and security within the production network architecture.

regional/tfvars/us-east1-non-production.tfvars (1)

6-27: The restructuring of subnets for the us-east1 region in a non-production environment, including unique IP ranges and service_project_number, supports the PR's objectives. Validate these changes against the non-production network architecture to ensure they meet the intended requirements without causing conflicts.

regional/tfvars/us-east4-non-production.tfvars (1)

6-27: The updated subnets for the us-east4 region in a non-production environment, including distinct IP ranges and service_project_number, are consistent with the PR's goals. It's important to validate these configurations against the non-production network architecture to ensure they are appropriate and do not introduce conflicts.

regional/README.md (2)

20-20: The renaming of module_subnet to module_subnets in the documentation accurately reflects the changes made in the Terraform configurations. This helps maintain clarity and consistency in the project documentation.


37-37: The addition of service_project_number to the input_subnets parameter in the documentation is a valuable update that aligns with the PR's objectives to enhance project management and IAM configurations. Ensure that the documentation is kept up-to-date with any further changes to the Terraform configurations.

regional/main.tf (4)

48-54: The renaming of module "subnet" to module "subnets" and the change of the name attribute to each.key are well-aligned with the PR objectives to enhance clarity and manage subnet configurations more effectively. However, ensure that all references to this module throughout the project have been updated to reflect the new name.

Verification successful

The renaming of module "subnet" to module "subnets" has been successfully verified across the project, with no occurrences of the old module name found. This aligns with the PR objectives and ensures consistency in module references.

Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Search for old module name to ensure it's fully replaced.
rg --type tf 'module "subnet"' || echo "No occurrences found, rename successful."

Length of output: 123


71-75: Updating the range_name values in secondary_ip_ranges to "k8s-secondary-services" and "k8s-secondary-pods" improves clarity and aligns with Kubernetes naming conventions. This change should help in distinguishing between services and pods IP ranges more effectively.


85-91: The modification of the for_each directive to use var.subnets and the adjustment of member values to incorporate service_project_number are significant improvements. These changes enhance the granularity and security of IAM role assignments by tying them directly to specific service project numbers. It's crucial to verify that the service_project_number values are correctly populated in the var.subnets variable for all environments and regions to avoid potential IAM misconfigurations.

Verification successful

The review comment is supported by the findings in the Terraform configuration files, indicating that service_project_number is indeed intended to be part of the var.subnets variable and is utilized within the regional/main.tf file. However, verifying that service_project_number is correctly populated for all subnets in all environments and regions would require access to the actual variable assignments (e.g., in a .tfvars file or environment variables), which is beyond the scope of this verification process. Therefore, the code modifications align with the intent to enhance granularity and security of IAM role assignments as mentioned in the review comment.

Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Verify that service_project_number is populated for all subnets.
ast-grep --lang hcl --pattern $'var.subnets {
  $$$
  service_project_number = $_
  $$$
}' || echo "service_project_number is missing in some subnets."

Length of output: 309



Script:

#!/bin/bash
# Search for the pattern 'service_project_number' in the context of 'var.subnets' across all .tf files.
rg "service_project_number" --glob "*.tf" || echo "service_project_number not found in any .tf files."

Length of output: 360


95-101: Similar to the previous IAM member resource, the adjustments here are consistent with the PR's objectives to refine IAM role assignments. It's important to ensure that the service_project_number is correctly used across all subnet configurations to maintain the intended security posture.
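
The two checks the review above leaves open (service_project_number populated for every subnet, and no conflicting IP ranges across environments and regions), as an added example that is not part of the PR, the review, or the repository. It assumes the tfvars files have been decoded to dicts and that all subnets share one VPC network; only service_project_number comes from the page, while the CIDR field names, subnet names and all sample values are constructed.

```python
import ipaddress
from itertools import combinations

# Assumed field names; only service_project_number appears in the PR text.
CIDR_KEYS = ("ip_cidr_range", "master_ipv4_cidr_block",
             "pod_ip_cidr_range", "services_ip_cidr_range")

# Constructed sample: the subnets map of two tfvars files decoded to dicts.
SAMPLE = {
    "us-east1-sandbox": {"fleet-host": {
        "ip_cidr_range": "10.60.0.0/22",
        "master_ipv4_cidr_block": "10.61.0.0/28",
        "pod_ip_cidr_range": "10.62.0.0/17",
        "services_ip_cidr_range": "10.63.0.0/20",
        "service_project_number": "111111111111",
    }},
    "us-east4-sandbox": {"fleet-member": {
        "ip_cidr_range": "10.60.2.0/24",       # inside the us-east1 /22
        "master_ipv4_cidr_block": "10.61.0.16/28",
        "pod_ip_cidr_range": "10.62.128.0/17",
        "services_ip_cidr_range": "10.63.16.0/20",
        "service_project_number": "",          # left unpopulated
    }},
}

def check_subnets(envs):
    """Return (kind, detail) findings for one decoded set of tfvars files."""
    findings, ranges = [], []
    for env, subnets in sorted(envs.items()):
        for name, cfg in sorted(subnets.items()):
            where = f"{env}/{name}"
            # The IAM member value incorporates this number, so an empty or
            # non-numeric one should be caught before it reaches a plan.
            if not str(cfg.get("service_project_number", "")).isdecimal():
                findings.append(("missing_project_number", where))
            for key in CIDR_KEYS:
                if key in cfg:
                    # Strict parsing also rejects CIDRs with host bits set.
                    ranges.append((f"{where}.{key}", ipaddress.ip_network(cfg[key])))
    # Pairwise comparison across every environment and region.
    for (a_id, a), (b_id, b) in combinations(ranges, 2):
        if a.overlaps(b):
            findings.append(("overlap", f"{a_id} <-> {b_id}"))
    return findings

if __name__ == "__main__":
    for kind, detail in check_subnets(SAMPLE):
        print(f"{kind}: {detail}")
```
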

@brettcurtis brettcurtis merged commit 45eacf7 into main Mar 31, 2024
8 checks passed
@brettcurtis brettcurtis deleted the add-ranges branch March 31, 2024 15:28