diff --git a/README.md b/README.md index 99208648b4..9130ebb172 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o |------|-------------|:----:|:-----:|:-----:| | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | @@ -233,8 +234,10 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. -Note: The correct sequence to update the repo using autogen functionality is the run `make generate && make generate_docs`. This -will create the various Terraform files, and then generate the Terraform documentation using `terraform-docs`. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. ## Testing diff --git a/autogen/README.md b/autogen/README.md index 77c45feee6..775c12b429 100644 --- a/autogen/README.md +++ b/autogen/README.md 
@@ -182,6 +182,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index bf7d39be3f..e9ff964931 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf @@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" { description = "${var.description}" project = "${var.project_id}" - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + region = "${var.region}" + node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -74,6 +74,7 @@ resource "google_container_cluster" "primary" { disabled = "${var.network_policy ? 0 : 1}" } {% if beta_cluster %} + istio_config { disabled = "${var.istio ? 0 : 1}" } 
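Review bot: `cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"` is set unconditionally on the resource in the `@@ -26` hunk of autogen/cluster_regional.tf, but in the google provider that attribute is only honoured for routes-based clusters and is declared as conflicting with `ip_allocation_policy`; the resource body continues past this hunk, so whether an `ip_allocation_policy` block is also present cannot be confirmed here, and if it is, a non-empty value would be rejected rather than ignored. It is worth verifying that the empty-string default does not trip that conflict check under Terraform 0.11 when `ip_allocation_policy` is set. The attribute is also ForceNew in the provider, so I would add `# Only honoured for routes-based clusters; changing it recreates the cluster` above the new line. The same hunk is repeated in autogen/cluster_zonal.tf and in the generated cluster_regional.tf/cluster_zonal.tf copies under the root and the beta-private-cluster and beta-public-cluster modules.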
@@ -114,12 +115,14 @@ resource "google_container_cluster" "primary" { } } {% if private_cluster %} + private_cluster_config { enable_private_endpoint = "${var.enable_private_endpoint}" enable_private_nodes = "${var.enable_private_nodes}" master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" } {% endif %} + remove_default_node_pool = "${var.remove_default_node_pool}" {% if beta_cluster %} database_encryption = ["${var.database_encryption}"] diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index d86342e1cc..f899035a0d 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf @@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" { description = "${var.description}" project = "${var.project_id}" - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + zone = "${var.zones[0]}" + node_locations = ["${slice(var.zones,1,length(var.zones))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -74,6 +74,7 @@ resource "google_container_cluster" "zonal_primary" { disabled = "${var.network_policy ? 0 : 1}" } {% if beta_cluster %} + istio_config { disabled = "${var.istio ? 0 : 1}" } @@ -114,12 +115,14 @@ resource "google_container_cluster" "zonal_primary" { } } {% if private_cluster %} + private_cluster_config { enable_private_endpoint = "${var.enable_private_endpoint}" enable_private_nodes = "${var.enable_private_nodes}" master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" } {% endif %} + remove_default_node_pool = "${var.remove_default_node_pool}" {% if beta_cluster %} database_encryption = ["${var.database_encryption}"] 
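Review bot: `remove_default_node_pool = "${var.remove_default_node_pool}"` is added to the resource in the `@@ -114` hunks of autogen/cluster_regional.tf and autogen/cluster_zonal.tf, but no variables.tf hunk in this diff declares `remove_default_node_pool`, so the template only renders if that variable already exists in autogen/variables.tf — please confirm. The resource body starts before this hunk, so it is also worth confirming the attribute is not already set earlier in the block. If the variable is new to the module, the README variable tables updated in this commit should gain a row for it as well.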
diff --git a/autogen/main.tf b/autogen/main.tf
index ba8bb1c329..9d0f2ab9c8 100644
--- a/autogen/main.tf
+++ b/autogen/main.tf
@@ -163,21 +163,19 @@ locals { cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" - # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - + cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" + cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" + cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" + cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" + cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" + cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" + cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" + cluster_min_master_version = 
"${local.cluster_type_output_min_master_version[local.cluster_type]}" + cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" + cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" + cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" + cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" diff --git a/autogen/outputs.tf b/autogen/outputs.tf index 891b49a880..1c33f8236e 100644 --- a/autogen/outputs.tf +++ b/autogen/outputs.tf @@ -112,8 +112,8 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } - {% if beta_cluster %} + output "istio_enabled" { description = "Whether Istio is enabled" value = "${local.cluster_istio_enabled}" @@ -124,8 +124,8 @@ output "cloudrun_enabled" { value = "${local.cluster_cloudrun_enabled}" } {% endif %} - {% if private_cluster %} + output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = "${local.cluster_pod_security_policy_enabled}" diff --git a/autogen/variables.tf b/autogen/variables.tf index e1d1f50ee1..1bc3d3d89e 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf 
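Review bot: The `# cluster locals` comment is removed from the template in the autogen/main.tf hunk (it is on a `-` line and is not re-added), whereas the corresponding hunks in main.tf and in both module main.tf files keep it as a context line, so the next `make generate` will silently drop the comment from the generated files and diverge from what this commit checks in. Keep the line `# cluster locals` in the template above the realigned block. The `locals` block starts before this hunk and continues after it.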
@@ -251,8 +251,8 @@ variable "service_account" { description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created." default = "create" } - {% if private_cluster %} + variable "deploy_using_private_endpoint" { description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment." default = "false" @@ -273,8 +273,8 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } {% endif %} - {% if beta_cluster %} + variable "istio" { description = "(Beta) Enable Istio addon" default = false @@ -315,3 +315,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} diff --git a/cluster_regional.tf b/cluster_regional.tf index 3cc1af3d5b..124fd8b21b 100644 --- a/cluster_regional.tf +++ b/cluster_regional.tf 
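Review bot: The new `variable "cluster_ipv4_cidr"` in the `@@ -315` hunk of autogen/variables.tf does not document what the provider actually accepts — a CIDR block that is only used for routes-based clusters, conflicts with `ip_allocation_policy`, must not overlap the subnetwork or control-plane ranges, and recreates the cluster when changed — while the neighbouring `issue_client_certificate` variable documents exactly that kind of destructive change. Suggest `description = "The IP address range of the kubernetes pods in this cluster, in CIDR notation. Only used for routes-based clusters (conflicts with ip_allocation_policy); must not overlap the subnetwork or master ranges. Default is an automatically assigned CIDR. WARNING: changing this after cluster creation is destructive!"`. As a point of style, the block lists `default` before `description`, the opposite order from every other variable visible in this file. The same block is added to modules/beta-private-cluster/variables.tf and modules/beta-public-cluster/variables.tf, and the README rows added in this commit would need regenerating with `make generate_docs` once the description changes.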
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" { description = "${var.description}" project = "${var.project_id}" - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + region = "${var.region}" + node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -100,6 +100,7 @@ resource "google_container_cluster" "primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + remove_default_node_pool = "${var.remove_default_node_pool}" } diff --git a/cluster_zonal.tf b/cluster_zonal.tf index 5ab108cfa2..5f3735857e 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf @@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" { description = "${var.description}" project = "${var.project_id}" - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + zone = "${var.zones[0]}" + node_locations = ["${slice(var.zones,1,length(var.zones))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -100,6 +100,7 @@ resource "google_container_cluster" "zonal_primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + remove_default_node_pool = "${var.remove_default_node_pool}" } 
diff --git a/main.tf b/main.tf
index e96d301c43..0b88544f21 100644
--- a/main.tf
+++ b/main.tf
@@ -128,19 +128,18 @@ locals { cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - + cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" + cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" + cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" + cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" + cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" + cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" + cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" + cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" + cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" + 
cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" + cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" + cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 82d93ff45f..00eb0bfb9b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -124,6 +124,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | | database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no | | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | | description | The description of the cluster | string | `""` | no | @@ -252,6 +253,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements diff --git a/modules/beta-private-cluster/cluster_regional.tf b/modules/beta-private-cluster/cluster_regional.tf index af580bf57e..39c4e3a899 100644 --- a/modules/beta-private-cluster/cluster_regional.tf +++ b/modules/beta-private-cluster/cluster_regional.tf 
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" { description = "${var.description}" project = "${var.project_id}" - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + region = "${var.region}" + node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -71,6 +71,7 @@ resource "google_container_cluster" "primary" { network_policy_config { disabled = "${var.network_policy ? 0 : 1}" } + istio_config { disabled = "${var.istio ? 0 : 1}" } @@ -109,11 +110,13 @@ resource "google_container_cluster" "primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + private_cluster_config { enable_private_endpoint = "${var.enable_private_endpoint}" enable_private_nodes = "${var.enable_private_nodes}" master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" } + remove_default_node_pool = "${var.remove_default_node_pool}" database_encryption = ["${var.database_encryption}"] } diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf index bdac00bd0c..95697ce5b2 100644 --- a/modules/beta-private-cluster/cluster_zonal.tf +++ b/modules/beta-private-cluster/cluster_zonal.tf 
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" { description = "${var.description}" project = "${var.project_id}" - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + zone = "${var.zones[0]}" + node_locations = ["${slice(var.zones,1,length(var.zones))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -71,6 +71,7 @@ resource "google_container_cluster" "zonal_primary" { network_policy_config { disabled = "${var.network_policy ? 0 : 1}" } + istio_config { disabled = "${var.istio ? 0 : 1}" } @@ -109,11 +110,13 @@ resource "google_container_cluster" "zonal_primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + private_cluster_config { enable_private_endpoint = "${var.enable_private_endpoint}" enable_private_nodes = "${var.enable_private_nodes}" master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" } + remove_default_node_pool = "${var.remove_default_node_pool}" database_encryption = ["${var.database_encryption}"] } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 1694ce6007..f9ebd7f70a 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -151,18 +151,18 @@ locals { cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" + cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" + cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" + cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" + cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" + cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" + cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" + cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" + cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" + cluster_logging_service = 
"${local.cluster_type_output_logging_service[local.cluster_type]}" + cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" + cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" + cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index c435ddf265..398a6bd871 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -311,3 +311,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 30e8978bf4..1e96939fb9 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -119,6 +119,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | | database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | @@ -240,6 +241,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf index 438efff015..ad92b21d6e 100644 --- a/modules/beta-public-cluster/cluster_regional.tf +++ b/modules/beta-public-cluster/cluster_regional.tf 
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" { description = "${var.description}" project = "${var.project_id}" - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + region = "${var.region}" + node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -69,6 +69,7 @@ resource "google_container_cluster" "primary" { network_policy_config { disabled = "${var.network_policy ? 0 : 1}" } + istio_config { disabled = "${var.istio ? 0 : 1}" } @@ -107,6 +108,7 @@ resource "google_container_cluster" "primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + remove_default_node_pool = "${var.remove_default_node_pool}" database_encryption = ["${var.database_encryption}"] } diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf index d04c5b4d3e..936c569c5a 100644 --- a/modules/beta-public-cluster/cluster_zonal.tf +++ b/modules/beta-public-cluster/cluster_zonal.tf 
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" { description = "${var.description}" project = "${var.project_id}" - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + zone = "${var.zones[0]}" + node_locations = ["${slice(var.zones,1,length(var.zones))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -69,6 +69,7 @@ resource "google_container_cluster" "zonal_primary" { network_policy_config { disabled = "${var.network_policy ? 0 : 1}" } + istio_config { disabled = "${var.istio ? 0 : 1}" } @@ -107,6 +108,7 @@ resource "google_container_cluster" "zonal_primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + remove_default_node_pool = "${var.remove_default_node_pool}" database_encryption = ["${var.database_encryption}"] } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 413da4e26c..83f4865b38 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -138,18 +138,18 @@ locals { cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" + cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" + cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" + cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" + cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" + cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" + cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" + cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" + cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" + cluster_logging_service = 
"${local.cluster_type_output_logging_service[local.cluster_type]}" + cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" + cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" + cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 548ca02749..eb24b144e3 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -122,4 +122,3 @@ output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = "${local.cluster_cloudrun_enabled}" } - diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 858b73ae87..a6ce0884ea 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -278,3 +278,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} 
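Review bot: The new `cluster_ipv4_cidr` variable in the variables.tf hunk copies the provider's description verbatim and omits the operational caveat that the adjacent `issue_client_certificate` variable spells out: on `google_container_cluster` this field is ForceNew, so editing it after creation replaces the cluster and every node pool in it. Suggested description: `The IP address range of the kubernetes pods in this cluster (routes-based clusters only; leave empty for a GKE-assigned CIDR). WARNING: changing this after cluster creation recreates the cluster.` The module appears to target Terraform 0.11 syntax (`"${var...}"` interpolation throughout), which has no variable `validation` block, so the description is the only guard a caller gets before the provider rejects a malformed or overlapping CIDR at plan time; a pod range that overlaps a peered or on-prem network is a routing and firewall-policy problem that is expensive to discover post-creation. The same text is duplicated into the README input table, so the doc table should be regenerated via `make generate_docs` once the wording changes.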
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 0f173c16d6..3bc7d89eb0 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -121,6 +121,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o |------|-------------|:----:|:-----:|:-----:| | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | @@ -245,6 +246,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 5c0818a904..a2c8fcf10d 100644 --- a/modules/private-cluster/cluster_regional.tf 
+++ b/modules/private-cluster/cluster_regional.tf @@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" { description = "${var.description}" project = "${var.project_id}" - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + region = "${var.region}" + node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -102,11 +102,13 @@ resource "google_container_cluster" "primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + private_cluster_config { enable_private_endpoint = "${var.enable_private_endpoint}" enable_private_nodes = "${var.enable_private_nodes}" master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" } + remove_default_node_pool = "${var.remove_default_node_pool}" } diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 39fbcb6098..1a824110df 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf 
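Review bot: Exposing `cluster_ipv4_cidr` on the private-cluster resource looks inconsistent with the `private_cluster_config { enable_private_nodes = ... }` block later in the same file: GKE requires private clusters to be VPC-native, which the provider configures through `ip_allocation_policy`, and the provider documents `cluster_ipv4_cidr` as conflicting with that block. If this module already sets `ip_allocation_policy` (not visible in this hunk, so unconfirmed), a non-empty value will fail at plan time and the empty default is a no-op, making the new input either dead or a trap for callers who expect it to pick the pod range. Either omit the attribute from the private-cluster variants, or annotate it: `# Only meaningful for routes-based clusters; private clusters are VPC-native and take their pod range from ip_allocation_policy.` The rest of the `google_container_cluster` resource body lies outside this hunk.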
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" { description = "${var.description}" project = "${var.project_id}" - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] - - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + zone = "${var.zones[0]}" + node_locations = ["${slice(var.zones,1,length(var.zones))}"] + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -102,11 +102,13 @@ resource "google_container_cluster" "zonal_primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + private_cluster_config { enable_private_endpoint = "${var.enable_private_endpoint}" enable_private_nodes = "${var.enable_private_nodes}" master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}" } + remove_default_node_pool = "${var.remove_default_node_pool}" } diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 95e28ae4b3..ecb267e9ce 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -142,19 +142,18 @@ locals { cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - + cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" + cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" + cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" + cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" + cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" + cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" + cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" + cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" + cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" + 
cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" + cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" + cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 7e31d6dcad..0cda908649 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -113,7 +113,6 @@ output "service_account" { value = "${local.service_account}" } - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = "${local.cluster_pod_security_policy_enabled}" diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 9d6b123ac8..85b8b7a59b 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -284,3 +284,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} diff --git a/outputs.tf b/outputs.tf index aed604e3e6..6b9d5895ab 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -112,5 +112,3 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } - - diff --git a/variables.tf b/variables.tf index 70af17bd71..a415672e88 100644 --- a/variables.tf +++ b/variables.tf @@ -237,8 +237,6 @@ variable "service_account" { default = "create" } - - variable "basic_auth_username" { description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." default = "" @@ -253,3 +251,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +}