Skip to content

Commit

Permalink
feat: Set boot_disk_kms_key cluster wide and for cluster_autoscaling (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
CPL-markus authored Jun 13, 2024
1 parent eec38a2 commit 654868e
Show file tree
Hide file tree
Showing 23 changed files with 78 additions and 5 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,7 @@ Then perform the following commands on the root folder:
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br> enabled = bool<br> autoscaling_profile = string<br> min_cpu_cores = number<br> max_cpu_cores = number<br> min_memory_gb = number<br> max_memory_gb = number<br> gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))<br> auto_repair = bool<br> auto_upgrade = bool<br> disk_size = optional(number)<br> disk_type = optional(string)<br> image_type = optional(string)<br> strategy = optional(string)<br> max_surge = optional(number)<br> max_unavailable = optional(number)<br> node_pool_soak_duration = optional(string)<br> batch_soak_duration = optional(string)<br> batch_percentage = optional(number)<br> batch_node_count = optional(number)<br> enable_secure_boot = optional(bool, false)<br> enable_integrity_monitoring = optional(bool, true)<br> })</pre> | <pre>{<br> "auto_repair": true,<br> "auto_upgrade": true,<br> "autoscaling_profile": "BALANCED",<br> "disk_size": 100,<br> "disk_type": "pd-standard",<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": false,<br> "enabled": false,<br> "gpu_resources": [],<br> "image_type": "COS_CONTAINERD",<br> "max_cpu_cores": 0,<br> "max_memory_gb": 0,<br> "min_cpu_cores": 0,<br> "min_memory_gb": 0<br>}</pre> | no |
| cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
| cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
Expand Down
4 changes: 3 additions & 1 deletion autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,8 @@ resource "google_container_cluster" "primary" {
service_account = local.service_account
oauth_scopes = local.node_pools_oauth_scopes["all"]

boot_disk_kms_key = var.boot_disk_kms_key

management {
auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade",true)
Expand Down Expand Up @@ -524,7 +526,7 @@ resource "google_container_cluster" "primary" {
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
{% endif %}

shielded_instance_config {
Expand Down
8 changes: 8 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -413,6 +413,14 @@ variable "service_account_name" {
default = ""
}

{% if autopilot_cluster != true %}
variable "boot_disk_kms_key" {
type = string
description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
default = null
}

{% endif %}
variable "issue_client_certificate" {
type = bool
description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
Expand Down
2 changes: 2 additions & 0 deletions cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" {
service_account = local.service_account
oauth_scopes = local.node_pools_oauth_scopes["all"]

boot_disk_kms_key = var.boot_disk_kms_key

management {
auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
Expand Down
1 change: 1 addition & 0 deletions modules/beta-private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,7 @@ Then perform the following commands on the root folder:
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br> enabled = bool<br> autoscaling_profile = string<br> min_cpu_cores = number<br> max_cpu_cores = number<br> min_memory_gb = number<br> max_memory_gb = number<br> gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))<br> auto_repair = bool<br> auto_upgrade = bool<br> disk_size = optional(number)<br> disk_type = optional(string)<br> image_type = optional(string)<br> strategy = optional(string)<br> max_surge = optional(number)<br> max_unavailable = optional(number)<br> node_pool_soak_duration = optional(string)<br> batch_soak_duration = optional(string)<br> batch_percentage = optional(number)<br> batch_node_count = optional(number)<br> enable_secure_boot = optional(bool, false)<br> enable_integrity_monitoring = optional(bool, true)<br> })</pre> | <pre>{<br> "auto_repair": true,<br> "auto_upgrade": true,<br> "autoscaling_profile": "BALANCED",<br> "disk_size": 100,<br> "disk_type": "pd-standard",<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": false,<br> "enabled": false,<br> "gpu_resources": [],<br> "image_type": "COS_CONTAINERD",<br> "max_cpu_cores": 0,<br> "max_memory_gb": 0,<br> "min_cpu_cores": 0,<br> "min_memory_gb": 0<br>}</pre> | no |
Expand Down
4 changes: 3 additions & 1 deletion modules/beta-private-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
service_account = local.service_account
oauth_scopes = local.node_pools_oauth_scopes["all"]

boot_disk_kms_key = var.boot_disk_kms_key

management {
auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
Expand Down Expand Up @@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,12 @@ variable "service_account_name" {
default = ""
}

variable "boot_disk_kms_key" {
type = string
description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
default = null
}

variable "issue_client_certificate" {
type = bool
description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
Expand Down
1 change: 1 addition & 0 deletions modules/beta-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,7 @@ Then perform the following commands on the root folder:
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br> enabled = bool<br> autoscaling_profile = string<br> min_cpu_cores = number<br> max_cpu_cores = number<br> min_memory_gb = number<br> max_memory_gb = number<br> gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))<br> auto_repair = bool<br> auto_upgrade = bool<br> disk_size = optional(number)<br> disk_type = optional(string)<br> image_type = optional(string)<br> strategy = optional(string)<br> max_surge = optional(number)<br> max_unavailable = optional(number)<br> node_pool_soak_duration = optional(string)<br> batch_soak_duration = optional(string)<br> batch_percentage = optional(number)<br> batch_node_count = optional(number)<br> enable_secure_boot = optional(bool, false)<br> enable_integrity_monitoring = optional(bool, true)<br> })</pre> | <pre>{<br> "auto_repair": true,<br> "auto_upgrade": true,<br> "autoscaling_profile": "BALANCED",<br> "disk_size": 100,<br> "disk_type": "pd-standard",<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": false,<br> "enabled": false,<br> "gpu_resources": [],<br> "image_type": "COS_CONTAINERD",<br> "max_cpu_cores": 0,<br> "max_memory_gb": 0,<br> "min_cpu_cores": 0,<br> "min_memory_gb": 0<br>}</pre> | no |
Expand Down
4 changes: 3 additions & 1 deletion modules/beta-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
service_account = local.service_account
oauth_scopes = local.node_pools_oauth_scopes["all"]

boot_disk_kms_key = var.boot_disk_kms_key

management {
auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
Expand Down Expand Up @@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,12 @@ variable "service_account_name" {
default = ""
}

variable "boot_disk_kms_key" {
type = string
description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
default = null
}

variable "issue_client_certificate" {
type = bool
description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
Expand Down
1 change: 1 addition & 0 deletions modules/beta-public-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ Then perform the following commands on the root folder:
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br> enabled = bool<br> autoscaling_profile = string<br> min_cpu_cores = number<br> max_cpu_cores = number<br> min_memory_gb = number<br> max_memory_gb = number<br> gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))<br> auto_repair = bool<br> auto_upgrade = bool<br> disk_size = optional(number)<br> disk_type = optional(string)<br> image_type = optional(string)<br> strategy = optional(string)<br> max_surge = optional(number)<br> max_unavailable = optional(number)<br> node_pool_soak_duration = optional(string)<br> batch_soak_duration = optional(string)<br> batch_percentage = optional(number)<br> batch_node_count = optional(number)<br> enable_secure_boot = optional(bool, false)<br> enable_integrity_monitoring = optional(bool, true)<br> })</pre> | <pre>{<br> "auto_repair": true,<br> "auto_upgrade": true,<br> "autoscaling_profile": "BALANCED",<br> "disk_size": 100,<br> "disk_type": "pd-standard",<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": false,<br> "enabled": false,<br> "gpu_resources": [],<br> "image_type": "COS_CONTAINERD",<br> "max_cpu_cores": 0,<br> "max_memory_gb": 0,<br> "min_cpu_cores": 0,<br> "min_memory_gb": 0<br>}</pre> | no |
Expand Down
4 changes: 3 additions & 1 deletion modules/beta-public-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
service_account = local.service_account
oauth_scopes = local.node_pools_oauth_scopes["all"]

boot_disk_kms_key = var.boot_disk_kms_key

management {
auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
Expand Down Expand Up @@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-public-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,12 @@ variable "service_account_name" {
default = ""
}

variable "boot_disk_kms_key" {
type = string
description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
default = null
}

variable "issue_client_certificate" {
type = bool
description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
Expand Down
Loading

0 comments on commit 654868e

Please sign in to comment.