Skip to content

Commit

Permalink
feat!: Add protect_config beta feature (#1617)
Browse files Browse the repository at this point in the history
feat!: add protect_config beta feature
  • Loading branch information
NissesSenap authored Jun 6, 2023
1 parent 2fe1715 commit d252579
Show file tree
Hide file tree
Showing 20 changed files with 138 additions and 0 deletions.
7 changes: 7 additions & 0 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -315,6 +315,13 @@ resource "google_container_cluster" "primary" {

{% if beta_cluster %}
networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
{% endif %}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
Expand Down
11 changes: 11 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -530,6 +530,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}
{% endif %}

variable "disable_default_snat" {
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,8 @@ Then perform the following commands on the root folder:
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

## Outputs
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-autopilot-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" {
}

networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
11 changes: 11 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -366,6 +366,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}

variable "disable_default_snat" {
type = bool
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,8 @@ Then perform the following commands on the root folder:
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

## Outputs
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-autopilot-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" {
}

networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
11 changes: 11 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -336,6 +336,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}

variable "disable_default_snat" {
type = bool
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,8 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

## Outputs
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-private-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
datapath_provider = var.datapath_provider

networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
11 changes: 11 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}

variable "disable_default_snat" {
type = bool
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -242,6 +242,8 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

## Outputs
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
datapath_provider = var.datapath_provider

networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
11 changes: 11 additions & 0 deletions modules/beta-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}

variable "disable_default_snat" {
type = bool
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-public-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,8 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

## Outputs
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-public-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
datapath_provider = var.datapath_provider

networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
11 changes: 11 additions & 0 deletions modules/beta-public-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -472,6 +472,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}

variable "disable_default_snat" {
type = bool
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,8 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

## Outputs
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
datapath_provider = var.datapath_provider

networking_mode = "VPC_NATIVE"

protect_config {
workload_config {
audit_mode = var.workload_config_audit_mode
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}
ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
11 changes: 11 additions & 0 deletions modules/beta-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -472,6 +472,17 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}
variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
type = string
default = "DISABLED"
}

variable "disable_default_snat" {
type = bool
Expand Down

0 comments on commit d252579

Please sign in to comment.