From e51ec0624d6ff66ba8edc8f5b2d45a6d6b98a996 Mon Sep 17 00:00:00 2001 From: Martin Whittington Date: Wed, 26 Jun 2019 09:48:50 +0100 Subject: [PATCH 1/7] Adding cluster_ipv4_cidr parameter --- autogen/cluster_regional.tf | 2 +- autogen/cluster_zonal.tf | 2 +- autogen/variables.tf | 5 +++++ cluster_regional.tf | 2 +- cluster_zonal.tf | 2 +- modules/beta-private-cluster/cluster_regional.tf | 2 +- modules/beta-private-cluster/cluster_zonal.tf | 2 +- modules/beta-private-cluster/variables.tf | 5 +++++ modules/beta-public-cluster/cluster_regional.tf | 2 +- modules/beta-public-cluster/cluster_zonal.tf | 2 +- modules/beta-public-cluster/variables.tf | 5 +++++ modules/private-cluster/cluster_regional.tf | 2 +- modules/private-cluster/cluster_zonal.tf | 2 +- modules/private-cluster/variables.tf | 5 +++++ 14 files changed, 30 insertions(+), 10 deletions(-) diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index bf7d39be3f..44e64047b0 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index d86342e1cc..3686ee3a71 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { 
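Review bot: The new `cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"` line in the `google_container_cluster.primary` hunk (and the matching `zonal_primary` hunk, plus the same pair in the root, modules/beta-private-cluster, modules/beta-public-cluster and modules/private-cluster copies later in this patch) is set unconditionally, but the provider documents this attribute as effective only for routes-based clusters where `ip_allocation_policy` is not defined, and this module's required `ip_range_pods` input (a named secondary range, per the README table in this series) indicates the clusters are VPC-native. Confirm on a fresh plan/apply that the API accepts the attribute alongside `ip_allocation_policy` and that the empty default is really treated as unset, otherwise the input is either silently ignored or rejected at create time. If it is meant for routes-based use only, the description should say so and the module should document that it is mutually exclusive with the pod secondary range. The resource block continues outside the hunk on both sides, so the `ip_allocation_policy` block itself is not visible here.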
diff --git a/autogen/variables.tf b/autogen/variables.tf index e1d1f50ee1..f5a6c9f823 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -315,3 +315,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} diff --git a/cluster_regional.tf b/cluster_regional.tf index 3cc1af3d5b..3e1c78c87c 100644 --- a/cluster_regional.tf +++ b/cluster_regional.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/cluster_zonal.tf b/cluster_zonal.tf index 5ab108cfa2..b37b8c3ff5 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/beta-private-cluster/cluster_regional.tf b/modules/beta-private-cluster/cluster_regional.tf index af580bf57e..f373d9a699 100644 --- a/modules/beta-private-cluster/cluster_regional.tf +++ b/modules/beta-private-cluster/cluster_regional.tf 
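Review bot: The description of the added `variable "cluster_ipv4_cidr"` block omits the replacement warning that the neighbouring inputs carry, even though changing the pod CIDR on `google_container_cluster` forces the cluster to be destroyed and recreated; the same applies to the copies in modules/beta-private-cluster, modules/beta-public-cluster and modules/private-cluster in this patch and to the root variables.tf in PATCH 2/7. Match the style of `issue_client_certificate` directly above it: `description = "The IP address range of the Kubernetes pods in this cluster. Default is an automatically assigned CIDR. WARNING: changing this after cluster creation is destructive!"`. Since the generated README tables are derived from these descriptions, the warning will then also reach module users who never read the .tf files.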
@@ -28,7 +28,7 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf index bdac00bd0c..3adbeadddb 100644 --- a/modules/beta-private-cluster/cluster_zonal.tf +++ b/modules/beta-private-cluster/cluster_zonal.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index c435ddf265..4d8963225b 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -311,3 +311,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} \ No newline at end of file diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf index 438efff015..e67c9d1766 100644 --- a/modules/beta-public-cluster/cluster_regional.tf 
+++ b/modules/beta-public-cluster/cluster_regional.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf index d04c5b4d3e..c1c722f084 100644 --- a/modules/beta-public-cluster/cluster_zonal.tf +++ b/modules/beta-public-cluster/cluster_zonal.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 858b73ae87..a6ce0884ea 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -278,3 +278,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 5c0818a904..80465b866f 100644 --- a/modules/private-cluster/cluster_regional.tf 
+++ b/modules/private-cluster/cluster_regional.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 39fbcb6098..4849b50c04 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf @@ -28,7 +28,7 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - + cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 9d6b123ac8..85b8b7a59b 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -284,3 +284,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} From fed3b026ca04bccab639b27f0e099fe397c9006c Mon Sep 17 00:00:00 2001 
From: Martin Whittington Date: Wed, 26 Jun 2019 09:50:41 +0100 Subject: [PATCH 2/7] Adding cluster_ipv4_cidr parameter --- README.md | 1 + variables.tf | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index 99208648b4..957858a126 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o |------|-------------|:----:|:-----:|:-----:| | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | diff --git a/variables.tf b/variables.tf index 70af17bd71..7e47982e1e 100644 --- a/variables.tf +++ b/variables.tf @@ -253,3 +253,8 @@ variable "issue_client_certificate" { description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = "false" } + +variable "cluster_ipv4_cidr" { + default = "" + description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." +} From c674f93dbe0bcffa964c77aa6dff3b4e4ea0fdf1 Mon Sep 17 00:00:00 2001 
From: Martin Whittington Date: Wed, 26 Jun 2019 10:05:09 +0100 Subject: [PATCH 3/7] Adding cluster_ipv4_cidr parameter --- README.md | 73 -------------------- modules/beta-private-cluster/README.md | 81 ----------------------- modules/beta-private-cluster/variables.tf | 2 +- modules/beta-public-cluster/README.md | 74 --------------------- modules/private-cluster/README.md | 76 --------------------- 5 files changed, 1 insertion(+), 305 deletions(-) diff --git a/README.md b/README.md index 957858a126..7a7f1e92c0 100644 --- a/README.md +++ b/README.md 
@@ -109,76 +109,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster. [^]: (autogen_docs_start) - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. 
To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no | -| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | -| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_pools | List of maps containing node pools | list | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | -| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
| list | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (required) | string | n/a | yes | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools 
versions | -| region | Cluster region | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| zones | List of zones in which the cluster resides | - [^]: (autogen_docs_end) ## Requirements @@ -234,9 +164,6 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. -Note: The correct sequence to update the repo using autogen functionality is the run `make generate && make generate_docs`. This -will create the various Terraform files, and then generate the Terraform documentation using `terraform-docs`. - ## Testing ### Requirements diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 82d93ff45f..b0a2d8c176 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -116,87 +116,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster. [^]: (autogen_docs_start) - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | -| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | -| database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no | -| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. 
| string | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | -| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no | -| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | -| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. 
Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | -| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_pools | List of maps containing node pools | list | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | -| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. 
| string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (required) | string | n/a | yes | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| istio\_enabled | Whether Istio is enabled | -| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| 
master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| zones | List of zones in which the cluster resides | - [^]: (autogen_docs_end) ## Requirements diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 4d8963225b..398a6bd871 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -315,4 +315,4 @@ variable "issue_client_certificate" { variable "cluster_ipv4_cidr" { default = "" description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." -} \ No newline at end of file +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 30e8978bf4..f8a0ef16f7 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -111,80 +111,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l
 In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
 [^]: (autogen_docs_start)
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
-| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
-| database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no |
-| description | The description of the cluster | string | `""` | no |
-| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
-| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
-| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
-| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
-| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. 
| string | `"60s"` | no |
-| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
-| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
-| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
-| istio | (Beta) Enable Istio addon | string | `"false"` | no |
-| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
-| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
-| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
-| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no |
-| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
-| name | The name of the cluster (required) | string | n/a | yes |
-| network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | string | `"false"` | no |
-| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
-| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_pools | List of maps containing node pools | list | `` | no |
-| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no |
-| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no |
-| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no |
-| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no |
-| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
-| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
| list | `` | no |
-| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
-| region | The region to host the cluster in (required) | string | n/a | yes |
-| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
-| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
-| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no |
-| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
-| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| ca\_certificate | Cluster ca certificate (base64 encoded) |
-| cloudrun\_enabled | Whether CloudRun enabled |
-| endpoint | Cluster endpoint |
-| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
-| http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| istio\_enabled | Whether Istio is enabled |
-| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
-| location | Cluster location (region if regional cluster, zone if zonal cluster) |
-| logging\_service | Logging service used |
-| master\_authorized\_networks\_config | Networks from which access to master is permitted |
-| master\_version | Current master kubernetes version |
-| min\_master\_version | Minimum master kubernetes version |
-| monitoring\_service | Monitoring service used |
-| name | Cluster name |
-| network\_policy\_enabled | Whether network policy enabled |
-| 
node\_pools\_names | List of node pools names |
-| node\_pools\_versions | List of node pools versions |
-| region | Cluster region |
-| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
-| type | Cluster type (regional / zonal) |
-| zones | List of zones in which the cluster resides |
-
 [^]: (autogen_docs_end)
 ## Requirements
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 0f173c16d6..7c83cbd35b 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -114,82 +114,6 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l
 In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
 [^]: (autogen_docs_start)
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
-| description | The description of the cluster | string | `""` | no |
-| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
-| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
-| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
-| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
-| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
-| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. 
| string | `"60s"` | no |
-| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
-| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
-| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
-| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
-| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
-| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
-| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no |
-| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
-| name | The name of the cluster (required) | string | n/a | yes |
-| network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | string | `"false"` | no |
-| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
-| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_pools | List of maps containing node pools | list | `` | no |
-| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no |
-| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no |
-| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no |
-| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no |
-| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. 
| string | `""` | no |
-| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no |
-| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
-| region | The region to host the cluster in (required) | string | n/a | yes |
-| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
-| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
-| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
-| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no |
-| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
-| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| ca\_certificate | Cluster ca certificate (base64 encoded) |
-| endpoint | Cluster endpoint |
-| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
-| http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
-| location | Cluster location (region if regional cluster, zone if zonal cluster) |
-| logging\_service | Logging service used |
-| master\_authorized\_networks\_config | Networks from which access to master is permitted |
-| 
master\_version | Current master kubernetes version |
-| min\_master\_version | Minimum master kubernetes version |
-| monitoring\_service | Monitoring service used |
-| name | Cluster name |
-| network\_policy\_enabled | Whether network policy enabled |
-| node\_pools\_names | List of node pools names |
-| node\_pools\_versions | List of node pools versions |
-| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
-| region | Cluster region |
-| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
-| type | Cluster type (regional / zonal) |
-| zones | List of zones in which the cluster resides |
-
 [^]: (autogen_docs_end)
 ## Requirements
From dc3602bb6fb138ff1534850cb398b2ee2d36b088 Mon Sep 17 00:00:00 2001
From: Martin Whittington
Date: Wed, 26 Jun 2019 10:06:32 +0100
Subject: [PATCH 4/7] Adding cluster_ipv4_cidr parameter
---
 README.md | 70 ++++++++++++++++++++++
 modules/beta-private-cluster/README.md | 82 ++++++++++++++++++++++++++
 modules/beta-public-cluster/README.md | 75 +++++++++++++++++++++++
 modules/private-cluster/README.md | 77 ++++++++++++++++++++++++
 4 files changed, 304 insertions(+)
diff --git a/README.md b/README.md
index 7a7f1e92c0..2d67693b64 100644
--- a/README.md
+++ b/README.md
@@ -109,6 +109,76 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l
 In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
 [^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
+| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no |
+| description | The description of the cluster | string | `""` | no |
+| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
+| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
+| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
+| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
+| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
+| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
+| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. 
To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
+| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
+| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
+| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
+| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no |
+| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
+| name | The name of the cluster (required) | string | n/a | yes |
+| network | The VPC network to host the cluster in (required) | string | n/a | yes |
+| network\_policy | Enable network policy addon | string | `"false"` | no |
+| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
+| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_pools | List of maps containing node pools | list | `` | no |
+| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no |
+| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no |
+| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no |
+| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no |
+| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no |
+| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
+| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
| list | `` | no |
+| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
+| region | The region to host the cluster in (required) | string | n/a | yes |
+| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
+| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
+| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
+| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no |
+| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
+| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | Cluster ca certificate (base64 encoded) |
+| endpoint | Cluster endpoint |
+| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
+| http\_load\_balancing\_enabled | Whether http load balancing enabled |
+| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
+| location | Cluster location (region if regional cluster, zone if zonal cluster) |
+| logging\_service | Logging service used |
+| master\_authorized\_networks\_config | Networks from which access to master is permitted |
+| master\_version | Current master kubernetes version |
+| min\_master\_version | Minimum master kubernetes version |
+| monitoring\_service | Monitoring service used |
+| name | Cluster name |
+| network\_policy\_enabled | Whether network policy enabled |
+| node\_pools\_names | List of node pools names |
+| node\_pools\_versions | List of node pools 
versions |
+| region | Cluster region |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| type | Cluster type (regional / zonal) |
+| zones | List of zones in which the cluster resides |
+
 [^]: (autogen_docs_end)
 ## Requirements
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index b0a2d8c176..ed9c02c795 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -116,6 +116,88 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l
 In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
 [^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
+| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
+| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no |
+| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
+| description | The description of the cluster | string | `""` | no |
+| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. 
| string | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
+| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
+| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
+| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
+| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
+| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
+| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
+| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
+| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
+| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no |
+| istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
+| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
+| logging\_service | The logging service that the cluster should write logs to. 
Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
+| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no |
+| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no |
+| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
+| name | The name of the cluster (required) | string | n/a | yes |
+| network | The VPC network to host the cluster in (required) | string | n/a | yes |
+| network\_policy | Enable network policy addon | string | `"false"` | no |
+| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
+| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_pools | List of maps containing node pools | list | `` | no |
+| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no |
+| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no |
+| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no |
+| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no |
+| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no |
+| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. 
| string | `""` | no |
+| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no |
+| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no |
+| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
+| region | The region to host the cluster in (required) | string | n/a | yes |
+| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
+| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
+| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
+| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no |
+| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
+| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | Cluster ca certificate (base64 encoded) |
+| cloudrun\_enabled | Whether CloudRun enabled |
+| endpoint | Cluster endpoint |
+| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
+| http\_load\_balancing\_enabled | Whether http load balancing enabled |
+| istio\_enabled | Whether Istio is enabled |
+| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
+| location | Cluster location (region if regional cluster, zone if zonal cluster) |
+| logging\_service | Logging service used |
+| 
master\_authorized\_networks\_config | Networks from which access to master is permitted |
+| master\_version | Current master kubernetes version |
+| min\_master\_version | Minimum master kubernetes version |
+| monitoring\_service | Monitoring service used |
+| name | Cluster name |
+| network\_policy\_enabled | Whether network policy enabled |
+| node\_pools\_names | List of node pools names |
+| node\_pools\_versions | List of node pools versions |
+| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
+| region | Cluster region |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| type | Cluster type (regional / zonal) |
+| zones | List of zones in which the cluster resides |
+
 [^]: (autogen_docs_end)
 ## Requirements
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index f8a0ef16f7..a3981efb62 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -111,6 +111,81 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster. [^]: (autogen_docs_start) + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | +| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | +| database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no | +| description | The description of the cluster | string | `""` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | +| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. 
| string | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no | +| istio | (Beta) Enable Istio addon | string | `"false"` | no | +| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | +| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | +| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | +| name | The name of the cluster (required) | string | n/a | yes | +| network | The VPC network to host the cluster in (required) | string | n/a | yes | +| network\_policy | Enable network policy addon | string | `"false"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | +| node\_pools | List of maps containing node pools | list | `` | no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | +| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
| list | `` | no | +| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | +| region | The region to host the cluster in (required) | string | n/a | yes | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | +| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| cloudrun\_enabled | Whether CloudRun enabled | +| endpoint | Cluster endpoint | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| istio\_enabled | Whether Istio is enabled | +| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| master\_version | Current master kubernetes version | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| 
node\_pools\_names | List of node pools names | +| node\_pools\_versions | List of node pools versions | +| region | Cluster region | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| type | Cluster type (regional / zonal) | +| zones | List of zones in which the cluster resides | + [^]: (autogen_docs_end) ## Requirements diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 7c83cbd35b..8f48f59b7a 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -114,6 +114,83 @@ Version 1.0.0 of this module introduces a breaking change: adding the `disable-l In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster. [^]: (autogen_docs_start) + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | +| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `""` | no | +| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | +| description | The description of the cluster | string | `""` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | +| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no | +| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | +| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). 
| string | `"false"` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | string | `"false"` | no | +| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no | +| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | +| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)

### example format ### master_authorized_networks_config = [{ cidr_blocks = [{ cidr_block = "10.0.0.0/8" display_name = "example_network" }], }] | list | `` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | +| name | The name of the cluster (required) | string | n/a | yes | +| network | The VPC network to host the cluster in (required) | string | n/a | yes | +| network\_policy | Enable network policy addon | string | `"false"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | +| node\_pools | List of maps containing node pools | list | `` | no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `` | no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map | `` | no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `` | no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | +| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. 
| string | `""` | no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | +| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | +| region | The region to host the cluster in (required) | string | n/a | yes | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `` | no | +| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| endpoint | Cluster endpoint | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| 
master\_version | Current master kubernetes version | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_names | List of node pools names | +| node\_pools\_versions | List of node pools versions | +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | +| region | Cluster region | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| type | Cluster type (regional / zonal) | +| zones | List of zones in which the cluster resides | + [^]: (autogen_docs_end) ## Requirements From 6bc917c44ba9271a5a5caf553d2d9358585e2619 Mon Sep 17 00:00:00 2001 From: Aaron Lane Date: Wed, 26 Jun 2019 09:58:13 -0400 Subject: [PATCH 5/7] Add removed autogen note to README template --- autogen/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/autogen/README.md b/autogen/README.md index 77c45feee6..775c12b429 100644 --- a/autogen/README.md +++ b/autogen/README.md @@ -182,6 +182,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements From a9613ef2f6fd74fbea2861b97783dcbd471eaa7d Mon Sep 17 00:00:00 2001 
From: Aaron Lane
Date: Wed, 26 Jun 2019 10:23:30 -0400
Subject: [PATCH 6/7] Fix autogen formatting
---
 autogen/cluster_regional.tf | 9 ++++++---
 autogen/cluster_zonal.tf | 9 ++++++---
 autogen/main.tf | 26 ++++++++++++--------------
 autogen/outputs.tf | 4 ++--
 autogen/variables.tf | 4 ++--
 5 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
index 44e64047b0..e9ff964931 100644
--- a/autogen/cluster_regional.tf
+++ b/autogen/cluster_regional.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- region = "${var.region}"
- node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
+ region = "${var.region}"
+ node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -74,6 +74,7 @@ resource "google_container_cluster" "primary" {
 disabled = "${var.network_policy ? 0 : 1}"
 }
 {% if beta_cluster %}
+
 istio_config {
 disabled = "${var.istio ? 0 : 1}"
 }
@@ -114,12 +115,14 @@ resource "google_container_cluster" "primary" {
 }
 }
 {% if private_cluster %}
+
 private_cluster_config {
 enable_private_endpoint = "${var.enable_private_endpoint}"
 enable_private_nodes = "${var.enable_private_nodes}"
 master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 }
 {% endif %}
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 {% if beta_cluster %}
 database_encryption = ["${var.database_encryption}"]
diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
index 3686ee3a71..f899035a0d 100644
--- a/autogen/cluster_zonal.tf
+++ b/autogen/cluster_zonal.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- zone = "${var.zones[0]}"
- node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+ zone = "${var.zones[0]}"
+ node_locations = ["${slice(var.zones,1,length(var.zones))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -74,6 +74,7 @@ resource "google_container_cluster" "zonal_primary" {
 disabled = "${var.network_policy ? 0 : 1}"
 }
 {% if beta_cluster %}
+
 istio_config {
 disabled = "${var.istio ? 0 : 1}"
 }
@@ -114,12 +115,14 @@ resource "google_container_cluster" "zonal_primary" {
 }
 }
 {% if private_cluster %}
+
 private_cluster_config {
 enable_private_endpoint = "${var.enable_private_endpoint}"
 enable_private_nodes = "${var.enable_private_nodes}"
 master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 }
 {% endif %}
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 {% if beta_cluster %}
 database_encryption = ["${var.database_encryption}"]
diff --git a/autogen/main.tf b/autogen/main.tf
index ba8bb1c329..9d0f2ab9c8 100644
--- a/autogen/main.tf
+++ b/autogen/main.tf
@@ -163,21 +163,19 @@ locals {
 cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}"
 cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
 cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}"
- # cluster locals
- cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
- cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
- cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
- cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
- cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
- cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
- cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
- cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
- cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
- cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
- cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
- cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
-
+ cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
+ cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
+ cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
+ cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
+ cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
+ cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
+ cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
+ cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
+ cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
+ cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
+ cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
+ cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
 cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
diff --git a/autogen/outputs.tf b/autogen/outputs.tf
index 891b49a880..1c33f8236e 100644
--- a/autogen/outputs.tf
+++ b/autogen/outputs.tf
@@ -112,8 +112,8 @@ output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
 value = "${local.service_account}"
 }
-
 {% if beta_cluster %}
+
 output "istio_enabled" {
 description = "Whether Istio is enabled"
 value = "${local.cluster_istio_enabled}"
@@ -124,8 +124,8 @@ output "cloudrun_enabled" {
 value = "${local.cluster_cloudrun_enabled}"
 }
 {% endif %}
-
 {% if private_cluster %}
+
 output "pod_security_policy_enabled" {
 description = "Whether pod security policy is enabled"
 value = "${local.cluster_pod_security_policy_enabled}"
diff --git a/autogen/variables.tf b/autogen/variables.tf
index f5a6c9f823..1bc3d3d89e 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
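Review bot: The `- # cluster locals` line in this autogen/main.tf hunk drops a comment that the regenerated root main.tf in the following "Regenerate modules" commit still carries as an unchanged context line above the same realigned `cluster_name` block, so the template and the generated file no longer agree and the next `make generate` would produce a diff the repository does not contain. Since the change is only meant to fix formatting, keep the comment in the template as `  # cluster locals` directly above the `+ cluster_name = ...` line (or remove it from the generated files as well) so that generation stays reproducible. The corresponding modules/*/main.tf hunks are outside this chunk and presumably carry the same realignment, so they should be checked for the same mismatch. The enclosing `locals` block starts and ends outside the hunk.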
@@ -251,8 +251,8 @@ variable "service_account" {
 description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
 default = "create"
 }
-
 {% if private_cluster %}
+
 variable "deploy_using_private_endpoint" {
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
 default = "false"
@@ -273,8 +273,8 @@ variable "master_ipv4_cidr_block" {
 default = "10.0.0.0/28"
 }
 {% endif %}
-
 {% if beta_cluster %}
+
 variable "istio" {
 description = "(Beta) Enable Istio addon"
 default = false
From 2c38f12576a23926bcf8b5a25a265a7c543af746 Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Wed, 26 Jun 2019 10:23:48 -0400
Subject: [PATCH 7/7] Regenerate modules
---
 README.md | 5 ++++
 cluster_regional.tf | 7 +++---
 cluster_zonal.tf | 7 +++---
 main.tf | 25 +++++++++----------
 modules/beta-private-cluster/README.md | 5 ++++
 .../beta-private-cluster/cluster_regional.tf | 9 ++++---
 modules/beta-private-cluster/cluster_zonal.tf | 9 ++++---
 modules/beta-private-cluster/main.tf | 24 +++++++++---------
 modules/beta-public-cluster/README.md | 5 ++++
 .../beta-public-cluster/cluster_regional.tf | 8 +++---
 modules/beta-public-cluster/cluster_zonal.tf | 8 +++---
 modules/beta-public-cluster/main.tf | 24 +++++++++---------
 modules/beta-public-cluster/outputs.tf | 1 -
 modules/private-cluster/README.md | 5 ++++
 modules/private-cluster/cluster_regional.tf | 8 +++---
 modules/private-cluster/cluster_zonal.tf | 8 +++---
 modules/private-cluster/main.tf | 25 +++++++++----------
 modules/private-cluster/outputs.tf | 1 -
 outputs.tf | 2 --
 variables.tf | 2 --
 20 files changed, 108 insertions(+), 80 deletions(-)
diff --git a/README.md b/README.md
index 2d67693b64..9130ebb172 100644
--- a/README.md
+++ b/README.md
@@ -234,6 +234,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements diff --git a/cluster_regional.tf b/cluster_regional.tf index 3e1c78c87c..124fd8b21b 100644 --- a/cluster_regional.tf +++ b/cluster_regional.tf @@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" { description = "${var.description}" project = "${var.project_id}" - region = "${var.region}" - node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] + region = "${var.region}" + node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -100,6 +100,7 @@ resource "google_container_cluster" "primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + remove_default_node_pool = "${var.remove_default_node_pool}" } diff --git a/cluster_zonal.tf b/cluster_zonal.tf index b37b8c3ff5..5f3735857e 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf 
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" { description = "${var.description}" project = "${var.project_id}" - zone = "${var.zones[0]}" - node_locations = ["${slice(var.zones,1,length(var.zones))}"] + zone = "${var.zones[0]}" + node_locations = ["${slice(var.zones,1,length(var.zones))}"] cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}" - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" network_policy { enabled = "${var.network_policy}" @@ -100,6 +100,7 @@ resource "google_container_cluster" "zonal_primary" { service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}" } } + remove_default_node_pool = "${var.remove_default_node_pool}" } diff --git a/main.tf b/main.tf index e96d301c43..0b88544f21 100644 --- a/main.tf +++ b/main.tf 
@@ -128,19 +128,18 @@ locals { cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" # cluster locals - cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" - cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" - cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" - cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" - cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" - cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" - cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" - cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" - cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" - cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" - cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" - cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" - + cluster_name = "${local.cluster_type_output_name[local.cluster_type]}" + cluster_location = "${local.cluster_type_output_location[local.cluster_type]}" + cluster_region = "${local.cluster_type_output_region[local.cluster_type]}" + cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}" + cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}" + cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}" + cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}" + cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}" + cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}" + 
cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}" + cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}" + cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}" cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}" cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index ed9c02c795..00eb0bfb9b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -253,6 +253,11 @@ To more cleanly handle cases where desired functionality would require complex d The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. +Note: The correct sequence to update the repo using autogen +functionality is the run `make generate && make generate_docs`. This +will create the various Terraform files, and then generate the +Terraform documentation using `terraform-docs`. + ## Testing ### Requirements diff --git a/modules/beta-private-cluster/cluster_regional.tf b/modules/beta-private-cluster/cluster_regional.tf index f373d9a699..39c4e3a899 100644 --- a/modules/beta-private-cluster/cluster_regional.tf +++ b/modules/beta-private-cluster/cluster_regional.tf 
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- region = "${var.region}"
- node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
+ region = "${var.region}"
+ node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -71,6 +71,7 @@ resource "google_container_cluster" "primary" {
 network_policy_config {
 disabled = "${var.network_policy ? 0 : 1}"
 }
+
 istio_config {
 disabled = "${var.istio ? 0 : 1}"
 }
@@ -109,11 +110,13 @@ resource "google_container_cluster" "primary" {
 service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
 }
 }
+
 private_cluster_config {
 enable_private_endpoint = "${var.enable_private_endpoint}"
 enable_private_nodes = "${var.enable_private_nodes}"
 master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 }
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 database_encryption = ["${var.database_encryption}"]
 }
diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf
index 3adbeadddb..95697ce5b2 100644
--- a/modules/beta-private-cluster/cluster_zonal.tf
+++ b/modules/beta-private-cluster/cluster_zonal.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- zone = "${var.zones[0]}"
- node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+ zone = "${var.zones[0]}"
+ node_locations = ["${slice(var.zones,1,length(var.zones))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -71,6 +71,7 @@ resource "google_container_cluster" "zonal_primary" {
 network_policy_config {
 disabled = "${var.network_policy ? 0 : 1}"
 }
+
 istio_config {
 disabled = "${var.istio ? 0 : 1}"
 }
@@ -109,11 +110,13 @@ resource "google_container_cluster" "zonal_primary" {
 service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
 }
 }
+
 private_cluster_config {
 enable_private_endpoint = "${var.enable_private_endpoint}"
 enable_private_nodes = "${var.enable_private_nodes}"
 master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 }
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 database_encryption = ["${var.database_encryption}"]
 }
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 1694ce6007..f9ebd7f70a 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -151,18 +151,18 @@ locals {
 cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
 cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}"
 # cluster locals
- cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
- cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
- cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
- cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
- cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
- cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
- cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
- cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
- cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
- cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
- cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
- cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
+ cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
+ cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
+ cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
+ cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
+ cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
+ cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
+ cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
+ cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
+ cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
+ cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
+ cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
+ cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
 cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index a3981efb62..1e96939fb9 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -241,6 +241,11 @@ To more cleanly handle cases where desired functionality would require complex d
 The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate.
+Note: The correct sequence to update the repo using autogen
+functionality is the run `make generate && make generate_docs`. This
+will create the various Terraform files, and then generate the
+Terraform documentation using `terraform-docs`.
+
 ## Testing
 ### Requirements
diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf
index e67c9d1766..ad92b21d6e 100644
--- a/modules/beta-public-cluster/cluster_regional.tf
+++ b/modules/beta-public-cluster/cluster_regional.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- region = "${var.region}"
- node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
+ region = "${var.region}"
+ node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -69,6 +69,7 @@ resource "google_container_cluster" "primary" {
 network_policy_config {
 disabled = "${var.network_policy ? 0 : 1}"
 }
+
 istio_config {
 disabled = "${var.istio ? 0 : 1}"
 }
@@ -107,6 +108,7 @@ resource "google_container_cluster" "primary" {
 service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
 }
 }
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 database_encryption = ["${var.database_encryption}"]
 }
diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf
index c1c722f084..936c569c5a 100644
--- a/modules/beta-public-cluster/cluster_zonal.tf
+++ b/modules/beta-public-cluster/cluster_zonal.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- zone = "${var.zones[0]}"
- node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+ zone = "${var.zones[0]}"
+ node_locations = ["${slice(var.zones,1,length(var.zones))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -69,6 +69,7 @@ resource "google_container_cluster" "zonal_primary" {
 network_policy_config {
 disabled = "${var.network_policy ? 0 : 1}"
 }
+
 istio_config {
 disabled = "${var.istio ? 0 : 1}"
 }
@@ -107,6 +108,7 @@ resource "google_container_cluster" "zonal_primary" {
 service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
 }
 }
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 database_encryption = ["${var.database_encryption}"]
 }
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 413da4e26c..83f4865b38 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -138,18 +138,18 @@ locals {
 cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
 cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}"
 # cluster locals
- cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
- cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
- cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
- cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
- cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
- cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
- cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
- cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
- cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
- cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
- cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
- cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
+ cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
+ cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
+ cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
+ cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
+ cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
+ cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
+ cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
+ cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
+ cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
+ cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
+ cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
+ cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
 cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
index 548ca02749..eb24b144e3 100644
--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -122,4 +122,3 @@ output "cloudrun_enabled" {
 description = "Whether CloudRun enabled"
 value = "${local.cluster_cloudrun_enabled}"
 }
-
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 8f48f59b7a..3bc7d89eb0 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -246,6 +246,11 @@ To more cleanly handle cases where desired functionality would require complex d
 The root module is generated by running `make generate`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate.
+Note: The correct sequence to update the repo using autogen
+functionality is the run `make generate && make generate_docs`. This
+will create the various Terraform files, and then generate the
+Terraform documentation using `terraform-docs`.
+
 ## Testing
 ### Requirements
diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf
index 80465b866f..a2c8fcf10d 100644
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- region = "${var.region}"
- node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
+ region = "${var.region}"
+ node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -102,11 +102,13 @@ resource "google_container_cluster" "primary" {
 service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
 }
 }
+
 private_cluster_config {
 enable_private_endpoint = "${var.enable_private_endpoint}"
 enable_private_nodes = "${var.enable_private_nodes}"
 master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 }
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 }
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index 4849b50c04..1a824110df 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
@@ -26,10 +26,10 @@ resource "google_container_cluster" "zonal_primary" {
 description = "${var.description}"
 project = "${var.project_id}"
- zone = "${var.zones[0]}"
- node_locations = ["${slice(var.zones,1,length(var.zones))}"]
+ zone = "${var.zones[0]}"
+ node_locations = ["${slice(var.zones,1,length(var.zones))}"]
 cluster_ipv4_cidr = "${var.cluster_ipv4_cidr}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
 network_policy {
 enabled = "${var.network_policy}"
@@ -102,11 +102,13 @@ resource "google_container_cluster" "zonal_primary" {
 service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
 }
 }
+
 private_cluster_config {
 enable_private_endpoint = "${var.enable_private_endpoint}"
 enable_private_nodes = "${var.enable_private_nodes}"
 master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 }
+
 remove_default_node_pool = "${var.remove_default_node_pool}"
 }
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 95e28ae4b3..ecb267e9ce 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -142,19 +142,18 @@ locals {
 cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}"
 # cluster locals
- cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
- cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
- cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
- cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
- cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
- cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
- cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
- cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
- cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
- cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
- cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
- cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
-
+ cluster_name = "${local.cluster_type_output_name[local.cluster_type]}"
+ cluster_location = "${local.cluster_type_output_location[local.cluster_type]}"
+ cluster_region = "${local.cluster_type_output_region[local.cluster_type]}"
+ cluster_zones = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
+ cluster_endpoint = "${local.cluster_type_output_endpoint[local.cluster_type]}"
+ cluster_ca_certificate = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
+ cluster_master_version = "${local.cluster_type_output_master_version[local.cluster_type]}"
+ cluster_min_master_version = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
+ cluster_logging_service = "${local.cluster_type_output_logging_service[local.cluster_type]}"
+ cluster_monitoring_service = "${local.cluster_type_output_monitoring_service[local.cluster_type]}"
+ cluster_node_pools_names = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
+ cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
 cluster_network_policy_enabled = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
 cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index 7e31d6dcad..0cda908649 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
@@ -113,7 +113,6 @@ output "service_account" {
 value = "${local.service_account}"
 }
-
 output "pod_security_policy_enabled" {
 description = "Whether pod security policy is enabled"
 value = "${local.cluster_pod_security_policy_enabled}"
diff --git a/outputs.tf b/outputs.tf
index aed604e3e6..6b9d5895ab 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -112,5 +112,3 @@ output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
 value = "${local.service_account}"
 }
-
-
diff --git a/variables.tf b/variables.tf
index 7e47982e1e..a415672e88 100644
--- a/variables.tf
+++ b/variables.tf
@@ -237,8 +237,6 @@ variable "service_account" {
 default = "create"
 }
-
-
 variable "basic_auth_username" {
 description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
 default = ""