Merge pull request terraform-google-modules#203 from marko7460/node_m…

…etadata

Restrict node access to cluster metadata service

.kitchen.yml

@@ -104,3 +104,10 @@ suites:
       systems:
         - name: stub_domains_private
           backend: local
+  - name: "workload_metadata_config"
+    driver:
+      root_module_directory: test/fixtures/workload_metadata_config
+    verifier:
+      systems:
+        - name: workload_metadata_config
+          backend: local

autogen/cluster_regional.tf

@@ -106,6 +106,9 @@ resource "google_container_cluster" "primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      {% if beta_cluster %}
+      workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
+      {% endif %}
     }
   }
 {% if private_cluster %}
@@ -168,6 +171,10 @@ resource "google_container_node_pool" "pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+    {% if beta_cluster %}
+
+    workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
+    {% endif %}
   }
 
   lifecycle {

autogen/cluster_zonal.tf

@@ -107,6 +107,9 @@ resource "google_container_cluster" "zonal_primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      {% if beta_cluster %}
+      workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
+      {% endif %}
     }
   }
 {% if private_cluster %}
@@ -169,6 +172,10 @@ resource "google_container_node_pool" "zonal_pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+    {% if beta_cluster %}
+
+    workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
+    {% endif %}
   }
 
   lifecycle {

autogen/main.tf

@@ -52,7 +52,14 @@ locals {
     enabled  = [{disabled = "false"}]
     disabled = []
   }
+{% if beta_cluster %}
+
+  cluster_node_metadata_config = {
+    specified   = [{node_metadata = "${var.node_metadata}"}]
+    unspecified = []
+  }
 
+{% endif %}
   cluster_type_output_name = {
     regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}"
     zonal    = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}"

autogen/variables.tf

@@ -300,6 +300,11 @@ variable "pod_security_policy_config" {
     "enabled" = false
   }]
 }
+
+variable "node_metadata" {
+  description = "Specifies how node metadata is exposed to the workload running on the node"
+  default     = "UNSPECIFIED"
+}
 {% endif %}
 
 variable "basic_auth_username" {

examples/workload_metadata_config/README.md

@@ -0,0 +1,46 @@
+# Workload Metadata Config Cluster
+
+This example illustrates how to use a cluster with `workload_metadata_config` defined.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+| zones | The zone to host the cluster in (required if is a zonal cluster) | list | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate |  |
+| client\_token |  |
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint |  |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| project\_id |  |
+| region |  |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/workload_metadata_config/main.tf

@@ -0,0 +1,57 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "workload-metadata-private"
+}
+
+provider "google-beta" {
+  version = "~> 2.9.0"
+  region  = "${var.region}"
+}
+
+data "google_compute_subnetwork" "subnetwork" {
+  name    = "${var.subnetwork}"
+  project = "${var.project_id}"
+  region  = "${var.region}"
+}
+
+module "gke" {
+  source                  = "../../modules/beta-private-cluster/"
+  project_id              = "${var.project_id}"
+  name                    = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional                = false
+  region                  = "${var.region}"
+  zones                   = "${var.zones}"
+  network                 = "${var.network}"
+  subnetwork              = "${var.subnetwork}"
+  ip_range_pods           = "${var.ip_range_pods}"
+  ip_range_services       = "${var.ip_range_services}"
+  service_account         = "${var.compute_engine_service_account}"
+  enable_private_endpoint = true
+  enable_private_nodes    = true
+  master_ipv4_cidr_block  = "172.16.0.0/28"
+  node_metadata           = "SECURE"
+
+  master_authorized_networks_config = [{
+    cidr_blocks = [{
+      cidr_block   = "${data.google_compute_subnetwork.subnetwork.ip_cidr_range}"
+      display_name = "VPC"
+    }]
+  }]
+}
+
+data "google_client_config" "default" {}

examples/workload_metadata_config/outputs.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = "${module.gke.endpoint}"
+}
+
+output "client_token" {
+  sensitive = true
+  value     = "${base64encode(data.google_client_config.default.access_token)}"
+}
+
+output "ca_certificate" {
+  value = "${module.gke.ca_certificate}"
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}

examples/workload_metadata_config/test_outputs.tf

@@ -0,0 +1 @@
+../../test/fixtures/all_examples/test_outputs.tf

examples/workload_metadata_config/variables.tf

@@ -0,0 +1,53 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+}
+
+variable "cluster_name_suffix" {
+  description = "A suffix to append to the default cluster name"
+  default     = ""
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+}
+
+variable "zones" {
+  type        = "list"
+  description = "The zone to host the cluster in (required if is a zonal cluster)"
+}
+
+variable "network" {
+  description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
+}

modules/beta-private-cluster/README.md

@@ -154,6 +154,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | string | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
 | node\_pools | List of maps containing node pools | list | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |

modules/beta-private-cluster/cluster_regional.tf

@@ -102,6 +102,7 @@ resource "google_container_cluster" "primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
     }
   }
 
@@ -160,6 +161,8 @@ resource "google_container_node_pool" "pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
   }
 
   lifecycle {

modules/beta-private-cluster/cluster_zonal.tf

@@ -103,6 +103,7 @@ resource "google_container_cluster" "zonal_primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
     }
   }
 
@@ -161,6 +162,8 @@ resource "google_container_node_pool" "zonal_pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
   }
 
   lifecycle {

modules/beta-private-cluster/main.tf

@@ -59,6 +59,14 @@ locals {
     disabled = []
   }
 
+  cluster_node_metadata_config = {
+    specified = [{
+      node_metadata = "${var.node_metadata}"
+    }]
+
+    unspecified = []
+  }
+
   cluster_type_output_name = {
     regional = "${element(concat(google_container_cluster.primary.*.name, list("")), 0)}"
     zonal    = "${element(concat(google_container_cluster.zonal_primary.*.name, list("")), 0)}"

modules/beta-private-cluster/variables.tf

@@ -302,6 +302,11 @@ variable "pod_security_policy_config" {
   }]
 }
 
+variable "node_metadata" {
+  description = "Specifies how node metadata is exposed to the workload running on the node"
+  default     = "UNSPECIFIED"
+}
+
 variable "basic_auth_username" {
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""

modules/beta-public-cluster/README.md

@@ -145,6 +145,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | string | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
 | node\_pools | List of maps containing node pools | list | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |

modules/beta-public-cluster/cluster_regional.tf

@@ -102,6 +102,7 @@ resource "google_container_cluster" "primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
     }
   }
 
@@ -154,6 +155,8 @@ resource "google_container_node_pool" "pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
   }
 
   lifecycle {

modules/beta-public-cluster/cluster_zonal.tf

@@ -103,6 +103,7 @@ resource "google_container_cluster" "zonal_primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
     }
   }
 
@@ -155,6 +156,8 @@ resource "google_container_node_pool" "zonal_pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
   }
 
   lifecycle {