Merge pull request #3 from terraform-google-modules/master

Merge latest from upstream
abhinavrau · Jan 12, 2021 · 19a536e · 19a536e
2 parents 07b67a2 + 372a11c
commit 19a536e
Show file tree

Hide file tree

Showing 67 changed files with 520 additions and 205 deletions.
diff --git a/README.md b/README.md
@@ -21,6 +21,16 @@ intended for Terraform 0.11.x is [3.0.0].
 There are multiple examples included in the [examples](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/examples) folder but simple usage is as follows:
 
 ```hcl
+# google_client_config and kubernetes provider must be explicitly specified like the following.
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                     = "terraform-google-modules/kubernetes-engine/google"
   project_id                 = "<PROJECT ID>"
@@ -146,6 +156,7 @@ Then perform the following commands on the root folder:
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
+| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |

diff --git a/auth.tf b/auth.tf
@@ -22,13 +22,3 @@
 data "google_client_config" "default" {
   provider = google
 }
-
-/******************************************
-  Configure provider
- *****************************************/
-provider "kubernetes" {
-  load_config_file       = false
-  host                   = "https://${local.cluster_endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
-}
diff --git a/autogen/main/README.md b/autogen/main/README.md
@@ -51,6 +51,16 @@ intended for Terraform 0.11.x is [3.0.0].
 There are multiple examples included in the [examples](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/examples) folder but simple usage is as follows:
 
 ```hcl
+# google_client_config and kubernetes provider must be explicitly specified like the following.
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                     = "terraform-google-modules/kubernetes-engine/google{{ module_path }}"
   project_id                 = "<PROJECT ID>"

diff --git a/autogen/main/auth.tf.tmpl b/autogen/main/auth.tf.tmpl
@@ -26,13 +26,3 @@ data "google_client_config" "default" {
   provider = google
   {% endif %}
 }
-
-/******************************************
-  Configure provider
- *****************************************/
-provider "kubernetes" {
-  load_config_file       = false
-  host                   = "https://${local.cluster_endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
-}
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -214,6 +214,16 @@ resource "google_container_cluster" "primary" {
         start_time = var.maintenance_start_time
       }
     }
+
+    dynamic "maintenance_exclusion" {
+      for_each = var.maintenance_exclusions
+      content {
+        exclusion_name = maintenance_exclusion.value.name
+        start_time     = maintenance_exclusion.value.start_time
+        end_time       = maintenance_exclusion.value.end_time
+      }
+    }
+
   {% else %}
     daily_maintenance_window {
       start_time = var.maintenance_start_time
@@ -365,6 +375,18 @@ resource "random_id" "name" {
         )
       )
     },
+    {
+      taints = join(",",
+        sort(
+          flatten(
+            concat(
+              [for all_taints in local.node_pools_taints["all"] : "all/${all_taints.key}/${all_taints.value}/${all_taints.effect}"],
+              [for each_pool_taint in local.node_pools_taints[each.value["name"]] : "${each.value["name"]}/${each_pool_taint.key}/${each_pool_taint.value}/${each_pool_taint.effect}"],
+            )
+          )
+        )
+      )
+    },
     {
       metadata = join(",",
         sort(

diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -114,6 +114,12 @@ variable "maintenance_start_time" {
   default     = "05:00"
 }
 
+variable "maintenance_exclusions" {
+  type        = list(object({ name = string, start_time = string, end_time = string }))
+  description = "List of maintenance exclusions. A cluster can have up to three"
+  default = []
+}
+
 {% if beta_cluster %}
 variable "maintenance_end_time" {
   type        = string

diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
@@ -19,7 +19,7 @@ terraform {
 
   required_providers {
 {% if beta_cluster %}
-    google-beta = ">= 3.42.0, <4.0.0"
+    google-beta = ">= 3.49.0, <4.0.0"
     kubernetes  = "~> 1.10, != 1.11.0"
 {% else %}
     google     = ">= 3.39.0, <4.0.0"

diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl
@@ -45,15 +45,6 @@ output "endpoint" {
   sensitive   = true
   description = "Cluster endpoint"
   value       = module.gke.endpoint
-  depends_on = [
-    /* Nominally, the endpoint is populated as soon as it is known to Terraform.
-    * However, the cluster may not be in a usable state yet.  Therefore any
-    * resources dependent on the cluster being up will fail to deploy.  With
-    * this explicit dependency, dependent resources can wait for the cluster
-    * to be up.
-    */
-    module.gke
-  ]
 }
 
 output "min_master_version" {

diff --git a/docs/upgrading_to_v13.0.md b/docs/upgrading_to_v13.0.md
@@ -0,0 +1,37 @@
+# Upgrading to v13.0
+
+The v13.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### `kubernetes` provider removed from the module
+
+- `kubernetes` provider has been removed across all modules/submodules and need to be specified in the calling module.
+
+To leverage Terraform v0.13 features such as custom variable validation and using `count`, `for_each` or `depends_on` in modules,
+it is [required](https://www.terraform.io/docs/modules/providers.html#legacy-shared-modules-with-provider-configurations) that
+a module does not contain any nested provider configuration and receives all of its provider configurations from the calling
+module. This release adapts to this requirement.
+
+```diff
++  data "google_client_config" "default" {}
+
++  provider "kubernetes" {
++    load_config_file       = false
++    host                   = "https://${module.gke.endpoint}"
++    token                  = data.google_client_config.default.access_token
++    cluster_ca_certificate = base64decode(module.gke.ca_certificate)
++  }
+
+ module "gke" {
+   source                  = "terraform-google-modules/kubernetes-engine/google"
+-  version                 = "~> 12.0"
++  version                 = "~> 13.0"
+}
+```
+
+### ACM submodule `local_file` removed
+
+[ACM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/acm) no longer creates a local file called `operator_cr.yaml`.
+The yaml contents are rendered dynamically and passed via STDIN which fixes errors due to `operator_cr.yaml` file not being present between ephemeral pipeline runs.
+
+This is destructive and will result in deletion and recreation of the ACM operator.
diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
@@ -23,16 +23,15 @@ provider "google" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
 provider "kubernetes" {
   load_config_file       = false
-  host                   = module.gke.endpoint
+  host                   = "https://${module.gke.endpoint}"
   token                  = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(module.gke.ca_certificate)
 }
 
-data "google_client_config" "default" {
-}
-
 module "gke" {
   source     = "../../"
   project_id = var.project_id

diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf
@@ -23,6 +23,15 @@ provider "google" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source = "../../"
 
@@ -38,6 +47,3 @@ module "gke" {
   service_account          = var.compute_engine_service_account
   issue_client_certificate = false
 }
-
-data "google_client_config" "default" {
-}
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
@@ -19,10 +19,19 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.42.0"
+  version = "~> 3.49.0"
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                            = "../../modules/beta-public-cluster/"
   project_id                        = var.project_id
@@ -113,6 +122,3 @@ module "gke" {
     ]
   }
 }
-
-data "google_client_config" "default" {
-}
diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf
@@ -29,6 +29,15 @@ data "google_compute_subnetwork" "subnetwork" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                  = "../../modules/private-cluster-update-variant"
   project_id              = var.project_id
@@ -110,6 +119,3 @@ module "gke" {
     pool-02 = []
   }
 }
-
-data "google_client_config" "default" {
-}
diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.42.0"
+  version     = "~> 3.49.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
@@ -30,6 +30,15 @@ data "google_compute_subnetwork" "subnetwork" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                  = "../../modules/beta-private-cluster-update-variant"
   project_id              = var.project_id
@@ -129,6 +138,3 @@ module "gke" {
     pool-02 = []
   }
 }
-
-data "google_client_config" "default" {
-}
diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.42.0"
+  version     = "~> 3.49.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
@@ -30,6 +30,15 @@ data "google_compute_subnetwork" "subnetwork" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                 = "../../modules/beta-public-cluster-update-variant"
   project_id             = var.project_id
@@ -125,6 +134,3 @@ module "gke" {
     pool-02 = []
   }
 }
-
-data "google_client_config" "default" {
-}
diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf
@@ -14,6 +14,15 @@
  * limitations under the License.
  */
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gcp-network" {
   source       = "terraform-google-modules/network/google"
   version      = "~> 2.5"
@@ -74,6 +83,3 @@ module "gke" {
     },
   ]
 }
-
-data "google_client_config" "default" {
-}
diff --git a/examples/regional_private_node_pool_oauth_scopes/provider.tf b/examples/regional_private_node_pool_oauth_scopes/provider.tf
@@ -19,5 +19,14 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.42.0"
+  version = "~> 3.49.0"
+}
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
 }