diff --git a/.kitchen.yml b/.kitchen.yml index 9f5df5a03e..db8bf98549 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -38,13 +38,13 @@ suites: # systems: # - name: deploy_service # backend: local - - name: "disable_client_cert" - driver: - root_module_directory: test/fixtures/disable_client_cert - verifier: - systems: - - name: disable_client_cert - backend: local +# - name: "disable_client_cert" +# driver: +# root_module_directory: test/fixtures/disable_client_cert +# verifier: +# systems: +# - name: disable_client_cert +# backend: local # Disabled due to issue #274 # (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/274) # - name: "node_pool" 
@@ -54,54 +54,54 @@ suites: # systems: # - name: node_pool # backend: local - - name: "shared_vpc" - driver: - root_module_directory: test/fixtures/shared_vpc - verifier: - systems: - - name: shared_vpc - backend: local - - name: "simple_regional" - driver: - root_module_directory: test/fixtures/simple_regional - verifier: - systems: - - name: simple_regional - backend: local - - name: "simple_regional_private" - driver: - root_module_directory: test/fixtures/simple_regional_private - verifier: - systems: - - name: simple_regional_private - backend: local - - name: "simple_zonal" - driver: - root_module_directory: test/fixtures/simple_zonal - verifier: - systems: - - name: gcloud - backend: local - controls: - - gcloud - - name: gcp - backend: gcp - controls: - - gcp - - name: "simple_zonal_private" - driver: - root_module_directory: test/fixtures/simple_zonal_private - verifier: - systems: - - name: simple_zonal_private - backend: local - - name: "stub_domains" - driver: - root_module_directory: test/fixtures/stub_domains - verifier: - systems: - - name: stub_domains - backend: local +# - name: "shared_vpc" +# driver: +# root_module_directory: test/fixtures/shared_vpc +# verifier: +# systems: +# - name: shared_vpc +# backend: local +# - name: "simple_regional" +# driver: +# root_module_directory: test/fixtures/simple_regional +# verifier: +# systems: +# - name: simple_regional +# backend: local +# - name: "simple_regional_private" +# driver: +# root_module_directory: test/fixtures/simple_regional_private +# verifier: +# systems: +# - name: simple_regional_private +# backend: local +# - name: "simple_zonal" +# driver: +# root_module_directory: test/fixtures/simple_zonal +# verifier: +# systems: +# - name: gcloud +# backend: local +# controls: +# - gcloud +# - name: gcp +# backend: gcp +# controls: +# - gcp +# - name: "simple_zonal_private" +# driver: +# root_module_directory: test/fixtures/simple_zonal_private +# verifier: +# systems: +# - name: 
simple_zonal_private +# backend: local +# - name: "stub_domains" +# driver: +# root_module_directory: test/fixtures/stub_domains +# verifier: +# systems: +# - name: stub_domains +# backend: local # Disabled due to issue #264 # (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264) # - name: stub_domains_private @@ -110,24 +110,31 @@ suites: # systems: # - name: stub_domains_private # backend: local - - name: "upstream_nameservers" - driver: - root_module_directory: test/fixtures/upstream_nameservers - verifier: - systems: - - name: upstream_nameservers - backend: local - - name: "stub_domains_upstream_nameservers" - driver: - root_module_directory: test/fixtures/stub_domains_upstream_nameservers - verifier: - systems: - - name: stub_domains_upstream_nameservers - backend: local - - name: "workload_metadata_config" +# - name: "upstream_nameservers" +# driver: +# root_module_directory: test/fixtures/upstream_nameservers +# verifier: +# systems: +# - name: upstream_nameservers +# backend: local +# - name: "stub_domains_upstream_nameservers" +# driver: +# root_module_directory: test/fixtures/stub_domains_upstream_nameservers +# verifier: +# systems: +# - name: stub_domains_upstream_nameservers +# backend: local +# - name: "workload_metadata_config" +# driver: +# root_module_directory: test/fixtures/workload_metadata_config +# verifier: +# systems: +# - name: workload_metadata_config +# backend: local + - name: "simple_regional_skip_local_exec" driver: - root_module_directory: test/fixtures/workload_metadata_config + root_module_directory: test/fixtures/simple_regional_skip_local_exec verifier: systems: - - name: workload_metadata_config + - name: simple_regional_skip_local_exec backend: local diff --git a/README.md b/README.md index 50e2afd63b..7bbad87b34 100644 --- a/README.md +++ b/README.md 
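Review bot: After this change `simple_regional_skip_local_exec` is the only suite left uncommented in this file, so Kitchen no longer converges or verifies the shared_vpc, simple_regional_private, simple_zonal_private, disable_client_cert, stub_domains, upstream_nameservers and workload_metadata_config fixtures, and the private-cluster and client-certificate paths lose all integration coverage. If the commenting was a local shortcut for iterating on the new suite it should be reverted before merge; if it is deliberate, follow the file's own convention and put a `# Disabled due to issue #NNN` line with a link above each disabled block, as node_pool and stub_domains_private already have. The new suite is also the only place the `skip_provisioners` flag is exercised, so it should not become the sole thing CI runs.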
@@ -108,6 +108,22 @@ Then perform the following commands on the root folder: - `terraform apply` to apply the infrastructure build - `terraform destroy` to destroy the built infrastructure +## Upgrade to v3.0.0 + +v3.0.0 is a breaking release. Refer to the +[Upgrading to v3.0 guide][upgrading-to-v3.0] for details. + +## Upgrade to v2.0.0 + +v2.0.0 is a breaking release. Refer to the +[Upgrading to v2.0 guide][upgrading-to-v2.0] for details. + +## Upgrade to v1.0.0 + +Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths. + +In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster. + ## Inputs 
@@ -153,6 +169,7 @@ Then perform the following commands on the root folder: | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | diff --git a/autogen/README.md b/autogen/README.md index 421e4a2605..9b926148f1 100644 --- a/autogen/README.md +++ b/autogen/README.md 
@@ -201,6 +201,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 4e5fd74d55..95ca6a31b6 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -352,6 +352,7 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_cluster" { + count = var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" diff --git a/autogen/dns.tf b/autogen/dns.tf index d9d4a35395..731e010b0d 100644 --- a/autogen/dns.tf +++ b/autogen/dns.tf 
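Review bot: The added `count = var.skip_provisioners ? 1 : 0` is inverted relative to the variable's description "Flag to skip local-exec provisioners": with the default `false` the `wait_for_cluster` null_resource is never created, and setting the flag to `true` is what makes the wait script run. It should be `count = var.skip_provisioners ? 0 : 1`, and since this is the autogen template the generated cluster.tf and modules/*/cluster.tf copies should be regenerated from it rather than patched individually. Adding `count` also changes the instance address to `null_resource.wait_for_cluster[0]`, so existing states will plan a replacement of the null_resource and re-run the script on upgrade; anything outside this hunk that references the resource by address should be checked and the upgrade guide should mention it. The resource block continues past the end of the hunk.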
@@ -20,7 +20,7 @@ Delete default kube-dns configmap
 *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
- count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0
+ count = (local.custom_kube_dns_config || local.upstream_nameservers_config) || var.skip_provisioners ? 1 : 0
 provisioner "local-exec" {
 command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 0fedacb2af..72ef7a6652 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -304,6 +304,11 @@ variable "cluster_resource_labels" {
 default = {}
 }
+variable "skip_provisioners" {
+ type = bool
+ description = "Flag to skip local-exec provisioners"
+ default = false
+}
 {% if private_cluster %}
 variable "deploy_using_private_endpoint" {
diff --git a/cluster.tf b/cluster.tf
index ffdb27b0fc..40b5559703 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -227,6 +227,7 @@ resource "google_container_node_pool" "pools" {
 }
 resource "null_resource" "wait_for_cluster" {
+ count = var.skip_provisioners ? 1 : 0
 provisioner "local-exec" {
 command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"
diff --git a/dns.tf b/dns.tf
index b240a23e65..f490c15504 100644
--- a/dns.tf
+++ b/dns.tf
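Review bot: With `skip_provisioners = true` the new condition `(local.custom_kube_dns_config || local.upstream_nameservers_config) || var.skip_provisioners ? 1 : 0` is 1 even when neither DNS option is set, so the flag forces the kube-dns configmap deletion to run on every cluster instead of suppressing it; it should gate the resource off, `count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners ? 1 : 0`. The inversion matters more here than for the wait script because the context line below passes `data.google_client_config.default.access_token` and the cluster CA to kubectl_wrapper.sh as command-line arguments, which exposes the token to process listings on the Terraform host and likely to provisioner debug logs — presumably exactly what a caller setting this flag wants to avoid, and they would get the opposite. Once fixed, callers combining the flag with stub_domains or upstream_nameservers will no longer have the default configmap removed before their own configmap is applied; that interaction lives outside this hunk and should be documented on the variable. The resource block continues past the end of the hunk.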
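Review bot: The description `Flag to skip local-exec provisioners` does not tell a caller which steps they lose or why they would want to; elsewhere in this diff the flag gates the wait-for-cluster script and the kube-dns configmap deletion, both of which shell out from the Terraform host, the latter with the caller's access token on the command line. Suggest `description = "Skip all local-exec provisioners (wait-for-cluster and kube-dns configmap deletion). Use when Terraform runs without gcloud/kubectl or without network access to the cluster endpoint; stub_domains/upstream_nameservers will then be applied without first removing the default kube-dns configmap."` As this is the autogen template the generated variables.tf copies will pick the wording up on regeneration.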
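Review bot: Same inverted condition as in autogen/cluster.tf: `count = var.skip_provisioners ? 1 : 0` creates the wait_for_cluster null_resource only when the caller asks to skip provisioners and removes it for the default `false`, so every existing user of the root module silently loses the wait step on upgrade. It should be `count = var.skip_provisioners ? 0 : 1`; because this file is generated, fix the template and regenerate rather than editing here. The resource block continues past the end of the hunk.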
@@ -20,7 +20,7 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 + count = (local.custom_kube_dns_config || local.upstream_nameservers_config) || var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" diff --git a/examples/simple_regional/README.md b/examples/simple_regional/README.md index fb209e47b5..ced6070bec 100644 --- a/examples/simple_regional/README.md +++ b/examples/simple_regional/README.md @@ -14,6 +14,7 @@ This example illustrates how to create a simple cluster. | network | The VPC network to host the cluster in | string | n/a | yes | | project\_id | The project ID to host the cluster in | string | n/a | yes | | region | The region to host the cluster in | string | n/a | yes | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | n/a | yes | | subnetwork | The subnetwork to host the cluster in | string | n/a | yes | ## Outputs diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 4662435fbd..353ae91906 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -35,6 +35,7 @@ module "gke" { ip_range_services = var.ip_range_services create_service_account = false service_account = var.compute_engine_service_account + skip_provisioners = var.skip_provisioners } data "google_client_config" "default" { diff --git a/examples/simple_regional/variables.tf b/examples/simple_regional/variables.tf index 6121eab9ea..e7405d9e21 100644 --- a/examples/simple_regional/variables.tf +++ b/examples/simple_regional/variables.tf 
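Review bot: Same problem as in autogen/dns.tf: `|| var.skip_provisioners` makes the flag force the kube-dns configmap deletion to run rather than skip it, so with `skip_provisioners = true` the access-token-bearing kubectl_wrapper.sh command on the context line below is executed on every cluster, DNS options or not. It should be `count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners ? 1 : 0`, regenerated from the template. The resource block continues past the end of the hunk.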
@@ -47,3 +47,8 @@ variable "compute_engine_service_account" { description = "Service account to associate to the nodes in the cluster" } +variable "skip_provisioners" { + type = bool + description = "Flag to skip local-exec provisioners" + default = false +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 988d48ead8..0d97cd4cc6 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -194,6 +194,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index c481c69a35..bb19940d1f 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
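Review bot: This declares `skip_provisioners` with `default = false`, but the example README in this same diff lists it as `n/a | yes` (required), so the generated docs disagree with the variable; rerun the docs generator after adding the default, or drop the default if the example is meant to force callers to choose. A short description of what is actually skipped, `description = "Skip the module's local-exec provisioners (wait-for-cluster, kube-dns configmap deletion)"`, would also help, since the example is the first place most users meet the flag.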
@@ -328,6 +328,7 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_cluster" { + count = var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf index b240a23e65..f490c15504 100644 --- a/modules/beta-private-cluster/dns.tf +++ b/modules/beta-private-cluster/dns.tf @@ -20,7 +20,7 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 + count = (local.custom_kube_dns_config || local.upstream_nameservers_config) || var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 9a869a830f..209e270ab7 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -302,6 +302,11 @@ variable "cluster_resource_labels" { default = {} } +variable "skip_provisioners" { + type = bool + description = "Flag to skip local-exec provisioners" + default = false +} variable "deploy_using_private_endpoint" { type = bool diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7d59e927bf..fc71bb68a4 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
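Review bot: The generated copy carries the same inverted `count = var.skip_provisioners ? 1 : 0` as autogen/cluster.tf: the wait_for_cluster resource disappears for the default `false` and is created only when skipping is requested. Fix the template as `count = var.skip_provisioners ? 0 : 1` and regenerate this module rather than editing the copy. The resource block continues past the end of the hunk.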
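Review bot: Generated copy of the autogen/dns.tf condition with the same defect: `|| var.skip_provisioners` turns the skip flag into an unconditional trigger for the kube-dns configmap deletion and for the kubectl_wrapper.sh call below that carries the access token on its command line. Regenerate with `count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners ? 1 : 0`. The resource block continues past the end of the hunk.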
@@ -185,6 +185,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index a264e932b9..e2e46ac862 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -323,6 +323,7 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_cluster" { + count = var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index b240a23e65..f490c15504 100644 --- a/modules/beta-public-cluster/dns.tf +++ b/modules/beta-public-cluster/dns.tf 
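Review bot: The beta-public copy has the same inverted `count = var.skip_provisioners ? 1 : 0` as the autogen template, so wait_for_cluster is dropped for the default `false` and only created when the caller asks to skip it. Correct the template to `count = var.skip_provisioners ? 0 : 1` and regenerate. The resource block continues past the end of the hunk.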
@@ -20,7 +20,7 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 + count = (local.custom_kube_dns_config || local.upstream_nameservers_config) || var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 0ae2b75661..fca12a6625 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -302,6 +302,11 @@ variable "cluster_resource_labels" { default = {} } +variable "skip_provisioners" { + type = bool + description = "Flag to skip local-exec provisioners" + default = false +} variable "istio" { description = "(Beta) Enable Istio addon" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index d823f640fa..e57a11b90a 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
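Review bot: Same inverted gate as autogen/dns.tf: with `skip_provisioners = true` this count is 1 regardless of the DNS locals, so the configmap deletion and its token-bearing kubectl_wrapper.sh command run on every beta-public cluster instead of being skipped. Regenerate with `count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners ? 1 : 0`. The resource block continues past the end of the hunk.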
@@ -178,6 +178,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 412e8295ed..ab8b275ab1 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -232,6 +232,7 @@ resource "google_container_node_pool" "pools" { } resource "null_resource" "wait_for_cluster" { + count = var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}" diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index b240a23e65..f490c15504 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf 
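Review bot: The private-cluster copy repeats the inverted `count = var.skip_provisioners ? 1 : 0`; with the default `false` no wait_for_cluster resource exists, and `true` is what makes the script run. Regenerate from a template corrected to `count = var.skip_provisioners ? 0 : 1`. The resource block continues past the end of the hunk.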
@@ -20,7 +20,7 @@ Delete default kube-dns configmap *****************************************/ resource "null_resource" "delete_default_kube_dns_configmap" { - count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0 + count = (local.custom_kube_dns_config || local.upstream_nameservers_config) || var.skip_provisioners ? 1 : 0 provisioner "local-exec" { command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 8008e08975..17f3c6f78f 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -292,6 +292,11 @@ variable "cluster_resource_labels" { default = {} } +variable "skip_provisioners" { + type = bool + description = "Flag to skip local-exec provisioners" + default = false +} variable "deploy_using_private_endpoint" { type = bool diff --git a/test/fixtures/simple_regional_skip_local_exec/example.tf b/test/fixtures/simple_regional_skip_local_exec/example.tf new file mode 100644 index 0000000000..82212d69af --- /dev/null +++ b/test/fixtures/simple_regional_skip_local_exec/example.tf 
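Review bot: Same inverted gate as autogen/dns.tf: `|| var.skip_provisioners` makes the skip flag force the kube-dns configmap deletion (and the kubectl_wrapper.sh call below with the access token on its command line) on every private cluster rather than suppressing it. Regenerate with `count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners ? 1 : 0`. The resource block continues past the end of the hunk.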
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+ source = "../../../examples/simple_regional"
+
+ project_id = var.project_id
+ cluster_name_suffix = "-${random_string.suffix.result}"
+ region = var.region
+ network = google_compute_network.main.name
+ subnetwork = google_compute_subnetwork.main.name
+ ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+ ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+ compute_engine_service_account = var.compute_engine_service_account
+ skip_provisioners = true
+}
diff --git a/test/fixtures/simple_regional_skip_local_exec/network.tf b/test/fixtures/simple_regional_skip_local_exec/network.tf
new file mode 100644
index 0000000000..e1292eae3b
--- /dev/null
+++ b/test/fixtures/simple_regional_skip_local_exec/network.tf
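Review bot: This fixture sets `skip_provisioners = true`, but with the `count = var.skip_provisioners ? 1 : 0` expressions introduced elsewhere in this diff that is the value that creates the null_resources, so as written the suite converges with both provisioners running and would pass either way; nothing in the fixture lets the verifier tell the two cases apart. Consider giving the suite something checkable — for example a verifier step that runs `terraform state list` against the fixture's state and asserts there are no `null_resource.` entries — so the suite fails when the flag regresses. The example module's outputs are outside this hunk, so I cannot confirm whether anything suitable is already exposed.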
@@ -0,0 +1,48 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_string" "suffix" { + length = 4 + special = false + upper = false +} + +provider "google" { + project = var.project_id +} + +resource "google_compute_network" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + ip_cidr_range = "10.0.0.0/17" + region = var.region + network = google_compute_network.main.self_link + + secondary_ip_range { + range_name = "cft-gke-test-pods-${random_string.suffix.result}" + ip_cidr_range = "192.168.0.0/18" + } + + secondary_ip_range { + range_name = "cft-gke-test-services-${random_string.suffix.result}" + ip_cidr_range = "192.168.64.0/18" + } +} + diff --git a/test/fixtures/simple_regional_skip_local_exec/outputs.tf b/test/fixtures/simple_regional_skip_local_exec/outputs.tf new file mode 120000 index 0000000000..726bdc722f --- /dev/null +++ b/test/fixtures/simple_regional_skip_local_exec/outputs.tf @@ -0,0 +1 @@ +../shared/outputs.tf \ No newline at end of file diff --git a/test/fixtures/simple_regional_skip_local_exec/variables.tf b/test/fixtures/simple_regional_skip_local_exec/variables.tf new file mode 120000 index 0000000000..c113c00a3d --- /dev/null +++ b/test/fixtures/simple_regional_skip_local_exec/variables.tf 
@@ -0,0 +1 @@ +../shared/variables.tf \ No newline at end of file diff --git a/test/integration/simple_regional_skip_local_exec/controls/gcloud.rb b/test/integration/simple_regional_skip_local_exec/controls/gcloud.rb new file mode 100644 index 0000000000..e6bbcfc047 --- /dev/null +++ b/test/integration/simple_regional_skip_local_exec/controls/gcloud.rb 
@@ -0,0 +1,172 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +project_id = attribute('project_id') +location = attribute('location') +cluster_name = attribute('cluster_name') + +control "gcloud" do + title "Google Compute Engine GKE configuration" + describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let!(:data) do + if subject.exit_status == 0 + JSON.parse(subject.stdout) + else + {} + end + end + + describe "cluster" do + it "is running" do + expect(data['status']).to eq 'RUNNING' + end + + it "is regional" do + expect(data['location']).to match(/^.*[1-9]$/) + end + + it "uses public nodes and master endpoint" do + expect(data['privateClusterConfig']).to eq nil + end + + it "has the expected addon settings" do + expect(data['addonsConfig']).to eq({ + "horizontalPodAutoscaling" => {}, + "httpLoadBalancing" => {}, + "kubernetesDashboard" => { + "disabled" => true, + }, + "networkPolicyConfig" => { + "disabled" => true, + }, + }) + end + end + + describe "default node pool" do + let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } + + it "exists" do + expect(data['nodePools']).to include( + including( + "name" => "default-pool", + ) + ) + end + end + + describe "node pool" do + let(:node_pools) { data['nodePools'].reject { |p| p['name'] == 
"default-pool" } } + + it "has autoscaling enabled" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "enabled" => true, + ), + ) + ) + end + + it "has the expected minimum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "minNodeCount" => 1, + ), + ) + ) + end + + it "has the expected maximum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "maxNodeCount" => 100, + ), + ) + ) + end + + it "is the expected machine type" do + expect(node_pools).to include( + including( + "config" => including( + "machineType" => "n1-standard-2", + ), + ) + ) + end + + it "has the expected disk size" do + expect(node_pools).to include( + including( + "config" => including( + "diskSizeGb" => 100, + ), + ) + ) + end + + it "has the expected labels" do + expect(node_pools).to include( + including( + "config" => including( + "labels" => including( + "cluster_name" => cluster_name, + "node_pool" => "default-node-pool", + ), + ), + ) + ) + end + + it "has the expected network tags" do + expect(node_pools).to include( + including( + "config" => including( + "tags" => match_array([ + "gke-#{cluster_name}", + "gke-#{cluster_name}-default-node-pool", + ]), + ), + ) + ) + end + + it "has autorepair enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoRepair" => true, + ), + ) + ) + end + + it "has autoupgrade enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoUpgrade" => true, + ), + ) + ) + end + end + end +end diff --git a/test/integration/simple_regional_skip_local_exec/inspec.yml b/test/integration/simple_regional_skip_local_exec/inspec.yml new file mode 100644 index 0000000000..b4b455a341 --- /dev/null +++ b/test/integration/simple_regional_skip_local_exec/inspec.yml 
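Review bot: This control asserts only cluster, addon and node-pool settings read from `gcloud container clusters describe`, none of which change when the local-exec provisioners are skipped, so the profile cannot fail for the behaviour this suite exists to test. Add at least one assertion that distinguishes it — for example a `describe command("terraform state list")` run in the fixture directory expecting no `null_resource.` entries — or state in a comment at the top of the control that it deliberately proves only that the cluster still converges with provisioners skipped. Note also that `its(:stderr) { should eq '' }` makes any warning gcloud prints on stderr fail the whole control; that is inherited from the control this one was copied from, but it is worth knowing when the suite starts flaking.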
@@ -0,0 +1,17 @@
+name: simple_regional
+attributes:
+ - name: project_id
+ required: true
+ type: string
+ - name: location
+ required: true
+ type: string
+ - name: cluster_name
+ required: true
+ type: string
+ - name: kubernetes_endpoint
+ required: true
+ type: string
+ - name: client_token
+ required: true
+ type: string
diff --git a/variables.tf b/variables.tf
index 460bdeaeff..a12cf97787 100644
--- a/variables.tf
+++ b/variables.tf
@@ -292,3 +292,8 @@ variable "cluster_resource_labels" {
 default = {}
 }
+variable "skip_provisioners" {
+ type = bool
+ description = "Flag to skip local-exec provisioners"
+ default = false
+}
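Review bot: `name: simple_regional` duplicates the sibling profile's name, so InSpec reports for this suite are indistinguishable from the simple_regional suite's; it should be `name: simple_regional_skip_local_exec`. The profile also declares `kubernetes_endpoint` and `client_token` as required attributes although the only control in this profile (controls/gcloud.rb) reads just `project_id`, `location` and `cluster_name`; unless a kubectl-based control is planned, dropping the two unused attributes avoids routing a cluster bearer token through Kitchen attributes for no reason. If they are kept because the shared outputs file always produces them, a one-line comment saying so would save the next reader the question.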