feat: Add protect_config to beta clusters

Signed-off-by: Edvin Norling <edvin.norling@kognic.com>

autogen/main/cluster.tf.tmpl

@@ -315,6 +315,13 @@ resource "google_container_cluster" "primary" {
 
   {% if beta_cluster %}
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   {% endif %}
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

autogen/main/variables.tf.tmpl

@@ -760,5 +760,23 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "protect_config" {
+  description = "(beta) Enable/Disable Protect API features for the cluster."
+  type = object({
+    workload_vulnerability_mode = string,
+    workload_config = object({
+      audit_mode = string
+    })
+    }
+  )
+
+  default = {
+    workload_vulnerability_mode = ""
+    workload_config = {
+      audit_mode = "MODE_UNSPECIFIED"
+    }
+  }
+}
   {% endif %}
 {% endif %}

autogen/main/versions.tf.tmpl

@@ -24,11 +24,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-autopilot-private-cluster/cluster.tf

@@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" {
   }
 
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods
     services_secondary_range_name = var.ip_range_services

modules/beta-autopilot-private-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-autopilot-public-cluster/cluster.tf

@@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" {
   }
 
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods
     services_secondary_range_name = var.ip_range_services

modules/beta-autopilot-public-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster-update-variant/README.md

@@ -247,6 +247,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods
     services_secondary_range_name = var.ip_range_services

modules/beta-private-cluster-update-variant/variables.tf

@@ -719,3 +719,21 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "protect_config" {
+  description = "(beta) Enable/Disable Protect API features for the cluster."
+  type = object({
+    workload_vulnerability_mode = string,
+    workload_config = object({
+      audit_mode = string
+    })
+    }
+  )
+
+  default = {
+    workload_vulnerability_mode = ""
+    workload_config = {
+      audit_mode = "MODE_UNSPECIFIED"
+    }
+  }
+}

modules/beta-private-cluster-update-variant/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster/README.md

@@ -225,6 +225,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |

modules/beta-private-cluster/cluster.tf

@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods
     services_secondary_range_name = var.ip_range_services

modules/beta-private-cluster/variables.tf

@@ -719,3 +719,21 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "protect_config" {
+  description = "(beta) Enable/Disable Protect API features for the cluster."
+  type = object({
+    workload_vulnerability_mode = string,
+    workload_config = object({
+      audit_mode = string
+    })
+    }
+  )
+
+  default = {
+    workload_vulnerability_mode = ""
+    workload_config = {
+      audit_mode = "MODE_UNSPECIFIED"
+    }
+  }
+}

modules/beta-private-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-public-cluster-update-variant/README.md

@@ -236,6 +236,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |

modules/beta-public-cluster-update-variant/cluster.tf

@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods
     services_secondary_range_name = var.ip_range_services

modules/beta-public-cluster-update-variant/variables.tf

@@ -689,3 +689,21 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "protect_config" {
+  description = "(beta) Enable/Disable Protect API features for the cluster."
+  type = object({
+    workload_vulnerability_mode = string,
+    workload_config = object({
+      audit_mode = string
+    })
+    }
+  )
+
+  default = {
+    workload_vulnerability_mode = ""
+    workload_config = {
+      audit_mode = "MODE_UNSPECIFIED"
+    }
+  }
+}

modules/beta-public-cluster-update-variant/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-public-cluster/README.md

@@ -214,6 +214,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |

modules/beta-public-cluster/cluster.tf

@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" {
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"
+
+  protect_config {
+    workload_config {
+      audit_mode = var.protect_config.workload_config.audit_mode
+    }
+    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+  }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods
     services_secondary_range_name = var.ip_range_services

modules/beta-public-cluster/variables.tf

@@ -689,3 +689,21 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "protect_config" {
+  description = "(beta) Enable/Disable Protect API features for the cluster."
+  type = object({
+    workload_vulnerability_mode = string,
+    workload_config = object({
+      audit_mode = string
+    })
+    }
+  )
+
+  default = {
+    workload_vulnerability_mode = ""
+    workload_config = {
+      audit_mode = "MODE_UNSPECIFIED"
+    }
+  }
+}

modules/beta-public-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.51.0, < 5.0"
+      version = ">= 4.63.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"