diff --git a/README.md b/README.md index de217ce126..bb6eb88f0e 100644 --- a/README.md +++ b/README.md @@ -196,6 +196,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | diff --git a/docs/private_clusters.md b/docs/private_clusters.md index 57ae2f4c1c..2f3b57fbbb 100644 --- a/docs/private_clusters.md +++ b/docs/private_clusters.md @@ -28,7 +28,7 @@ module "gke" { add_shadow_firewall_rules = true shadow_firewall_rules_log_config = null # to save some $ on logs } -``` +``` ## Troubleshooting diff --git a/firewall.tf b/firewall.tf index 107fc33d13..a754fda5c6 100644 --- a/firewall.tf +++ b/firewall.tf @@ -111,8 +111,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -134,8 +137,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
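Review bot: The `for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]` line in the shadow_allow_pods hunk is repeated verbatim in every shadow rule of this file and again in each module firewall.tf in this commit, so a later change to the wrapping logic has to be made in five places per file. Terraform's splat on a single value already yields an empty tuple for `null` and a one-element tuple otherwise, so each block can read `for_each = var.shadow_firewall_rules_log_config[*]` with no conditional, or the list can be computed once in a `locals` block and referenced from all five resources. Behaviour is the same either way; this is only about keeping the five rules in step.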
@@ -166,8 +172,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -178,7 +187,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -190,8 +199,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -202,7 +214,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] 
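Review bot: `priority = var.shadow_firewall_rules_priority - 1` in the shadow_allow_inkubelet hunk produces -1 when the variable is set to 0, and the validation added in the variables.tf hunks further down only checks `< 1000`, so that value is rejected by the Compute API at apply time instead of at plan time. Compute firewall priorities are limited to 0–65535, so the allow rule needs the variable to be at least 1; the validation condition should read `condition = var.shadow_firewall_rules_priority >= 1 && var.shadow_firewall_rules_priority < 1000` with the error message naming both bounds. The same `- 1` expression appears in the shadow_allow_inkubelet hunk of every module firewall.tf in this commit (beta-autopilot-private-cluster, beta-autopilot-public-cluster, beta-private-cluster-update-variant, beta-private-cluster, beta-public-cluster-update-variant), and the root variables.tf is not in this chunk, so its validation presumably needs the same tightening. Dropping `min()` is an improvement, since the old clamping let a user-supplied value below 998 give the allow and deny rules the same priority; a short comment stating the intended ordering, `# allow (p-1) must sort before deny (p) and both before the GKE-created rules (999/1000)`, would make that invariant visible to the next maintainer.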
@@ -213,7 +225,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index edc894d1fe..5b0e80e361 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -125,6 +125,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | diff --git a/modules/beta-autopilot-private-cluster/firewall.tf b/modules/beta-autopilot-private-cluster/firewall.tf index 5dbfe431e7..96eecab803 100644 --- a/modules/beta-autopilot-private-cluster/firewall.tf +++ b/modules/beta-autopilot-private-cluster/firewall.tf @@ -138,8 +138,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -161,8 +164,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -193,8 +199,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -205,7 +214,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -217,8 +226,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -229,7 +241,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -240,7 +252,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 88267be7d8..3be57a3faa 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -357,6 +357,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } variable "enable_confidential_nodes" { diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 14c6eb91f3..274dc7faaf 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -114,6 +114,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
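Review bot: The new `shadow_firewall_rules_log_config` variable accepts any string for `metadata`, but the provider's `log_config.metadata` only takes `INCLUDE_ALL_METADATA` or `EXCLUDE_ALL_METADATA`, so a typo is only caught when the API rejects the apply; a validation block with `condition = var.shadow_firewall_rules_log_config == null ? true : contains(["EXCLUDE_ALL_METADATA", "INCLUDE_ALL_METADATA"], var.shadow_firewall_rules_log_config.metadata)` catches it at plan time (the conditional form is used so the null case never dereferences the object). The description should also say what `null` costs: it switches off logging for all five shadow rules, including shadow_deny_exkubelet, which is the rule whose log entries show external attempts to reach the kubelet port that the deny blocks, so the wording could be `Set to null to disable logging on all shadow rules (including the kubelet deny rule); EXCLUDE_ALL_METADATA keeps the log entries but drops the metadata fields to reduce cost.` The same variable definition is added in the other module variables.tf hunks in this commit (beta-autopilot-public-cluster, beta-private-cluster-update-variant, beta-private-cluster, beta-public-cluster-update-variant), so the validation and description apply to each of them.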
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | diff --git a/modules/beta-autopilot-public-cluster/firewall.tf b/modules/beta-autopilot-public-cluster/firewall.tf index e31cf545cb..df15a02367 100644 --- a/modules/beta-autopilot-public-cluster/firewall.tf +++ b/modules/beta-autopilot-public-cluster/firewall.tf @@ -147,8 +147,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -170,8 +173,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -202,8 +208,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -214,7 +223,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -226,8 +235,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -238,7 +250,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -249,7 +261,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e465277f65..e4f4bac2ae 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -327,6 +327,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } variable "enable_confidential_nodes" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 80b7d787a4..7ce4529932 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -254,6 +254,7 @@ Then perform the following commands on the root folder: | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | @@ -342,7 +343,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true | 1 | Optional | | name | The name of the node pool | | Required | | placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | -| pod_range | The ID of the secondary range for pod IPs. | | Optional | +| pod_range | The name of the secondary range for pod IPs. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional | | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional | diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 5dbfe431e7..96eecab803 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf 
@@ -138,8 +138,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -161,8 +164,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -193,8 +199,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -205,7 +214,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -217,8 +226,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -229,7 +241,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -240,7 +252,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index de952e9195..b04eb3e50f 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -460,6 +460,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } variable "enable_confidential_nodes" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 06f0beb5c6..d991c2e0b7 100644 
--- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -232,6 +232,7 @@ Then perform the following commands on the root folder: | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | @@ -320,7 +321,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true | 1 | Optional | | name | The name of the node pool | | Required | | placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | -| pod_range | The ID of the secondary range for pod IPs. | | Optional | +| pod_range | The name of the secondary range for pod IPs. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional | | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional | diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 5dbfe431e7..96eecab803 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf 
@@ -138,8 +138,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -161,8 +164,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -193,8 +199,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -205,7 +214,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -217,8 +226,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -229,7 +241,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -240,7 +252,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index de952e9195..b04eb3e50f 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -460,6 +460,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } variable "enable_confidential_nodes" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index edd667ad70..c11b812c0f 100644 --- a/modules/beta-public-cluster-update-variant/README.md 
+++ b/modules/beta-public-cluster-update-variant/README.md @@ -243,6 +243,7 @@ Then perform the following commands on the root folder: | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | @@ -329,7 +330,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true | 1 | Optional | | name | The name of the node pool | | Required | | placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | -| pod_range | The ID of the secondary range for pod IPs. | | Optional | +| pod_range | The name of the secondary range for pod IPs. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional | | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional | diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf index e31cf545cb..df15a02367 100644 --- a/modules/beta-public-cluster-update-variant/firewall.tf +++ b/modules/beta-public-cluster-update-variant/firewall.tf 
@@ -147,8 +147,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -170,8 +173,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -202,8 +208,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -214,7 +223,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -226,8 +235,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
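Review bot: `priority = var.shadow_firewall_rules_priority - 1` in shadow_allow_inkubelet evaluates to -1 when the variable is set to 0, which is below the 0–65535 range Compute Engine accepts for a firewall priority, and the validation this commit adds in variables.tf only bounds the value from above; the condition there should read `condition = var.shadow_firewall_rules_priority >= 1 && var.shadow_firewall_rules_priority < 1000` so the plan fails instead of the apply. The arithmetic itself is an improvement over the old `min(998, …)` / `min(999, …)` pair, which gave the allow and deny kubelet rules the same priority whenever the variable was below 998, and on an equal priority Compute Engine lets the deny rule win; that reasoning is not recorded anywhere, so a comment on the line such as `# must sort strictly ahead of shadow_deny_exkubelet; on a priority tie the deny rule wins` would help the next maintainer. The same hunk is repeated in modules/beta-public-cluster/firewall.tf, modules/private-cluster-update-variant/firewall.tf and modules/private-cluster/firewall.tf.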
@@ -238,7 +250,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -249,7 +261,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 65ced56983..b9c83f530e 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -430,6 +430,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } variable "enable_confidential_nodes" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 66fd8e6fc4..d964ae7c99 100644 
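Review bot: The new `shadow_firewall_rules_log_config` variable accepts any string for `metadata`, so a typo is only rejected by the API at apply time, after the plan has already been approved; a validation block on the variable would catch it at plan time, since the provider only accepts `EXCLUDE_ALL_METADATA` or `INCLUDE_ALL_METADATA` here. The `try()` below keeps the attribute access safe when the variable is `null`, which matters because Terraform's `||` does not short-circuit. The description could also state what `null` actually switches off, e.g. `Set to \`null\` to disable logging on all shadow rules, including shadow_deny_exkubelet.`, because the deny rule's log entries are the ones a defender is most likely to rely on. The identical hunk appears in modules/beta-public-cluster/variables.tf, modules/private-cluster-update-variant/variables.tf, modules/private-cluster/variables.tf and the root variables.tf.
```terraform
variable "shadow_firewall_rules_log_config" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.shadow_firewall_rules_log_config == null || contains(["EXCLUDE_ALL_METADATA", "INCLUDE_ALL_METADATA"], try(var.shadow_firewall_rules_log_config.metadata, ""))
    error_message = "The shadow firewall rule log_config metadata must be EXCLUDE_ALL_METADATA or INCLUDE_ALL_METADATA."
  }
}
```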
--- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -221,6 +221,7 @@ Then perform the following commands on the root folder: | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | @@ -307,7 +308,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true | 1 | Optional | | name | The name of the node pool | | Required | | placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | -| pod_range | The ID of the secondary range for pod IPs. | | Optional | +| pod_range | The name of the secondary range for pod IPs. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional | | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional | diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf index e31cf545cb..df15a02367 100644 --- a/modules/beta-public-cluster/firewall.tf +++ b/modules/beta-public-cluster/firewall.tf 
@@ -147,8 +147,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -170,8 +173,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -202,8 +208,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -214,7 +223,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -226,8 +235,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -238,7 +250,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -249,7 +261,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 65ced56983..b9c83f530e 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -430,6 +430,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } variable "enable_confidential_nodes" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 9e282c0021..7a49c5c019 100644 --- a/modules/private-cluster-update-variant/README.md 
+++ b/modules/private-cluster-update-variant/README.md @@ -229,6 +229,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf index d7a4ba75e7..d9507532c3 100644 --- a/modules/private-cluster-update-variant/firewall.tf +++ b/modules/private-cluster-update-variant/firewall.tf @@ -105,8 +105,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -128,8 +131,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -160,8 +166,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -172,7 +181,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -184,8 +193,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -196,7 +208,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -207,7 +219,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c3d3bb511d..97ed41e92c 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -441,6 +441,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index a336389570..c30c1bc9c3 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -207,6 +207,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf index d7a4ba75e7..d9507532c3 100644 --- a/modules/private-cluster/firewall.tf +++ b/modules/private-cluster/firewall.tf @@ -105,8 +105,11 @@ resource "google_compute_firewall" "shadow_allow_pods" { allow { protocol = "esp" } allow { protocol = "ah" } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -128,8 +131,11 @@ resource "google_compute_firewall" "shadow_allow_master" { ports = ["10250", "443"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -160,8 +166,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" { ports = ["1-65535"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } 
@@ -172,7 +181,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network - priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999 + priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999 direction = "INGRESS" source_ranges = local.pod_all_ip_ranges @@ -184,8 +193,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } @@ -196,7 +208,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network - priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000 + priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000 direction = "INGRESS" source_ranges = ["0.0.0.0/0"] @@ -207,7 +219,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" { ports = ["10255"] } - log_config { - metadata = "INCLUDE_ALL_METADATA" + dynamic "log_config" { + for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config] + content { + metadata = log_config.value.metadata + } } } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c3d3bb511d..97ed41e92c 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -441,6 +441,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } } diff --git a/variables.tf b/variables.tf index a691783262..5f68841cf5 100644 --- a/variables.tf +++ b/variables.tf @@ -411,6 +411,20 @@ variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 + validation { + condition = var.shadow_firewall_rules_priority < 1000 + error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." + } +} + +variable "shadow_firewall_rules_log_config" { + type = object({ + metadata = string + }) + description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." + default = { + metadata = "INCLUDE_ALL_METADATA" + } }