update typos in the variable description

README.md

@@ -113,8 +113,8 @@ Then perform the following commands on the root folder:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no |
-| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no |
+| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled       = bool<br>    min_cpu_cores = number<br>    max_cpu_cores = number<br>    min_memory_gb = number<br>    max_memory_gb = number<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
@@ -132,7 +132,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
-| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no |
+| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -171,7 +171,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
-| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no |
+| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |

autogen/main/firewall.tf.tmpl

@@ -96,7 +96,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority
@@ -122,7 +122,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority
@@ -145,7 +145,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority

autogen/main/variables.tf.tmpl

@@ -539,13 +539,13 @@ variable "enable_binary_authorization" {
 
 variable "add_cluster_firewall_rules" {
   type        = bool
-  description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled."
+  description = "Create additional firewall rules"
   default     = false
 }
 
 variable "firewall_priority" {
   type        = number
-  description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall."
+  description = "Priority rule for firewall rules"
   default     = 1000
 }
 
@@ -563,13 +563,13 @@ variable "gcloud_upgrade" {
 
 variable "add_shadow_firewall_rules" {
   type = bool
-  description = "Create shadow firewall rules to match the GKE managed ingress firewall rules."
+  description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
   default = false
 }
 
 variable "shadow_firewall_rules_priority" {
   type = number
-  description = "Priority for the shadow ingress firewall rules."
+  description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
   default = 999
 }
 

firewall.tf

@@ -92,7 +92,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority
@@ -118,7 +118,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority

modules/beta-private-cluster-update-variant/README.md

@@ -144,8 +144,8 @@ Then perform the following commands on the root folder:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no |
-| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no |
+| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
@@ -176,7 +176,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
-| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no |
+| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
@@ -225,7 +225,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
-| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no |
+| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |

modules/beta-private-cluster-update-variant/firewall.tf

@@ -86,7 +86,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority
@@ -112,7 +112,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority
@@ -135,7 +135,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
   count = var.add_shadow_firewall_rules ? 1 : 0
 
   name        = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
-  description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
   project     = local.network_project_id
   network     = var.network
   priority    = var.shadow_firewall_rules_priority

modules/beta-private-cluster-update-variant/variables.tf

@@ -523,13 +523,13 @@ variable "enable_binary_authorization" {
 
 variable "add_cluster_firewall_rules" {
   type        = bool
-  description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled."
+  description = "Create additional firewall rules"
   default     = false
 }
 
 variable "firewall_priority" {
   type        = number
-  description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall."
+  description = "Priority rule for firewall rules"
   default     = 1000
 }
 
@@ -547,13 +547,13 @@ variable "gcloud_upgrade" {
 
 variable "add_shadow_firewall_rules" {
   type        = bool
-  description = "Create shadow firewall rules to match the GKE managed ingress firewall rules."
+  description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
   default     = false
 }
 
 variable "shadow_firewall_rules_priority" {
   type        = number
-  description = "Priority for the shadow ingress firewall rules."
+  description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
   default     = 999
 }
 

modules/beta-private-cluster/README.md

@@ -122,8 +122,8 @@ Then perform the following commands on the root folder:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no |
-| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no |
+| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
@@ -154,7 +154,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
-| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no |
+| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
-| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no |
+| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |