From 7531f90c943e01238180f0afdc3f0d43b0f04c59 Mon Sep 17 00:00:00 2001
From: Jason Berlinsky <jason@barefootcoders.com>
Date: Sun, 16 May 2021 23:50:29 -0400
Subject: [PATCH] feat!: Add support for `enable_l4_ilb_subsetting` flag (#896)

* Add support for enable_l4_ilb_subsetting flag

* Fix typo

* Bump minimum google-beta provider version

* Bump google-provider-beta version in test definitions

* Update autogen/main/variables.tf.tmpl

Remove unnecessary mention of `enabled` RE: `enable_l4_ilb_subsetting` variable

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* Remove unnecessary `enabled` identifier in description

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
---
 autogen/main/cluster.tf.tmpl                                | 2 ++
 autogen/main/variables.tf.tmpl                              | 6 ++++++
 autogen/main/versions.tf.tmpl                               | 2 +-
 examples/node_pool/main.tf                                  | 2 +-
 examples/node_pool_update_variant_beta/main.tf              | 2 +-
 examples/node_pool_update_variant_public_beta/main.tf       | 2 +-
 .../regional_private_node_pool_oauth_scopes/provider.tf     | 2 +-
 examples/safer_cluster/main.tf                              | 2 +-
 examples/safer_cluster_iap_bastion/provider.tf              | 2 +-
 examples/simple_regional_beta/main.tf                       | 2 +-
 examples/simple_regional_private_beta/main.tf               | 2 +-
 examples/simple_zonal_with_asm/main.tf                      | 2 +-
 examples/workload_metadata_config/main.tf                   | 2 +-
 modules/beta-private-cluster-update-variant/README.md       | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf      | 2 ++
 modules/beta-private-cluster-update-variant/variables.tf    | 6 ++++++
 modules/beta-private-cluster-update-variant/versions.tf     | 2 +-
 modules/beta-private-cluster/README.md                      | 1 +
 modules/beta-private-cluster/cluster.tf                     | 2 ++
 modules/beta-private-cluster/variables.tf                   | 6 ++++++
 modules/beta-private-cluster/versions.tf                    | 2 +-
 modules/beta-public-cluster-update-variant/README.md        | 1 +
 modules/beta-public-cluster-update-variant/cluster.tf       | 2 ++
 modules/beta-public-cluster-update-variant/variables.tf     | 6 ++++++
 modules/beta-public-cluster-update-variant/versions.tf      | 2 +-
 modules/beta-public-cluster/README.md                       | 1 +
 modules/beta-public-cluster/cluster.tf                      | 2 ++
 modules/beta-public-cluster/variables.tf                    | 6 ++++++
 modules/beta-public-cluster/versions.tf                     | 2 +-
 test/bundle.hcl                                             | 2 +-
 30 files changed, 60 insertions(+), 16 deletions(-)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 65a3c2565..1a1b7cdd6 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 {% endif %}
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index aef40e21c..44f87000f 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -505,6 +505,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index d500e8f27..4c8df98da 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,7 +24,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index a0153ebfb..d06a1ead2 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 
diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf
index a8ec291d9..3cf740b5a 100644
--- a/examples/node_pool_update_variant_beta/main.tf
+++ b/examples/node_pool_update_variant_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.49.0"
+  version     = "~> 3.63.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf
index f7305da11..80441be42 100644
--- a/examples/node_pool_update_variant_public_beta/main.tf
+++ b/examples/node_pool_update_variant_public_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.49.0"
+  version     = "~> 3.63.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
diff --git a/examples/regional_private_node_pool_oauth_scopes/provider.tf b/examples/regional_private_node_pool_oauth_scopes/provider.tf
index 8703edccf..4bf24c74b 100644
--- a/examples/regional_private_node_pool_oauth_scopes/provider.tf
+++ b/examples/regional_private_node_pool_oauth_scopes/provider.tf
@@ -19,7 +19,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
 }
 
 data "google_client_config" "default" {}
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index 7fd06bafd..8d9fd46cd 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -35,7 +35,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
 }
 
 data "google_client_config" "default" {}
diff --git a/examples/safer_cluster_iap_bastion/provider.tf b/examples/safer_cluster_iap_bastion/provider.tf
index 04c7d6d66..823e3a20b 100644
--- a/examples/safer_cluster_iap_bastion/provider.tf
+++ b/examples/safer_cluster_iap_bastion/provider.tf
@@ -19,7 +19,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
 }
 
 data "google_client_config" "default" {}
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index e79e7275e..e19598657 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 
diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf
index 642084af8..7fabdf906 100644
--- a/examples/simple_regional_private_beta/main.tf
+++ b/examples/simple_regional_private_beta/main.tf
@@ -24,7 +24,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 
diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf
index b4f3cf5d0..304301a1c 100644
--- a/examples/simple_zonal_with_asm/main.tf
+++ b/examples/simple_zonal_with_asm/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index 27e05448c..c9d790939 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index b779cf71d..322dd61a0 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 9ca9ab289..7b2b5f5f5 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 384860a35..0cf9849bc 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -486,6 +486,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index f88836f7b..c9b3ab1cc 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index fc2a207a3..4491df49c 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index d7d1087ee..119b2bc8e 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 384860a35..0cf9849bc 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -486,6 +486,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 857ff576e..e367f4e21 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 8de63af33..339d449bc 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index d7b527942..137426e2e 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index e449ed8e6..27c22519c 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -455,6 +455,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 20cfc17e4..afd9b6d19 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 73d416f82..ab8fbe2d6 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -151,6 +151,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index b5cc56768..783c5ed01 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index e449ed8e6..27c22519c 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -455,6 +455,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 011b2cd17..78c3a767f 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/test/bundle.hcl b/test/bundle.hcl
index dd8b451cf..68d32feaf 100644
--- a/test/bundle.hcl
+++ b/test/bundle.hcl
@@ -8,7 +8,7 @@ providers {
     source  = "hashicorp/google"
   }
   google-beta = {
-    version = "~> 3.49.0"
+    version = "~> 3.63.0"
     source  = "hashicorp/google-beta"
   }
   external = {