From 791421bcb73fdcdb89ef9315027cbbba063c2972 Mon Sep 17 00:00:00 2001 From: IIBenII Date: Tue, 3 Jan 2023 15:45:02 +0100 Subject: [PATCH] Take feedback and improve montiroing handling for autopilot clusters --- README.md | 1 - autogen/main/cluster.tf.tmpl | 10 +++++++- autogen/main/main.tf.tmpl | 7 ++++-- autogen/main/variables.tf.tmpl | 4 +++ cluster.tf | 4 +-- main.tf | 4 +-- .../beta-autopilot-private-cluster/README.md | 3 --- .../beta-autopilot-private-cluster/cluster.tf | 25 ------------------- .../beta-autopilot-private-cluster/main.tf | 4 +-- .../variables.tf | 17 ------------- .../beta-autopilot-public-cluster/README.md | 3 --- .../beta-autopilot-public-cluster/cluster.tf | 25 ------------------- modules/beta-autopilot-public-cluster/main.tf | 4 +-- .../variables.tf | 17 ------------- .../main.tf | 5 ++-- modules/beta-private-cluster/main.tf | 5 ++-- .../main.tf | 5 ++-- modules/beta-public-cluster/main.tf | 5 ++-- .../private-cluster-update-variant/README.md | 1 - .../private-cluster-update-variant/cluster.tf | 4 +-- .../private-cluster-update-variant/main.tf | 4 +-- .../variables.tf | 5 ---- modules/private-cluster/README.md | 1 - modules/private-cluster/cluster.tf | 4 +-- modules/private-cluster/main.tf | 4 +-- modules/private-cluster/variables.tf | 5 ---- variables.tf | 5 ---- 27 files changed, 46 insertions(+), 135 deletions(-) diff --git a/README.md b/README.md index 1dcdaeabef..b3974bbdda 100644 --- a/README.md +++ b/README.md 
@@ -137,7 +137,6 @@ Then perform the following commands on the root folder: | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index dd70949224..be6acef286 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -84,8 +84,13 @@ resource "google_container_cluster" "primary" { } } {% endif %} + {% if autopilot_cluster != true %} # only one of logging/monitoring_service or logging/monitoring_config can be specified + {% if beta_cluster %} logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service + {% else %} + logging_service = local.logmon_config_is_set ? null : var.logging_service + {% endif %} dynamic "logging_config" { for_each = length(var.logging_enabled_components) > 0 ? [1] : [] @@ -93,7 +98,11 @@ resource "google_container_cluster" "primary" { enable_components = var.logging_enabled_components } } + {% if beta_cluster %} monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service + {% else %} + monitoring_service = local.logmon_config_is_set ? null : var.monitoring_service + {% endif %} dynamic "monitoring_config" { for_each = length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus ? [1] : [] @@ -109,7 +118,6 @@ resource "google_container_cluster" "primary" { } } } - {% if autopilot_cluster != true %} cluster_autoscaling { enabled = var.cluster_autoscaling.enabled dynamic "auto_provisioning_defaults" { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index f0011619c0..a26f9a8ed8 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
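Review bot: Wrapping the `logging_service`/`monitoring_service` attributes and their `logging_config`/`monitoring_config` blocks in `{% if autopilot_cluster != true %}` drops them from the Autopilot renders (the blocks removed in modules/beta-autopilot-*/cluster.tf), yet the variables.tf.tmpl hunks leave `logging_service` and `monitoring_service` declared, so the Autopilot modules still advertise those inputs (their README rows are untouched) and silently ignore whatever a caller sets. Either guard the two variable declarations with the same `{% if autopilot_cluster != true %}` or keep the two plain attributes for Autopilot, whichever the provider accepts for Autopilot clusters. The same applies to `cluster_telemetry_type`: its variable and the `cluster_telemetry_type_is_set` local survive in the beta Autopilot modules while the only references visible in this diff are the ones being removed, so unless a `cluster_telemetry` block outside the diff still reads them they are dead inputs. The `{% endif %}` that now closes the widened region is outside this hunk.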
@@ -117,7 +117,10 @@ locals { cluster_cloudrun_enabled = var.cloudrun gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] {% endif %} - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + + {% if autopilot_cluster != true %} + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + {% endif %} cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group @@ -223,10 +226,10 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features {% endif %} - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 6391940752..b79cf76677 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -326,11 +326,13 @@ variable "configure_ip_masq" { default = false } +{% if beta_cluster %} variable "cluster_telemetry_type" { type = string description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY" default = null } +{% endif %} variable "logging_service" { type = string 
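Review bot: The empty `+` line added in front of `{% if autopilot_cluster != true %}` renders as a stray blank line inside `locals` in every generated main.tf (root main.tf and modules/beta-*/main.tf gain a blank line before `logmon_config_is_set`; modules/beta-autopilot-*/main.tf are left with a lone blank where the local was). Dropping that line keeps the generated files diff-clean. The `locals` block extends beyond this hunk.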
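Review bot: Moving `cluster_telemetry_type_is_set` inside the `{% if beta_cluster %}` block matches the variable becoming beta-only in variables.tf.tmpl, but any `local.cluster_telemetry_type_is_set` reference left outside a `{% if beta_cluster %}` guard elsewhere in the templates (a `cluster_telemetry` block, if one exists, is not in this diff) would now fail to plan in the GA modules. The only references visible here are the ones cluster.tf.tmpl guards or removes, so a grep of the remaining templates is the missing check. The `locals` block starts and ends outside this hunk.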
@@ -644,6 +646,7 @@ variable "timeouts" { } } +{% if autopilot_cluster != true %} variable "monitoring_enable_managed_prometheus" { type = bool description = "Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled." @@ -661,6 +664,7 @@ variable "logging_enabled_components" { description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } +{% endif %} {% if beta_cluster %} {% if autopilot_cluster != true %} diff --git a/cluster.tf b/cluster.tf index 86ad59eac5..337942e4cc 100644 --- a/cluster.tf +++ b/cluster.tf @@ -63,7 +63,7 @@ resource "google_container_cluster" "primary" { min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null # only one of logging/monitoring_service or logging/monitoring_config can be specified - logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service + logging_service = local.logmon_config_is_set ? null : var.logging_service dynamic "logging_config" { for_each = length(var.logging_enabled_components) > 0 ? [1] : [] @@ -71,7 +71,7 @@ resource "google_container_cluster" "primary" { enable_components = var.logging_enabled_components } } - monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service + monitoring_service = local.logmon_config_is_set ? null : var.monitoring_service dynamic "monitoring_config" { for_each = length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus ? [1] : [] diff --git a/main.tf b/main.tf index 13f6eb190f..23db4f65db 100644 --- a/main.tf +++ b/main.tf 
@@ -83,7 +83,8 @@ locals { provider = null }] cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group @@ -156,7 +157,6 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 929be11db2..2b316c9c3b 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -102,7 +102,6 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | 
@@ -111,8 +110,6 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | -| monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index d899be209d..f289198e7e 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -60,31 +60,6 @@ resource "google_container_cluster" "primary" { min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null - # only one of logging/monitoring_service or logging/monitoring_config can be specified - logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service - dynamic "logging_config" { - for_each = length(var.logging_enabled_components) > 0 ? [1] : [] - - content { - enable_components = var.logging_enabled_components - } - } - monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service - dynamic "monitoring_config" { - for_each = length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus ? [1] : [] - - content { - enable_components = length(var.monitoring_enabled_components) > 0 ? var.monitoring_enabled_components : [] - - dynamic "managed_prometheus" { - for_each = var.monitoring_enable_managed_prometheus ? [1] : [] - - content { - enabled = var.monitoring_enable_managed_prometheus - } - } - } - } cluster_autoscaling { dynamic "auto_provisioning_defaults" { for_each = var.create_service_account ? [1] : [] diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index f68e1e64dd..14bf4bfe1f 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -62,7 +62,7 @@ locals { cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : [] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group @@ -130,9 +130,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 4fc08f6cd2..3a7bd809c8 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -417,21 +417,4 @@ variable "timeouts" { } } -variable "monitoring_enable_managed_prometheus" { - type = bool - description = "Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled." - default = false -} - -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 979bcb2030..e15e638acd 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -93,15 +93,12 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
| `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 3d851f71a3..949a3fa6e1 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -60,31 +60,6 @@ resource "google_container_cluster" "primary" { min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null - # only one of logging/monitoring_service or logging/monitoring_config can be specified - logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service - dynamic "logging_config" { - for_each = length(var.logging_enabled_components) > 0 ? [1] : [] - - content { - enable_components = var.logging_enabled_components - } - } - monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service - dynamic "monitoring_config" { - for_each = length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus ? [1] : [] - - content { - enable_components = length(var.monitoring_enabled_components) > 0 ? var.monitoring_enabled_components : [] - - dynamic "managed_prometheus" { - for_each = var.monitoring_enable_managed_prometheus ? [1] : [] - - content { - enabled = var.monitoring_enable_managed_prometheus - } - } - } - } cluster_autoscaling { dynamic "auto_provisioning_defaults" { for_each = var.create_service_account ? [1] : [] diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index a7904bd5fe..d1dafe5dd3 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -62,7 +62,7 @@ locals { cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} pod_all_ip_ranges = var.add_cluster_firewall_rules ? [local.cluster_alias_ranges_cidr[var.ip_range_pods]] : [] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group @@ -129,9 +129,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 00c6e6ff3e..01ba20e11c 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -387,21 +387,4 @@ variable "timeouts" { } } -variable "monitoring_enable_managed_prometheus" { - type = bool - description = "Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled." - default = false -} - -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index e7abcca34a..5d4a27b1ca 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -97,7 +97,8 @@ locals { ] : [] cluster_cloudrun_enabled = var.cloudrun gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group 
@@ -184,9 +185,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index e7abcca34a..5d4a27b1ca 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -97,7 +97,8 @@ locals { ] : [] cluster_cloudrun_enabled = var.cloudrun gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group 
@@ -184,9 +185,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 05bc6a0e24..86bf9aa2d4 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -97,7 +97,8 @@ locals { ] : [] cluster_cloudrun_enabled = var.cloudrun gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group 
@@ -183,9 +184,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 05bc6a0e24..86bf9aa2d4 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -97,7 +97,8 @@ locals { ] : [] cluster_cloudrun_enabled = var.cloudrun gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] - logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus + + logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group 
@@ -183,9 +184,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_telemetry_type_is_set = var.cluster_telemetry_type != null # /BETA features - cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 669605bc10..10efbcf0bc 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -165,7 +165,6 @@ Then perform the following commands on the root folder: | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index c843c93f60..4ae6de7edf 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -63,7 +63,7 @@ resource "google_container_cluster" "primary" { min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null # only one of logging/monitoring_service or logging/monitoring_config can be specified - logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service + logging_service = local.logmon_config_is_set ? null : var.logging_service dynamic "logging_config" { for_each = length(var.logging_enabled_components) > 0 ? [1] : [] @@ -71,7 +71,7 @@ resource "google_container_cluster" "primary" { enable_components = var.logging_enabled_components } } - monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service + monitoring_service = local.logmon_config_is_set ? null : var.monitoring_service dynamic "monitoring_config" { for_each = length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus ? [1] : [] diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 0724c71e08..171e848b19 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -83,7 +83,8 @@ locals {
 provider = null
 }]
 cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
- logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
+
+ logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
 security_group = var.authenticator_security_group
@@ -157,7 +158,6 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }]
 
- cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 
 cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
 cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 8a4d1f6e2b..cd6614ab6a 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -303,11 +303,6 @@ variable "configure_ip_masq" {
 default = false
 }
 
-variable "cluster_telemetry_type" {
- type = string
- description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY"
- default = null
-}
 
 variable "logging_service" {
 type = string
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index f37929356c..c9a40e159e 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -143,7 +143,6 @@ Then perform the following commands on the root folder:
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
-| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index d61cce1971..6e48b615e7 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -63,7 +63,7 @@ resource "google_container_cluster" "primary" {
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
 # only one of logging/monitoring_service or logging/monitoring_config can be specified
- logging_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.logging_service
+ logging_service = local.logmon_config_is_set ? null : var.logging_service
 
 dynamic "logging_config" {
 for_each = length(var.logging_enabled_components) > 0 ? [1] : []
@@ -71,7 +71,7 @@ resource "google_container_cluster" "primary" {
 enable_components = var.logging_enabled_components
 }
 }
- monitoring_service = local.cluster_telemetry_type_is_set || local.logmon_config_is_set ? null : var.monitoring_service
+ monitoring_service = local.logmon_config_is_set ? null : var.monitoring_service
 
 dynamic "monitoring_config" {
 for_each = length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus ? [1] : []
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 0724c71e08..171e848b19 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -83,7 +83,8 @@ locals {
 provider = null
 }]
 cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
- logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
+
+ logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
 security_group = var.authenticator_security_group
@@ -157,7 +158,6 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }]
 
- cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 
 cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
 cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 8a4d1f6e2b..cd6614ab6a 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -303,11 +303,6 @@ variable "configure_ip_masq" {
 default = false
 }
 
-variable "cluster_telemetry_type" {
- type = string
- description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY"
- default = null
-}
 
 variable "logging_service" {
 type = string
diff --git a/variables.tf b/variables.tf
index 92717ea8c7..0714e528a9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -303,11 +303,6 @@ variable "configure_ip_masq" {
 default = false
 }
 
-variable "cluster_telemetry_type" {
- type = string
- description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY"
- default = null
-}
 
 variable "logging_service" {
 type = string