feat: Update modules to use new kubectl module (#602)

BREAKING CHANGE: In-cluster resources have been updated to use the [kubectl wrapper](https://github.com/terraform-google-modules/terraform-google-gcloud/tree/master/modules/kubectl-wrapper) module. See the upgrade guide for details.

autogen/main/dns.tf.tmpl

@@ -20,16 +20,18 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.3.0"
-  enabled               = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  additional_components = ["kubectl"]
-
-  upgrade       = var.gcloud_upgrade
-  skip_download = var.gcloud_skip_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version          = "~> 1.4"
+  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name     = google_container_cluster.primary.name
+  cluster_location = google_container_cluster.primary.location
+  project_id       = var.project_id
+  upgrade          = var.gcloud_upgrade
+  skip_download    = var.gcloud_skip_download
+
+
+  kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  kubectl_destroy_command = ""
 
   module_depends_on = concat(
     [data.google_client_config.default.access_token],

dns.tf

@@ -20,16 +20,18 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.3.0"
-  enabled               = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  additional_components = ["kubectl"]
-
-  upgrade       = var.gcloud_upgrade
-  skip_download = var.gcloud_skip_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version          = "~> 1.4"
+  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name     = google_container_cluster.primary.name
+  cluster_location = google_container_cluster.primary.location
+  project_id       = var.project_id
+  upgrade          = var.gcloud_upgrade
+  skip_download    = var.gcloud_skip_download
+
+
+  kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  kubectl_destroy_command = ""
 
   module_depends_on = concat(
     [data.google_client_config.default.access_token],

examples/simple_zonal_with_asm/main.tf

@@ -54,12 +54,11 @@ module "gke" {
 }
 
 module "asm" {
-  source                            = "../../modules/asm"
-  cluster_name                      = module.gke.name
-  cluster_endpoint                  = module.gke.endpoint
-  project_id                        = var.project_id
-  location                          = module.gke.location
-  use_tf_google_credentials_env_var = true
+  source           = "../../modules/asm"
+  cluster_name     = module.gke.name
+  cluster_endpoint = module.gke.endpoint
+  project_id       = var.project_id
+  location         = module.gke.location
 }
 
 data "google_client_config" "default" {

modules/acm/README.md

@@ -54,7 +54,7 @@ By default, this module will attempt to download the ACM operator from Google di
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | `"ssh"` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no |
 | sync\_repo | ACM Git repo address | string | n/a | yes |

modules/acm/variables.tf

@@ -90,5 +90,5 @@ variable "install_template_library" {
 variable "skip_gcloud_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)"
   type        = bool
-  default     = false
+  default     = true
 }

modules/asm/README.md

@@ -46,9 +46,9 @@ To deploy this config:
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | string | `"296.0.1"` | no |
 | gke\_hub\_membership\_name | Memebership name that uniquely represents the cluster being registered on the Hub | string | `"gke-asm-membership"` | no |
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no |
+| internal\_ip | Use internal ip for the cluster endpoint. | bool | `"false"` | no |
 | location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
 | project\_id | The project in which the resource belongs. | string | n/a | yes |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
-| use\_tf\_google\_credentials\_env\_var | Optional GOOGLE_CREDENTIALS environment variable to be activated. | bool | `"false"` | no |
 
  <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/asm/main.tf

@@ -18,31 +18,22 @@ locals {
   gke_hub_sa_key = var.enable_gke_hub_registration ? google_service_account_key.gke_hub_key[0].private_key : ""
 }
 
-data "google_container_cluster" "primary" {
-  name     = var.cluster_name
-  project  = var.project_id
-  location = var.location
-}
-
-data "google_client_config" "default" {
-}
-
 module "asm_install" {
-  source            = "terraform-google-modules/gcloud/google"
-  version           = "~> 1.0"
+  source            = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version           = "~> 1.4"
   module_depends_on = [var.cluster_endpoint]
 
-  platform                          = "linux"
-  gcloud_sdk_version                = var.gcloud_sdk_version
-  skip_download                     = var.skip_gcloud_download
-  upgrade                           = true
-  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
-  additional_components             = ["kubectl", "kpt"]
+  gcloud_sdk_version    = var.gcloud_sdk_version
+  skip_download         = var.skip_gcloud_download
+  upgrade               = true
+  additional_components = ["kubectl", "kpt", "beta", "kustomize"]
+  cluster_name          = var.cluster_name
+  cluster_location      = var.location
+  project_id            = var.project_id
+
 
-  create_cmd_entrypoint  = "${path.module}/scripts/install_asm.sh"
-  create_cmd_body        = "${var.project_id} ${var.cluster_name} ${var.location}"
-  destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "https://${var.cluster_endpoint} ${data.google_client_config.default.access_token} ${data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate} kubectl delete ns istio-system"
+  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location}"
+  kubectl_destroy_command = "kubectl delete ns istio-system"
 }
 
 resource "google_service_account" "gke_hub_sa" {
@@ -66,15 +57,14 @@ resource "google_service_account_key" "gke_hub_key" {
 
 module "gke_hub_registration" {
   source  = "terraform-google-modules/gcloud/google"
-  version = "~> 1.0"
+  version = "~> 1.2"
 
-  platform                          = "linux"
-  gcloud_sdk_version                = var.gcloud_sdk_version
-  skip_download                     = var.skip_gcloud_download
-  upgrade                           = true
-  enabled                           = var.enable_gke_hub_registration
-  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
-  module_depends_on                 = [module.asm_install.wait]
+  platform           = "linux"
+  gcloud_sdk_version = var.gcloud_sdk_version
+  skip_download      = var.skip_gcloud_download
+  upgrade            = true
+  enabled            = var.enable_gke_hub_registration
+  module_depends_on  = [module.asm_install.wait]
 
   create_cmd_entrypoint  = "${path.module}/scripts/gke_hub_registration.sh"
   create_cmd_body        = "${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${local.gke_hub_sa_key}"

modules/asm/variables.tf

@@ -40,12 +40,6 @@ variable "skip_gcloud_download" {
   default     = true
 }
 
-variable "use_tf_google_credentials_env_var" {
-  description = "Optional GOOGLE_CREDENTIALS environment variable to be activated."
-  type        = bool
-  default     = false
-}
-
 variable "gcloud_sdk_version" {
   description = "The gcloud sdk version to use. Minimum required version is 293.0.0"
   type        = string
@@ -69,3 +63,9 @@ variable "gke_hub_membership_name" {
   type        = string
   default     = "gke-asm-membership"
 }
+
+variable "internal_ip" {
+  description = "Use internal ip for the cluster endpoint."
+  type        = bool
+  default     = false
+}

modules/beta-private-cluster-update-variant/dns.tf

@@ -20,16 +20,18 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.3.0"
-  enabled               = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  additional_components = ["kubectl"]
-
-  upgrade       = var.gcloud_upgrade
-  skip_download = var.gcloud_skip_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version          = "~> 1.4"
+  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name     = google_container_cluster.primary.name
+  cluster_location = google_container_cluster.primary.location
+  project_id       = var.project_id
+  upgrade          = var.gcloud_upgrade
+  skip_download    = var.gcloud_skip_download
+
+
+  kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  kubectl_destroy_command = ""
 
   module_depends_on = concat(
     [data.google_client_config.default.access_token],

modules/beta-private-cluster/dns.tf

@@ -20,16 +20,18 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.3.0"
-  enabled               = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  additional_components = ["kubectl"]
-
-  upgrade       = var.gcloud_upgrade
-  skip_download = var.gcloud_skip_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version          = "~> 1.4"
+  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name     = google_container_cluster.primary.name
+  cluster_location = google_container_cluster.primary.location
+  project_id       = var.project_id
+  upgrade          = var.gcloud_upgrade
+  skip_download    = var.gcloud_skip_download
+
+
+  kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  kubectl_destroy_command = ""
 
   module_depends_on = concat(
     [data.google_client_config.default.access_token],

modules/beta-public-cluster-update-variant/dns.tf

@@ -20,16 +20,18 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.3.0"
-  enabled               = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  additional_components = ["kubectl"]
-
-  upgrade       = var.gcloud_upgrade
-  skip_download = var.gcloud_skip_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version          = "~> 1.4"
+  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name     = google_container_cluster.primary.name
+  cluster_location = google_container_cluster.primary.location
+  project_id       = var.project_id
+  upgrade          = var.gcloud_upgrade
+  skip_download    = var.gcloud_skip_download
+
+
+  kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  kubectl_destroy_command = ""
 
   module_depends_on = concat(
     [data.google_client_config.default.access_token],

modules/beta-public-cluster/dns.tf

@@ -20,16 +20,18 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.3.0"
-  enabled               = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
-  additional_components = ["kubectl"]
-
-  upgrade       = var.gcloud_upgrade
-  skip_download = var.gcloud_skip_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  source           = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version          = "~> 1.4"
+  enabled          = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners
+  cluster_name     = google_container_cluster.primary.name
+  cluster_location = google_container_cluster.primary.location
+  project_id       = var.project_id
+  upgrade          = var.gcloud_upgrade
+  skip_download    = var.gcloud_skip_download
+
+
+  kubectl_create_command  = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
+  kubectl_destroy_command = ""
 
   module_depends_on = concat(
     [data.google_client_config.default.access_token],

modules/config-sync/README.md

@@ -55,7 +55,7 @@ To deploy this config:
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | credential secret type, passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | n/a | yes |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no |
 | sync\_repo | ACM Git repo address | string | n/a | yes |

modules/config-sync/variables.tf

@@ -77,5 +77,5 @@ variable "ssh_auth_key" {
 variable "skip_gcloud_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)"
   type        = bool
-  default     = false
+  default     = true
 }