Merge branch 'master' into add_storage_viewer_role_to_sa

CHANGELOG.md

@@ -9,10 +9,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 ## [Unreleased]
 ### Added
 
-* Added `grant_registry_access` variable to grant `roles/storage.objectViewer` to created SA [#236]
-
+* Added `grant_registry_access` variable to grant Container Registry access to created SA [#236]
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
+* Support for Google Groups based RBAC beta feature [#217]
 
 ## [v4.1.0] 2019-07-24
 
@@ -171,6 +171,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
+[#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
+[#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234
 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216
 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214
 [#210]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/210

autogen/cluster.tf

@@ -182,8 +182,19 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  workload_identity_config {
-    identity_namespace = var.identity_namespace
+  dynamic "workload_identity_config" {
+    for_each = local.cluster_workload_identity_config
+
+    content {
+      identity_namespace = workload_identity_config.value.identity_namespace
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
   }
 {% endif %}
 }

autogen/main.tf

@@ -71,6 +71,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 {% endif %}
 
   cluster_output_name           = google_container_cluster.primary.name
@@ -136,6 +140,9 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+  cluster_workload_identity_config         = var.identity_namespace == "" ? [] : [{
+    identity_namespace = var.identity_namespace
+  }]
   # /BETA features
 {% endif %}
 }

autogen/variables.tf

@@ -384,9 +384,15 @@ variable "enable_intranode_visibility" {
 }
 
 variable "identity_namespace" {
-  type        = string
   description = "Workload Identity namespace"
+  type        = string
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
+
 {% endif %}

examples/deploy_service/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/disable_client_cert/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/node_pool/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/shared_vpc/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/simple_regional/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/simple_regional_beta/main.tf

@@ -19,13 +19,13 @@ locals {
 }
 
 provider "google" {
-  version     = "~> 2.9.0"
+  version     = "~> 2.12.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
 
 provider "google-beta" {
-  version     = "~> 2.9.0"
+  version     = "~> 2.12.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/simple_regional_private/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/simple_regional_private_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 2.9.0"
+  version     = "~> 2.12.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/simple_zonal/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/simple_zonal_private/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/stub_domains/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/stub_domains_private/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/stub_domains_upstream_nameservers/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/upstream_nameservers/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

examples/workload_metadata_config/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 

modules/beta-private-cluster/README.md

@@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |

modules/beta-private-cluster/cluster.tf

@@ -169,8 +169,19 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  workload_identity_config {
-    identity_namespace = var.identity_namespace
+  dynamic "workload_identity_config" {
+    for_each = local.cluster_workload_identity_config
+
+    content {
+      identity_namespace = workload_identity_config.value.identity_namespace
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
   }
 }
 

modules/beta-private-cluster/main.tf

@@ -66,6 +66,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
@@ -123,6 +127,9 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+  cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
+    identity_namespace = var.identity_namespace
+  }]
   # /BETA features
 }
 

modules/beta-private-cluster/variables.tf

@@ -381,8 +381,14 @@ variable "enable_vertical_pod_autoscaling" {
 }
 
 variable "identity_namespace" {
-  type        = string
   description = "Workload Identity namespace"
+  type        = string
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
+

modules/beta-public-cluster/README.md

@@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |

modules/beta-public-cluster/cluster.tf

@@ -164,8 +164,19 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  workload_identity_config {
-    identity_namespace = var.identity_namespace
+  dynamic "workload_identity_config" {
+    for_each = local.cluster_workload_identity_config
+
+    content {
+      identity_namespace = workload_identity_config.value.identity_namespace
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
   }
 }
 

modules/beta-public-cluster/main.tf

@@ -66,6 +66,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
@@ -123,6 +127,9 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+  cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
+    identity_namespace = var.identity_namespace
+  }]
   # /BETA features
 }