diff --git a/CHANGELOG.md b/CHANGELOG.md index a926f5078f..706682fbf1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,10 +9,10 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] ### Added -* Added `grant_registry_access` variable to grant `roles/storage.objectViewer` to created SA [#236] - +* Added `grant_registry_access` variable to grant Container Registry access to created SA [#236] * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] +* Support for Google Groups based RBAC beta feature [#217] ## [v4.1.0] 2019-07-24 @@ -171,6 +171,8 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236 +[#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217 +[#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214 [#210]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/210 diff --git a/autogen/cluster.tf b/autogen/cluster.tf index f69445e8a6..664de67855 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf 
@@ -182,8 +182,19 @@ resource "google_container_cluster" "primary" { } } - workload_identity_config { - identity_namespace = var.identity_namespace + dynamic "workload_identity_config" { + for_each = local.cluster_workload_identity_config + + content { + identity_namespace = workload_identity_config.value.identity_namespace + } + } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } } {% endif %} } diff --git a/autogen/main.tf b/autogen/main.tf index 170b1570a9..9d6476b916 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -71,6 +71,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + {% endif %} cluster_output_name = google_container_cluster.primary.name @@ -136,6 +140,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled + cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{ + identity_namespace = var.identity_namespace + }] # /BETA features {% endif %} } diff --git a/autogen/variables.tf b/autogen/variables.tf index 581be9b31c..9a956194e0 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf 
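Review bot: The two new `dynamic` blocks in `google_container_cluster.primary` are shaped differently — `workload_identity_config` puts a blank line between `for_each` and `content` while `authenticator_groups_config` does not; pick one layout for both, since these lines are the template that modules/beta-private-cluster/cluster.tf and modules/beta-public-cluster/cluster.tf are generated from. The omit-when-unset behaviour lives only in the locals in main.tf, so a comment above each block would help readers of the rendered modules: `# Rendered only when var.identity_namespace is set (see local.cluster_workload_identity_config)` and `# Rendered only when var.authenticator_security_group is set (see local.cluster_authenticator_security_group)`. Previously `workload_identity_config` was always emitted with whatever `var.identity_namespace` held; now it is dropped entirely when that is `""`, so clusters created by the previous version with the default may show a plan diff on upgrade — if so, the CHANGELOG entry for [#234] should say so. The enclosing resource begins and ends outside the hunk.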
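Review bot: `cluster_authenticator_security_group` treats `null` as unset while `cluster_workload_identity_config`, added in this file's second hunk among the output-derived `cluster_*_enabled` locals under `# /BETA features`, treats `""` as unset; the two input-derived lists should sit together and the differing sentinels deserve a comment. I would move the second definition up to directly follow the first and annotate it: `# identity_namespace defaults to "" rather than null (existing interface), so test for the empty string`. The same two hunks appear in modules/beta-private-cluster/main.tf and modules/beta-public-cluster/main.tf; both `locals` blocks start before and end after the hunks.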
@@ -384,9 +384,15 @@ variable "enable_intranode_visibility" { } variable "identity_namespace" { - type = string description = "Workload Identity namespace" + type = string default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} + {% endif %} diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 76c6993459..10bce771ef 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index e08e132216..c64f09fd67 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index df0761466a..2fb447fbb3 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index c3dc9ee9cd..a0221ca360 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf 
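Review bot: `authenticator_security_group` is documented with a required format but nothing in the module enforces it, and the description does not say what `null` means; since `local.cluster_authenticator_security_group` in main.tf turns null into an omitted block, state that explicitly: `description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com. Leave null (the default) to keep Google Groups RBAC disabled."`. The new variable also uses `null` as its unset value while the adjacent `identity_namespace` uses `""`; a short comment on why the two differ would save the next reader a trip to main.tf. Membership of that group is managed outside Terraform yet becomes usable in cluster RBAC bindings, so it may be worth noting in the description that its membership should be reviewed like an IAM grant. The generated READMEs in this commit render the default as the quoted string `"null"`, which reads as a literal value rather than unset; if the doc generator cannot be adjusted, the description wording above at least makes the intent clear. The same hunk is repeated in modules/beta-private-cluster/variables.tf and modules/beta-public-cluster/variables.tf.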
@@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 506f4337b1..bd42f43d1a 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 0de45757a7..9eaf2b6117 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -19,13 +19,13 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" credentials = file(var.credentials_path) region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" credentials = file(var.credentials_path) region = var.region } diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index 6413c4d70b..b79c21c770 100644 --- a/examples/simple_regional_private/main.tf +++ b/examples/simple_regional_private/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 406228a1a9..0ca1873d86 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" credentials = file(var.credentials_path) region = var.region } 
diff --git a/examples/simple_zonal/main.tf b/examples/simple_zonal/main.tf index 0d44fabcd9..7e04d7e4fe 100644 --- a/examples/simple_zonal/main.tf +++ b/examples/simple_zonal/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index 0c9f4d1ce8..2192787516 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index f8d12abaa6..4227aac952 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index 6c4005de7b..046f9838c0 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -15,7 +15,7 @@ */ provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 253cb56742..42f3967d5a 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } 
diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index af7a9821fa..8a997e8c7a 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index e5e0c6d811..11cae808d4 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 2.9.0" + version = "~> 2.12.0" region = var.region } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 6221322ced..eba9f48d31 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 7ea397e728..d887d332ed 100644 --- a/modules/beta-private-cluster/cluster.tf 
+++ b/modules/beta-private-cluster/cluster.tf @@ -169,8 +169,19 @@ resource "google_container_cluster" "primary" { } } - workload_identity_config { - identity_namespace = var.identity_namespace + dynamic "workload_identity_config" { + for_each = local.cluster_workload_identity_config + + content { + identity_namespace = workload_identity_config.value.identity_namespace + } + } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index ede006d3e2..43fea3b6dc 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -66,6 +66,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location @@ -123,6 +127,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled + cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{ + identity_namespace = var.identity_namespace + }] # /BETA features } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 54ac3edb25..6aa50eafff 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -381,8 +381,14 @@ variable "enable_vertical_pod_autoscaling" { } variable "identity_namespace" { - type = string description = "Workload Identity namespace" + type = string default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} + diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 9738ebb6d6..49ffddedc1 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 9afab3113d..c26d85ff50 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -164,8 +164,19 @@ resource "google_container_cluster" "primary" { } } - workload_identity_config { - identity_namespace = var.identity_namespace + dynamic "workload_identity_config" { + for_each = local.cluster_workload_identity_config + + content { + identity_namespace = workload_identity_config.value.identity_namespace + } + } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } } } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 5e165d4a3b..db5138e99f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -66,6 +66,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location @@ -123,6 +127,9 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled + cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{ + identity_namespace = var.identity_namespace + }] # /BETA features } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 27682fa575..d8b68de69b 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -357,8 +357,14 @@ variable "enable_vertical_pod_autoscaling" { } variable "identity_namespace" { - type = string description = "Workload Identity namespace" + type = string default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} +