diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 6f9f52209..7b40f50a3 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -252,6 +252,13 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ {% if beta_cluster %}
+ image_type = lookup(var.node_pools[0], "image_type", lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS")
+ {% else %}
+ image_type = lookup(var.node_pools[0], "image_type", "COS")
+ {% endif %}
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -263,6 +270,22 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ {% if beta_cluster %}
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ {% endif %}
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -635,4 +658,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/cluster.tf b/cluster.tf
index 3b829768f..ccf8b2c8b 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -138,6 +138,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
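Review bot: The three new lookups index `var.node_pools[0]` unconditionally, so the default node_config fails with an index error whenever `var.node_pools` is an empty list; whether that is reachable depends on the variable's default, which is not in the hunk. If a non-empty list is guaranteed, a comment above the first lookup would make the precondition explicit, e.g. `# node_pools[0] seeds the cluster's default node_config; var.node_pools must contain at least one entry`. Otherwise guard each lookup, e.g. `image_type = length(var.node_pools) > 0 ? lookup(var.node_pools[0], "image_type", "COS") : "COS"`. The same lines are generated into cluster.tf and every modules/*/cluster.tf in this commit, so the template is the place to change it. The node_config block continues outside the hunk.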
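Review bot: `shielded_instance_config` now sets `enable_secure_boot = false` unless the first pool overrides it while `enable_integrity_monitoring` defaults to true, and the hunk gives no reason for the asymmetry, which readers of the generated modules will never see explained. A comment above the block would carry the rationale, e.g. `# Secure Boot is off by default because it blocks unsigned kernel modules; opt in per pool with enable_secure_boot = true`. `boot_disk_kms_key` falls back to `""` rather than omitting the argument; if the provider does not treat the empty string as unset this can surface as a permanent plan diff, so a `null` default is worth checking. The `tobool((lookup(...)))` condition carries a redundant pair of parentheses and is the only place the sandbox flag is coerced explicitly — the image_type default in the previous hunk uses the same lookup bare — so one form should be used in both. The beta module files in this commit carry the same lines.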
@@ -149,6 +152,12 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -330,4 +339,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 970b4568c..a21cb6add 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -225,6 +225,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -236,6 +239,20 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -578,4 +595,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 04aa845ab..54f300f66 100644
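Review bot: The non-beta output keeps two consecutive empty added lines between `metadata = local.node_pools_metadata["all"]` and `shielded_instance_config {`, left over where the template's `{% if beta_cluster %}` block is dropped; the same double blank appears in modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf. Moving the leading blank line inside the `{% if beta_cluster %}` block in autogen/main/cluster.tf.tmpl would yield a single separator in both variants. The enclosing node_config block starts outside the hunk.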
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -225,6 +225,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -236,6 +239,20 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -493,4 +510,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index fbde380f5..eea276e79 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -225,6 +225,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -236,6 +239,20 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -559,4 +576,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 1268d04d4..ddbb25512 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -225,6 +225,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -236,6 +239,20 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+ dynamic "sandbox_config" {
+ for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
+ content {
+ sandbox_type = sandbox_config.value
+ }
+ }
+
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -474,4 +491,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index ce1342b05..b9b5dd864 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -138,6 +138,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -149,6 +152,12 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -428,4 +437,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 1ec65d0ce..182f86bca 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -138,6 +138,9 @@ resource "google_container_cluster" "primary" {
 initial_node_count = var.initial_node_count
 node_config {
+ image_type = lookup(var.node_pools[0], "image_type", "COS")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 dynamic "workload_metadata_config" {
@@ -149,6 +152,12 @@ resource "google_container_cluster" "primary" {
 }
 metadata = local.node_pools_metadata["all"]
+
+
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+ }
 }
 }
@@ -343,4 +352,3 @@ resource "google_container_node_pool" "pools" {
 delete = "45m"
 }
 }
-