Commit

autogen
splichy committed Dec 14, 2022
1 parent 1b5ebba commit 938db8a
Showing 27 changed files with 382 additions and 112 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -196,6 +196,7 @@ Then perform the following commands on the root folder:
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | <pre>object({<br> metadata = string<br> })</pre> | <pre>{<br> "metadata": "INCLUDE_ALL_METADATA"<br>}</pre> | no |
| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
39 changes: 27 additions & 12 deletions firewall.tf
Expand Up @@ -111,8 +111,11 @@ resource "google_compute_firewall" "shadow_allow_pods" {
allow { protocol = "esp" }
allow { protocol = "ah" }

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

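Review bot: the expression `for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]` is pasted verbatim into all five shadow rules in this file; compute it once in `locals` (e.g. `shadow_firewall_rules_log_config = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]`) and reference `local.shadow_firewall_rules_log_config` in each `dynamic "log_config"` so the rules cannot drift apart on the next edit. It is also worth spelling out in the variable description that `null` removes the `log_config` block from every shadow rule at once, so firewall logging for them stops entirely, whereas the previous code always logged with `INCLUDE_ALL_METADATA`.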
Expand All @@ -134,8 +137,11 @@ resource "google_compute_firewall" "shadow_allow_master" {
ports = ["10250", "443"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand Down Expand Up @@ -166,8 +172,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
ports = ["1-65535"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -178,7 +187,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
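Review bot: `var.shadow_firewall_rules_priority - 1` has no lower-bound guard. The old `min(998, var.shadow_firewall_rules_priority)` could never go below the variable, but with the new expression a value of `0` (which still passes the `< 1000` validation added in variables.tf) yields `-1`, which is not a valid firewall priority. Either extend the validation to `var.shadow_firewall_rules_priority >= 1` or keep a `max(0, …)` guard here. The trailing comment `rule created by GKE robot have prio 999` should read `has priority 999` and say why this rule must sit one below the variable.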
Expand All @@ -190,8 +199,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -202,7 +214,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
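Review bot: after this change the two kubelet shadow rules are tied to the variable as `shadow_allow_inkubelet` at `priority - 1` and `shadow_deny_exkubelet` at `priority`, so the allow still evaluates ahead of the deny, which is the ordering the two descriptions rely on. That relationship is only visible by reading both resources; please document it in the `shadow_firewall_rules_priority` description in variables.tf, and fix the grammar of the trailing comment (`have prio 1000` should be `has priority 1000`).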
Expand All @@ -213,7 +225,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/README.md
Expand Up @@ -125,6 +125,7 @@ Then perform the following commands on the root folder:
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | <pre>object({<br> metadata = string<br> })</pre> | <pre>{<br> "metadata": "INCLUDE_ALL_METADATA"<br>}</pre> | no |
| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
39 changes: 27 additions & 12 deletions modules/beta-autopilot-private-cluster/firewall.tf
Expand Up @@ -138,8 +138,11 @@ resource "google_compute_firewall" "shadow_allow_pods" {
allow { protocol = "esp" }
allow { protocol = "ah" }

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -161,8 +164,11 @@ resource "google_compute_firewall" "shadow_allow_master" {
ports = ["10250", "443"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand Down Expand Up @@ -193,8 +199,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
ports = ["1-65535"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -205,7 +214,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
Expand All @@ -217,8 +226,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -229,7 +241,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
Expand All @@ -240,7 +252,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}
14 changes: 14 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Expand Up @@ -357,6 +357,20 @@ variable "shadow_firewall_rules_priority" {
type = number
description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
default = 999
validation {
condition = var.shadow_firewall_rules_priority < 1000
error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)."
}
}

variable "shadow_firewall_rules_log_config" {
type = object({
metadata = string
})
description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging."
default = {
metadata = "INCLUDE_ALL_METADATA"
}
}

variable "enable_confidential_nodes" {
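Review bot: the new `validation` block only bounds the upper end; `condition = var.shadow_firewall_rules_priority < 1000` still accepts `0`, which makes the `- 1` used for `shadow_allow_inkubelet` in firewall.tf negative. Suggest `condition = var.shadow_firewall_rules_priority >= 1 && var.shadow_firewall_rules_priority < 1000` with an error message that names both bounds (and a space before `(1000)`). `shadow_firewall_rules_log_config` gets no validation at all: a block such as `condition = var.shadow_firewall_rules_log_config == null ? true : contains([...], var.shadow_firewall_rules_log_config.metadata)`, listing the `metadata` values `google_compute_firewall` accepts, would reject a typo at plan time instead of at apply. The same two fixes apply to the identical hunk in modules/beta-autopilot-public-cluster/variables.tf and, since the commit is titled `autogen`, to the root variables.tf they are generated from.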
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/README.md
Expand Up @@ -114,6 +114,7 @@ Then perform the following commands on the root folder:
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | <pre>object({<br> metadata = string<br> })</pre> | <pre>{<br> "metadata": "INCLUDE_ALL_METADATA"<br>}</pre> | no |
| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
39 changes: 27 additions & 12 deletions modules/beta-autopilot-public-cluster/firewall.tf
Expand Up @@ -147,8 +147,11 @@ resource "google_compute_firewall" "shadow_allow_pods" {
allow { protocol = "esp" }
allow { protocol = "ah" }

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -170,8 +173,11 @@ resource "google_compute_firewall" "shadow_allow_master" {
ports = ["10250", "443"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand Down Expand Up @@ -202,8 +208,11 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
ports = ["1-65535"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -214,7 +223,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
project = local.network_project_id
network = var.network
priority = min(998, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 999
priority = var.shadow_firewall_rules_priority - 1 # rule created by GKE robot have prio 999
direction = "INGRESS"

source_ranges = local.pod_all_ip_ranges
Expand All @@ -226,8 +235,11 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}

Expand All @@ -238,7 +250,7 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
project = local.network_project_id
network = var.network
priority = min(999, var.shadow_firewall_rules_priority) # rule created by GKE robot have prio 1000
priority = var.shadow_firewall_rules_priority # rule created by GKE robot have prio 1000
direction = "INGRESS"

source_ranges = ["0.0.0.0/0"]
Expand All @@ -249,7 +261,10 @@ resource "google_compute_firewall" "shadow_deny_exkubelet" {
ports = ["10255"]
}

log_config {
metadata = "INCLUDE_ALL_METADATA"
dynamic "log_config" {
for_each = var.shadow_firewall_rules_log_config == null ? [] : [var.shadow_firewall_rules_log_config]
content {
metadata = log_config.value.metadata
}
}
}
14 changes: 14 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Expand Up @@ -327,6 +327,20 @@ variable "shadow_firewall_rules_priority" {
type = number
description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
default = 999
validation {
condition = var.shadow_firewall_rules_priority < 1000
error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)."
}
}

variable "shadow_firewall_rules_log_config" {
type = object({
metadata = string
})
description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging."
default = {
metadata = "INCLUDE_ALL_METADATA"
}
}

variable "enable_confidential_nodes" {
3 changes: 2 additions & 1 deletion modules/beta-private-cluster-update-variant/README.md
Expand Up @@ -254,6 +254,7 @@ Then perform the following commands on the root folder:
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | <pre>object({<br> metadata = string<br> })</pre> | <pre>{<br> "metadata": "INCLUDE_ALL_METADATA"<br>}</pre> | no |
| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
Expand Down Expand Up @@ -342,7 +343,7 @@ The node_pools variable takes the following parameters:
| min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true | 1 | Optional |
| name | The name of the node pool | | Required |
| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional |
| pod_range | The ID of the secondary range for pod IPs. | | Optional |
| pod_range | The name of the secondary range for pod IPs. | | Optional |
| node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required |
| node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
| node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |
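Review bot: the `pod_range` wording change (`The ID of` to `The name of`) is unrelated to the shadow firewall work in this commit and, because the commit is titled `autogen`, needs to land in the source the module READMEs are generated from as well, otherwise the next regeneration reverts it. In the context row just above it, `placement_policy` is also missing the empty default cell that every other row has, so its `Optional` lands in the Default column.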