feat: expose disable_default_snat in GA modules (#1336)

* fix: added snat code

* fix: updated readme

* fix: added snat variable

* fix: whitespaces

* fix readmebuild

* fix: removed conditional beta code

* removed beta variable

* fix readme

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>

README.md

@@ -144,6 +144,7 @@ Then perform the following commands on the root folder:
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | description | The description of the cluster | `string` | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |

autogen/main/cluster.tf.tmpl

@@ -64,11 +64,10 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
-{% if beta_cluster %}
   default_snat_status {
     disabled = var.disable_default_snat
   }
-{% endif %}
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
 {% if beta_cluster and autopilot_cluster != true %}

autogen/main/variables.tf.tmpl

@@ -474,13 +474,13 @@ variable "enable_confidential_nodes" {
   description = "An optional flag to enable confidential node config."
   default = false
 }
+{% endif %}
 
 variable "disable_default_snat" {
   type        = bool
   description = "Whether to disable the default SNAT to support the private use of public IP addresses"
   default     = false
 }
-{% endif %}
 
 {% if beta_cluster %}
 variable "notification_config_topic" {

cluster.tf

@@ -50,6 +50,10 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   logging_service    = var.logging_service

modules/beta-autopilot-private-cluster/cluster.tf

@@ -51,6 +51,7 @@ resource "google_container_cluster" "primary" {
   default_snat_status {
     disabled = var.disable_default_snat
   }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   logging_service    = var.logging_service

modules/beta-autopilot-public-cluster/cluster.tf

@@ -51,6 +51,7 @@ resource "google_container_cluster" "primary" {
   default_snat_status {
     disabled = var.disable_default_snat
   }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   logging_service    = var.logging_service

modules/beta-private-cluster-update-variant/cluster.tf

@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
   default_snat_status {
     disabled = var.disable_default_snat
   }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   dynamic "cluster_telemetry" {

modules/beta-private-cluster/cluster.tf

@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
   default_snat_status {
     disabled = var.disable_default_snat
   }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   dynamic "cluster_telemetry" {

modules/beta-public-cluster-update-variant/cluster.tf

@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
   default_snat_status {
     disabled = var.disable_default_snat
   }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   dynamic "cluster_telemetry" {

modules/beta-public-cluster/cluster.tf

@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
   default_snat_status {
     disabled = var.disable_default_snat
   }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   dynamic "cluster_telemetry" {

modules/private-cluster-update-variant/README.md

@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |

modules/private-cluster-update-variant/cluster.tf

@@ -50,6 +50,10 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   logging_service    = var.logging_service

modules/private-cluster-update-variant/variables.tf

@@ -415,6 +415,12 @@ variable "shadow_firewall_rules_priority" {
 }
 
 
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}
+
 variable "network_policy" {
   type        = bool
   description = "Enable network policy addon"

modules/private-cluster/README.md

@@ -151,6 +151,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |

modules/private-cluster/cluster.tf

@@ -50,6 +50,10 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
+
   min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 
   logging_service    = var.logging_service

modules/private-cluster/variables.tf

@@ -415,6 +415,12 @@ variable "shadow_firewall_rules_priority" {
 }
 
 
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}
+
 variable "network_policy" {
   type        = bool
   description = "Enable network policy addon"

variables.tf

@@ -391,6 +391,12 @@ variable "shadow_firewall_rules_priority" {
 }
 
 
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}
+
 variable "network_policy" {
   type        = bool
   description = "Enable network policy addon"