From c27c19db9108755dc7bccff44c5e52a25d290655 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Tue, 25 Apr 2023 16:10:29 +0200 Subject: [PATCH] feat: Add protect_config to beta clusters Signed-off-by: Edvin Norling --- autogen/main/cluster.tf.tmpl | 7 +++++++ autogen/main/variables.tf.tmpl | 18 ++++++++++++++++++ autogen/main/versions.tf.tmpl | 4 ++-- .../beta-autopilot-private-cluster/cluster.tf | 7 +++++++ .../beta-autopilot-private-cluster/versions.tf | 4 ++-- .../beta-autopilot-public-cluster/cluster.tf | 7 +++++++ .../beta-autopilot-public-cluster/versions.tf | 4 ++-- .../README.md | 1 + .../cluster.tf | 7 +++++++ .../variables.tf | 18 ++++++++++++++++++ .../versions.tf | 4 ++-- modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/variables.tf | 18 ++++++++++++++++++ modules/beta-private-cluster/versions.tf | 4 ++-- .../README.md | 1 + .../cluster.tf | 7 +++++++ .../variables.tf | 18 ++++++++++++++++++ .../versions.tf | 4 ++-- modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 7 +++++++ modules/beta-public-cluster/variables.tf | 18 ++++++++++++++++++ modules/beta-public-cluster/versions.tf | 4 ++-- 23 files changed, 157 insertions(+), 14 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 1f645109b8..cd2ec4574c 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -315,6 +315,13 @@ resource "google_container_cluster" "primary" { {% if beta_cluster %} networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } {% endif %} ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index c4f44dfcc7..a01c82e7a9 100644 
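Review bot: The new `protect_config` block inside `{% if beta_cluster %}` is unconditional, so every beta cluster now sends a protect_config carrying the variable's defaults (`workload_vulnerability_mode = ""`, `audit_mode = "MODE_UNSPECIFIED"`) even for callers that never set the variable; whether the provider treats those as "unset" or as an explicit value that surfaces as a plan diff on existing beta clusters cannot be seen here and should be confirmed with a plan against an existing cluster before release. If the feature is meant to be opt-in, wrapping it in a `dynamic "protect_config"` gated on a non-default value keeps the generated cluster spec unchanged for callers that do not set it, which is the safer default for a security control that is off either way. The same unconditional block is repeated in the generated cluster.tf hunks of the autopilot, private and public beta modules on the following lines. The enclosing `resource "google_container_cluster" "primary"` block starts and ends outside the hunk.
```hcl
  {% if beta_cluster %}
  networking_mode = "VPC_NATIVE"

  # Only send protect_config when the caller opted in: the variable defaults
  # leave both Protect modes unspecified, so omitting the block keeps existing
  # beta clusters unchanged.
  dynamic "protect_config" {
    for_each = var.protect_config.workload_vulnerability_mode != "" || var.protect_config.workload_config.audit_mode != "MODE_UNSPECIFIED" ? [1] : []
    content {
      workload_config {
        audit_mode = var.protect_config.workload_config.audit_mode
      }
      workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
    }
  }
  {% endif %}
  # … unchanged: ip_allocation_policy …
```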
--- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -760,5 +760,23 @@ variable "enable_identity_service" { description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + +variable "protect_config" { + description = "(beta) Enable/Disable Protect API features for the cluster." + type = object({ + workload_vulnerability_mode = string, + workload_config = object({ + audit_mode = string + }) + } + ) + + default = { + workload_vulnerability_mode = "" + workload_config = { + audit_mode = "MODE_UNSPECIFIED" + } + } +} {% endif %} {% endif %} diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 62620f9121..f0ee3aa6f8 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0" + version = ">= 4.63.0, < 5.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.51.0, < 5.0" + version = ">= 4.63.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 9d40a5aa50..71e5e9c1a6 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" { } networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 888b07bdb9..e4f49596e4 100644 
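Review bot: The `protect_config` variable's description ("Enable/Disable Protect API features") does not tell a caller that the defaults leave both Protect features unspecified, i.e. off, nor which values switch them on, and the two defaults use different "unset" sentinels (`""` for `workload_vulnerability_mode`, `"MODE_UNSPECIFIED"` for `audit_mode`), which is easy to misread as one of them being enabled. I would change the description to `description = "(beta) Protect API settings for the cluster. Both modes default to unspecified, which leaves workload vulnerability scanning and workload audit disabled; set each mode explicitly (see the google-beta provider docs for the accepted values) to enable the feature."` and, once the provider's accepted values are confirmed, add a `validation` block using `contains([...], var.protect_config.workload_vulnerability_mode)` and the same for `audit_mode`, so a typo fails at plan time instead of at the API. The same variable is duplicated in the generated variables.tf hunks of each beta module on the following lines and would need the same wording.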
--- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0" + version = ">= 4.63.0, < 5.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.51.0, < 5.0" + version = ">= 4.63.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index e6d4920b4f..1cbc56ca2d 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" { } networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index ac9a466684..659b595120 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.51.0, < 5.0" + version = ">= 4.63.0, < 5.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.51.0, < 5.0" + version = ">= 4.63.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 7305b970ed..d661ee8720 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -247,6 +247,7 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
object({
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
|
{
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 926b3a5232..2c70511d64 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 7ed013cfc8..93ddeadd6a 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -719,3 +719,21 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "protect_config" {
+ description = "(beta) Enable/Disable Protect API features for the cluster."
+ type = object({
+ workload_vulnerability_mode = string,
+ workload_config = object({
+ audit_mode = string
+ })
+ }
+ )
+
+ default = {
+ workload_vulnerability_mode = ""
+ workload_config = {
+ audit_mode = "MODE_UNSPECIFIED"
+ }
+ }
+}
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 23d268fc37..5ff52c525d 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index afbdf287e4..53edf4bbca 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -225,6 +225,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
object({
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
|
{
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index fc2d22d5eb..338d246427 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 7ed013cfc8..93ddeadd6a 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -719,3 +719,21 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "protect_config" {
+ description = "(beta) Enable/Disable Protect API features for the cluster."
+ type = object({
+ workload_vulnerability_mode = string,
+ workload_config = object({
+ audit_mode = string
+ })
+ }
+ )
+
+ default = {
+ workload_vulnerability_mode = ""
+ workload_config = {
+ audit_mode = "MODE_UNSPECIFIED"
+ }
+ }
+}
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 3862d0a5d7..df3aae44e6 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index a73037e17a..802024a08f 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -236,6 +236,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
object({
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
|
{
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 2a7b1be0b9..8c72e0e87d 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 04a2a21685..aeb005e092 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -689,3 +689,21 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "protect_config" {
+ description = "(beta) Enable/Disable Protect API features for the cluster."
+ type = object({
+ workload_vulnerability_mode = string,
+ workload_config = object({
+ audit_mode = string
+ })
+ }
+ )
+
+ default = {
+ workload_vulnerability_mode = ""
+ workload_config = {
+ audit_mode = "MODE_UNSPECIFIED"
+ }
+ }
+}
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 866413bcf5..987676a5ef 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 7e3388050c..e127fcb499 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -214,6 +214,7 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
+| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
object({
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
|
{
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index e5d70fef24..cb07ede372 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.protect_config.workload_config.audit_mode + } + workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 04a2a21685..aeb005e092 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -689,3 +689,21 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "protect_config" {
+ description = "(beta) Enable/Disable Protect API features for the cluster."
+ type = object({
+ workload_vulnerability_mode = string,
+ workload_config = object({
+ audit_mode = string
+ })
+ }
+ )
+
+ default = {
+ workload_vulnerability_mode = ""
+ workload_config = {
+ audit_mode = "MODE_UNSPECIFIED"
+ }
+ }
+}
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 8f28406fb9..0e640a0b21 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.51.0, < 5.0"
+ version = ">= 4.63.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"