From d252579613ca44e11ad28a59f930cdb42dea2c29 Mon Sep 17 00:00:00 2001
From: Edvin N
Date: Tue, 6 Jun 2023 04:31:38 +0200
Subject: [PATCH] feat!: Add protect_config beta feature (#1617)
feat!: add protect_config beta feature
---
autogen/main/cluster.tf.tmpl | 7 +++++++
autogen/main/variables.tf.tmpl | 11 +++++++++++
modules/beta-autopilot-private-cluster/README.md | 2 ++
modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++
modules/beta-autopilot-private-cluster/variables.tf | 11 +++++++++++
modules/beta-autopilot-public-cluster/README.md | 2 ++
modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++
modules/beta-autopilot-public-cluster/variables.tf | 11 +++++++++++
modules/beta-private-cluster-update-variant/README.md | 2 ++
.../beta-private-cluster-update-variant/cluster.tf | 7 +++++++
.../beta-private-cluster-update-variant/variables.tf | 11 +++++++++++
modules/beta-private-cluster/README.md | 2 ++
modules/beta-private-cluster/cluster.tf | 7 +++++++
modules/beta-private-cluster/variables.tf | 11 +++++++++++
modules/beta-public-cluster-update-variant/README.md | 2 ++
modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++
.../beta-public-cluster-update-variant/variables.tf | 11 +++++++++++
modules/beta-public-cluster/README.md | 2 ++
modules/beta-public-cluster/cluster.tf | 7 +++++++
modules/beta-public-cluster/variables.tf | 11 +++++++++++
20 files changed, 138 insertions(+)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index d263170b1..58ab5a57c 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -315,6 +315,13 @@ resource "google_container_cluster" "primary" { {% if beta_cluster %} networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } {% endif %} ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods
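Review bot: The new `protect_config` block inside the `{% if beta_cluster %}` branch is emitted unconditionally, so every generated beta module now always sends a `workload_config.audit_mode` and a `workload_vulnerability_mode` to the API, also for users who never touch the two new variables; the `feat!` marker suggests this is intended, but nothing in the hunk records it, and the next maintainer may well wrap the block in a `dynamic` to "fix" it. A short comment above the block would settle that, e.g. `# GKE Protect settings (beta-only). Always sent; the variable defaults decide what is applied to the cluster.` The same block is replicated by the generator into the `cluster.tf` hunks of beta-autopilot-private-cluster, beta-autopilot-public-cluster, beta-private-cluster(-update-variant) and beta-public-cluster(-update-variant) later in the patch, so the comment belongs here in the template and will propagate. The enclosing `google_container_cluster.primary` resource starts and ends outside this hunk.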
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index e15a94bf3..d0d140b65 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -530,6 +530,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} {% endif %} variable "disable_default_snat" {
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index bbe938170..9a3871bed 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -129,6 +129,8 @@ Then perform the following commands on the root folder: | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index a4432a658..5d836127b 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
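Review bot: The two new variable descriptions say almost nothing about what the settings do and one carries a typo (`Worload`), which the generator then copies into the `variables.tf` and README of every beta module (beta-autopilot-private-cluster, beta-autopilot-public-cluster, beta-private-cluster(-update-variant), beta-public-cluster(-update-variant)); since this template is the source, fix it here rather than in the generated copies. Neither variable constrains its value, so a mistyped mode such as `disabled` is only rejected by the API at apply time, whereas a `validation` block against the modes the google-beta provider documents for `protect_config` (`DISABLED` and `BASIC`, plus the empty string already used as a default — confirm against the pinned provider version) fails at plan time. The `""` default for `workload_vulnerability_mode` next to `"DISABLED"` for `workload_config_audit_mode` is also unexplained; if the empty string is meant to leave the setting to the provider, the description should say so once that is confirmed. Stylistically, the first added `variable` block follows the closing `}` of `enable_confidential_nodes` with no separating blank line, unlike the other variable blocks in the file.
```hcl
variable "workload_vulnerability_mode" {
  description = "(beta) GKE Protect workload vulnerability scanning mode (DISABLED or BASIC)."
  type        = string
  default     = ""

  validation {
    condition     = contains(["", "DISABLED", "BASIC"], var.workload_vulnerability_mode)
    error_message = "workload_vulnerability_mode must be \"\", \"DISABLED\" or \"BASIC\"."
  }
}

variable "workload_config_audit_mode" {
  description = "(beta) GKE Protect workload configuration audit mode (DISABLED or BASIC)."
  type        = string
  default     = "DISABLED"

  validation {
    condition     = contains(["DISABLED", "BASIC"], var.workload_config_audit_mode)
    error_message = "workload_config_audit_mode must be \"DISABLED\" or \"BASIC\"."
  }
}
```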
@@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" { } networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 8b0bf17e2..a9bd58431 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -366,6 +366,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} variable "disable_default_snat" { type = bool
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 91a48d9ce..00b9a25f3 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -118,6 +118,8 @@ Then perform the following commands on the root folder: | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 84c48a673..75e6e67f3 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -128,6 +128,13 @@ resource "google_container_cluster" "primary" { } networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 947bf6df8..e244b7372 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -336,6 +336,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} variable "disable_default_snat" { type = bool
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index b5f670446..c782d85e1 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -264,6 +264,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 7f75a953d..519c54d8f 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 3ec0e2030..11bd398c6 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -502,6 +502,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} variable "disable_default_snat" { type = bool
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index b696bfbfa..f707b3f28 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -242,6 +242,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 63cbe46e9..b53205c4d 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 3ec0e2030..11bd398c6 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -502,6 +502,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} variable "disable_default_snat" { type = bool
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index b79f37d9b..233b62570 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -253,6 +253,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 98738a3cf..c086223b5 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 960970303..5e033e3eb 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -472,6 +472,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} variable "disable_default_snat" { type = bool
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 9d0e115ae..be5efc9a0 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -231,6 +231,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 754747b79..ed021f26b 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -256,6 +256,13 @@ resource "google_container_cluster" "primary" { datapath_provider = var.datapath_provider networking_mode = "VPC_NATIVE" + + protect_config { + workload_config { + audit_mode = var.workload_config_audit_mode + } + workload_vulnerability_mode = var.workload_vulnerability_mode + } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 960970303..5e033e3eb 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -472,6 +472,17 @@ variable "enable_confidential_nodes" { description = "An optional flag to enable confidential node config." default = false } +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} + +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "DISABLED" +} variable "disable_default_snat" { type = bool