diff --git a/README.md b/README.md index de52651f5..1cff8f1df 100644 --- a/README.md +++ b/README.md @@ -128,8 +128,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | @@ -151,7 +149,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | 
@@ -170,7 +168,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -202,7 +200,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | @@ -213,7 +211,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | region | Cluster region | | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index eeee6d519..3debee4e0 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -161,9 +161,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -298,7 +295,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -377,7 +374,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -634,9 +631,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + {% if beta_cluster %} dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl index 03209c8a0..edba110f4 100644 --- a/autogen/main/dns.tf.tmpl +++ b/autogen/main/dns.tf.tmpl @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl index 3826d30a1..183e761f7 100644 --- a/autogen/main/firewall.tf.tmpl +++ b/autogen/main/firewall.tf.tmpl @@ -112,6 +112,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 2bf90161e..4b3f74105 100644 --- a/autogen/main/main.tf.tmpl 
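Review bot: The per-pool override `mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)` in the `google_container_node_pool.pools` hunk bypasses the legacy-value translation that `local.cluster_node_metadata_config` applies to the cluster-level variable, so a pool entry that still carries `node_metadata = "GKE_METADATA_SERVER"` (the exact line the upgrade guide in this commit rewrites) is handed verbatim to the 4.x `mode` argument, where it is presumably rejected, while the cluster-level value is mapped. Run the per-pool value through the same table, e.g. `mode = lookup(local.old_node_metadata_config_mapping, lookup(each.value, "node_metadata", workload_metadata_config.value.mode), lookup(each.value, "node_metadata", workload_metadata_config.value.mode))`, or precompute the per-pool mode in `locals` so the lookup is written once. The same line appears in the generated `cluster.tf` hunk `@@ -339,10 +336,11 @@`, and the new `variable "node_metadata"` validation does not cover per-pool entries, so this is the only place a legacy pool value would be caught. The `pools` resource body continues outside the hunk.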
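Review bot: The added `source_tags = []` in the `master_webhooks` rule does not change who the rule admits (the source remains `[local.cluster_endpoint_for_nodes]`) and reads as a workaround for provider 4.x plan behaviour, but nothing says so, and a later reader may either delete it or, worse, start populating it and widen the rule beyond the control-plane range. Add a one-line comment above it such as `# intentionally empty: this rule is scoped by source_ranges only; set explicitly to keep the 4.x provider plan stable — TODO confirm the reason`. The `google_compute_firewall` block continues outside the hunk.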
+++ b/autogen/main/main.tf.tmpl @@ -111,8 +111,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -153,7 +156,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] @@ -177,7 +180,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] {% if beta_cluster %} # BETA features diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index fd58ec9c2..35ed78c1f 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl 
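Review bot: The second entry of `old_node_metadata_config_mapping` is inverted relative to the first: `GKE_METADATA_SERVER = "GKE_METADATA"` maps legacy to new, but `GCE_METADATA = "EXPOSE"` maps the new value back to the legacy one, so a user who follows this commit's upgrade guide (`GCE_METADATA` should be used in place of `EXPOSE`) gets `mode = "EXPOSE"` sent to the 4.x provider, while a legacy `EXPOSE` passes through unmapped. The line should read `old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", EXPOSE = "GCE_METADATA" }`. Because this value decides whether pods can reach the node metadata server, the failure mode is most likely an apply error rather than a silently weaker posture, but it would block every cluster using the recommended value. The `locals` block continues outside the hunk.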
@@ -114,7 +114,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } @@ -123,23 +123,23 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } - -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} {% if private_cluster %} output "master_ipv4_cidr_block" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index ea8e1fe01..d53d32cd9 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
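Review bot: The relocated `output "instance_group_urls"` changes meaning silently: it is now gathered from `google_container_node_pool.pools[*].managed_instance_group_urls`, so any instance group not owned by this module's `pools` resource (a retained default node pool, if the module permits one — I cannot see that handling from here) no longer appears, whereas the previous `google_container_cluster.primary.instance_group_urls` covered the whole cluster. The description `"List of GKE generated instance groups"` is unchanged and the upgrade guide added in this commit does not mention the output at all. Suggest `description = "List of GKE generated instance groups for the node pools managed by this module"` and a short entry in docs/upgrading_to_v18.0.md so consumers that feed this list into load balancers or monitoring know to re-check it.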
@@ -394,18 +394,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -549,8 +537,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -564,7 +557,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 10338cf9a..5f9fca791 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
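Review bot: The new `validation` block on `variable "node_metadata"` accepts five values but its `error_message` names only three, so a user who mistypes a value is told the legal set excludes `GKE_METADATA_SERVER` and `EXPOSE`, which the `condition` in fact accepts and which the upgrade guide says remain supported. Either drop the legacy values from `contains([...])` and rely on the mapping in `locals`, or make the message match: `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED (legacy GKE_METADATA_SERVER and EXPOSE are still accepted and mapped)."`. Note also that this guards only the cluster-level variable; per-pool `node_metadata` keys inside `node_pools` (`list(map(string))`) are not validated anywhere on this page.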
@@ -24,7 +24,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.87.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" @@ -38,7 +38,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.55.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 720b1eb87..925b7b040 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -111,10 +111,6 @@ module "gke" { registry_project_ids = var.registry_project_ids grant_registry_access = var.grant_registry_access - // Basic Auth disabled - basic_auth_username = "" - basic_auth_password = "" - issue_client_certificate = false cluster_resource_labels = var.cluster_resource_labels @@ -164,7 +160,7 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling - // We enable identity namespace by default. + // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl index 3769eab06..cf82ca027 100644 --- a/autogen/safer-cluster/outputs.tf.tmpl +++ b/autogen/safer-cluster/outputs.tf.tmpl @@ -104,7 +104,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/cluster.tf b/cluster.tf index 82ef9af9d..f4899cf1c 100644 --- a/cluster.tf +++ b/cluster.tf 
@@ -98,9 +98,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -165,7 +162,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } @@ -211,7 +208,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -339,10 +336,11 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/dns.tf b/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/dns.tf +++ b/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location 
diff --git a/docs/upgrading_to_v18.0.md b/docs/upgrading_to_v18.0.md new file mode 100644 index 000000000..7f503017a --- /dev/null +++ b/docs/upgrading_to_v18.0.md @@ -0,0 +1,66 @@ +# Upgrading to v18.0 + +The v18.0 release of *kubernetes-engine* is a backwards incompatible release. + +### Google Cloud Platform Provider upgrade +The Terraform Kubernetes Engine Module now requires version 4.0 or higher of +the Google Cloud Platform Provider. + +```diff +terraform { + required_providers { + google = { + source = "hashicorp/google" +- version = "~> 3.0" ++ version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" +- version = "~> 3.0" ++ version = "~> 4.0" + } + + } +} +``` + +### Kubernetes Basic Authentication removed +Basic authentication is deprecated and has been removed in GKE 1.19 and later. +Owing to this, the `basic_auth_username` and `basic_auth_password` variables +have been eliminated. + +```diff + module "gke" { + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" +- version = "~> 17.0" ++ version = "~> 18.0" + +- basic_auth_username = "admin" +- basic_auth_password = "s3crets!" +} +``` + +### Acceptable values for node_metadata modified +It is recommended to update `node_metadata` variable to one of `GKE_METADATA`, +`GCE_METADATA` or `UNSPECIFIED`. `GKE_METADATA` replaces the previous +`GKE_METADATA_SERVER` value, `GCE_METADATA` should be used in place of +`EXPOSE`, however old values continue to be supported for backwards compatibility. +The `SECURE` option, previously deprecated, has now been removed. + +```diff +module "gke" { + source = "../../modules/safer-cluster" + + node_pools = [ + { + +- node_metadata = "GKE_METADATA_SERVER" ++ node_metadata = "GKE_METADATA" + } + ] +} +``` + +### node_pools_versions is now keyed by node-pool name +The `node_pools_versions` output is now an object keyed by node pool name, +rather than a list as previously. 
diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index e3c3628ae..2b109fb20 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 7df56fc43..dae795b4c 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index cbe55dfa8..2dcf171f5 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 75908d868..5a659b79b 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "deploy-service" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { 
diff --git a/test/fixtures/upstream_nameservers/versions.tf b/examples/deploy_service/versions.tf similarity index 71% rename from test/fixtures/upstream_nameservers/versions.tf rename to examples/deploy_service/versions.tf index 22884dadd..e8fbb1aad 100644 --- a/test/fixtures/upstream_nameservers/versions.tf +++ b/examples/deploy_service/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" } diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index 37479596d..8696ffc0d 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "disable-cluster-cert" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/test/fixtures/workload_metadata_config/versions.tf b/examples/disable_client_cert/versions.tf similarity index 71% rename from test/fixtures/workload_metadata_config/versions.tf rename to examples/disable_client_cert/versions.tf index 22884dadd..e8fbb1aad 100644 --- a/test/fixtures/workload_metadata_config/versions.tf +++ b/examples/disable_client_cert/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" } diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index e2b98cf9e..445d5e039 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "node-pool" } -provider "google-beta" { - version = "~> 3.90.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/node_pool/versions.tf b/examples/node_pool/versions.tf new file mode 100644 index 000000000..68ef07184 --- /dev/null +++ b/examples/node_pool/versions.tf @@ -0,0 +1,31 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index 8f4900bfa..05cc542aa 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf 
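Review bot: In the new `examples/node_pool/versions.tf` the `google` provider is declared with a `source` but no `version`, while `google-beta` is pinned to `~> 4.0`, so `terraform init` resolves `google` to the newest release available, including a future major with breaking changes; the same unpinned `google` entry appears in `examples/node_pool_update_variant_beta/versions.tf`, `examples/node_pool_update_variant_public_beta/versions.tf` and `examples/private_zonal_with_networking/versions.tf`, and `kubernetes` is left unconstrained in every new versions.tf. Since the module itself now requires `>= 4.0.0, < 5.0` for both Google providers, pin the examples to match, e.g. add `version = "~> 4.0"` under `google`. Examples are what users copy, so an unpinned provider here is where an unexpected upgrade first reaches them.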
@@ -18,11 +18,6 @@ locals { cluster_type = "node-pool-update-variant" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_compute_subnetwork" "subnetwork" { name = var.subnetwork project = var.project_id diff --git a/examples/node_pool_update_variant/versions.tf b/examples/node_pool_update_variant/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/node_pool_update_variant/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index b282aa608..da631a7b6 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -19,7 +19,6 @@ locals { } provider "google-beta" { - version = "~> 3.87.0" credentials = file(var.credentials_path) region = var.region } diff --git a/examples/node_pool_update_variant_beta/versions.tf b/examples/node_pool_update_variant_beta/versions.tf new file mode 100644 index 000000000..68ef07184 --- /dev/null +++ b/examples/node_pool_update_variant_beta/versions.tf 
@@ -0,0 +1,31 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index 10e9c084e..b6863e7db 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf @@ -19,7 +19,6 @@ locals { } provider "google-beta" { - version = "~> 3.87.0" credentials = file(var.credentials_path) region = var.region } diff --git a/examples/node_pool_update_variant_public_beta/versions.tf b/examples/node_pool_update_variant_public_beta/versions.tf new file mode 100644 index 000000000..68ef07184 --- /dev/null +++ b/examples/node_pool_update_variant_public_beta/versions.tf 
@@ -0,0 +1,31 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf index a71dfaf76..9910b9bb1 100644 --- a/examples/private_zonal_with_networking/main.tf +++ b/examples/private_zonal_with_networking/main.tf @@ -23,8 +23,9 @@ provider "kubernetes" { } module "gcp-network" { - source = "terraform-google-modules/network/google" - version = "~> 3.1" + source = "terraform-google-modules/network/google" + version = ">= 4.0.1, < 5.0.0" + project_id = var.project_id network_name = var.network diff --git a/test/fixtures/stub_domains_upstream_nameservers/versions.tf b/examples/private_zonal_with_networking/versions.tf similarity index 73% rename from test/fixtures/stub_domains_upstream_nameservers/versions.tf rename to examples/private_zonal_with_networking/versions.tf index 22884dadd..61934a306 100644 --- a/test/fixtures/stub_domains_upstream_nameservers/versions.tf +++ b/examples/private_zonal_with_networking/versions.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,5 +15,13 @@ */ terraform { - required_version = ">=0.12" + required_providers { + google = { + source = "hashicorp/google" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" } diff --git a/examples/regional_private_node_pool_oauth_scopes/README.md b/examples/regional_private_node_pool_oauth_scopes/README.md index 480ff1569..498b2a34d 100644 --- a/examples/regional_private_node_pool_oauth_scopes/README.md +++ b/examples/regional_private_node_pool_oauth_scopes/README.md @@ -27,7 +27,7 @@ This example illustrates how to create a private cluster with node pool specific | network\_module | network module output | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | subnets\_ips | The IP and cidrs of the subnets being created | diff --git a/examples/regional_private_node_pool_oauth_scopes/network.tf b/examples/regional_private_node_pool_oauth_scopes/network.tf index 140c20d94..e77f4c289 100644 --- a/examples/regional_private_node_pool_oauth_scopes/network.tf +++ b/examples/regional_private_node_pool_oauth_scopes/network.tf @@ -15,8 +15,9 @@ */ module "gke-network" { - source = "terraform-google-modules/network/google" - version = "~> 2.5" + source = "terraform-google-modules/network/google" + version = ">= 4.0.1, < 5.0.0" + project_id = var.project_id network_name = "random-gke-network" 
diff --git a/examples/regional_private_node_pool_oauth_scopes/outputs.tf b/examples/regional_private_node_pool_oauth_scopes/outputs.tf index 2df535729..ee38fa5fc 100644 --- a/examples/regional_private_node_pool_oauth_scopes/outputs.tf +++ b/examples/regional_private_node_pool_oauth_scopes/outputs.tf @@ -97,7 +97,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/examples/regional_private_node_pool_oauth_scopes/provider.tf b/examples/regional_private_node_pool_oauth_scopes/provider.tf index 28e2d75ab..b99defc51 100644 --- a/examples/regional_private_node_pool_oauth_scopes/provider.tf +++ b/examples/regional_private_node_pool_oauth_scopes/provider.tf @@ -14,14 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.55.0" -} - -provider "google-beta" { - version = "~> 3.87.0" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/regional_private_node_pool_oauth_scopes/versions.tf b/examples/regional_private_node_pool_oauth_scopes/versions.tf new file mode 100644 index 000000000..551261c44 --- /dev/null +++ b/examples/regional_private_node_pool_oauth_scopes/versions.tf 
@@ -0,0 +1,32 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index 84b94d79e..d6de0cd27 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -30,14 +30,6 @@ locals { subnet_names = [for subnet_self_link in module.gcp-network.subnets_self_links : split("/", subnet_self_link)[length(split("/", subnet_self_link)) - 1]] } -provider "google" { - version = "~> 3.55.0" -} - -provider "google-beta" { - version = "~> 3.87.0" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/safer_cluster/network.tf b/examples/safer_cluster/network.tf index 8b22071f0..e3c477806 100644 --- a/examples/safer_cluster/network.tf +++ b/examples/safer_cluster/network.tf @@ -15,8 +15,9 @@ */ module "gcp-network" { - source = "terraform-google-modules/network/google" - version = "~> 2.5" + source = "terraform-google-modules/network/google" + version = ">= 4.0.1, < 5.0.0" + project_id = var.project_id network_name = local.network_name 
diff --git a/examples/safer_cluster/versions.tf b/examples/safer_cluster/versions.tf index 22884dadd..2d448a4b7 100644 --- a/examples/safer_cluster/versions.tf +++ b/examples/safer_cluster/versions.tf @@ -15,5 +15,21 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + random = { + source = "hashicorp/random" + } + } } diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index 7a213824a..bf4803cdf 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + version = "~> 11.3" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index f998ea801..91592033f 100644 --- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf @@ -27,8 +27,9 @@ data "template_file" "startup_script" { } module "bastion" { - source = "terraform-google-modules/bastion-host/google" - version = "~> 3.0" + source = "terraform-google-modules/bastion-host/google" + version = "~> 4.1" + network = module.vpc.network_self_link subnet = module.vpc.subnets_self_links[0] project = module.enabled_google_apis.project_id diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 8ec538b47..b46278454 100644 --- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf 
@@ -36,7 +36,7 @@ module "gke" { min_count = 1 max_count = 4 auto_upgrade = true - node_metadata = "GKE_METADATA_SERVER" + node_metadata = "GKE_METADATA" } ] } diff --git a/examples/safer_cluster_iap_bastion/network.tf b/examples/safer_cluster_iap_bastion/network.tf index e1986ad58..572b366ad 100644 --- a/examples/safer_cluster_iap_bastion/network.tf +++ b/examples/safer_cluster_iap_bastion/network.tf @@ -17,7 +17,7 @@ module "vpc" { source = "terraform-google-modules/network/google" - version = "~> 2.5" + version = ">= 4.0.1, < 5.0.0" project_id = module.enabled_google_apis.project_id network_name = var.network_name diff --git a/examples/safer_cluster_iap_bastion/provider.tf b/examples/safer_cluster_iap_bastion/provider.tf index ca882e5f5..3da3ba8e5 100644 --- a/examples/safer_cluster_iap_bastion/provider.tf +++ b/examples/safer_cluster_iap_bastion/provider.tf @@ -14,14 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.52.0" -} - -provider "google-beta" { - version = "~> 3.87.0" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/safer_cluster_iap_bastion/versions.tf b/examples/safer_cluster_iap_bastion/versions.tf new file mode 100644 index 000000000..a7d13b052 --- /dev/null +++ b/examples/safer_cluster_iap_bastion/versions.tf 
@@ -0,0 +1,35 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + template = { + source = "hashicorp/template" + } + } + required_version = ">= 0.13" +} diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index 4e1c2a1b5..72cba631b 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "shared-vpc" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/shared_vpc/versions.tf b/examples/shared_vpc/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/shared_vpc/versions.tf 
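Review bot: The removed `provider "google"` block in examples/shared_vpc/main.tf carried `region = var.region` as well as the version pin, and nothing added in this commit restores a provider-level region, so any resource or data source in this example that relied on the provider default region now has none unless it sets one explicitly. If every such resource already sets `region`/`location` or takes it from the module this is fine but worth a sentence in the commit message; otherwise the example needs `provider "google" { region = var.region }` (without the now-removed `version` argument) alongside the new versions.tf. The same `region = var.region` removal recurs in the main.tf of examples/simple_regional, simple_regional_beta, simple_regional_private, simple_regional_private_beta, simple_regional_with_kubeconfig, simple_zonal_private, simple_zonal_with_acm, simple_zonal_with_asm, simple_zonal_with_hub, stub_domains, stub_domains_private, stub_domains_upstream_nameservers, upstream_nameservers, workload_identity and workload_metadata_config later in the commit.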
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 0ddfa5581..45bdcf9cc 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional/versions.tf b/examples/simple_regional/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_regional/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 12ec938e7..a97cc09f1 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional-beta" } -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_beta/versions.tf b/examples/simple_regional_beta/versions.tf index 22884dadd..9d7a49648 100644 --- a/examples/simple_regional_beta/versions.tf +++ b/examples/simple_regional_beta/versions.tf @@ -15,5 +15,17 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index d0d038542..51a5ee846 100644 --- a/examples/simple_regional_private/main.tf 
+++ b/examples/simple_regional_private/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional-private" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_private/versions.tf b/examples/simple_regional_private/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_regional_private/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 0c7d6885f..50c9374a4 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -18,16 +18,6 @@ locals { cluster_type = "simple-regional-private-beta" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_private_beta/versions.tf b/examples/simple_regional_private_beta/versions.tf index 22884dadd..bd6eb4f18 100644 
--- a/examples/simple_regional_private_beta/versions.tf +++ b/examples/simple_regional_private_beta/versions.tf @@ -15,5 +15,18 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index 645d4b666..183c0721d 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_with_kubeconfig/versions.tf b/examples/simple_regional_with_kubeconfig/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_regional_with_kubeconfig/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} 
diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index f1f9b48b4..4854c4d64 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf @@ -14,10 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.55.0" -} - data "google_client_config" "default" {} provider "kubernetes" { @@ -27,8 +23,9 @@ provider "kubernetes" { } module "gcp-network" { - source = "terraform-google-modules/network/google" - version = "~> 3.1" + source = "terraform-google-modules/network/google" + version = ">= 4.0.1, < 5.0.0" + project_id = var.project_id network_name = var.network diff --git a/examples/simple_regional_with_networking/versions.tf b/examples/simple_regional_with_networking/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_regional_with_networking/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index d98718c9a..e845f41ca 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf 
@@ -18,11 +18,6 @@ locals { cluster_type = "simple-zonal-private" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_private/versions.tf b/examples/simple_zonal_private/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_zonal_private/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index 70a1f3f12..540c3a6bb 100644 --- a/examples/simple_zonal_with_acm/main.tf +++ b/examples/simple_zonal_with_acm/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-zonal" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_acm/versions.tf b/examples/simple_zonal_with_acm/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_zonal_with_acm/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index d8a5f9a81..849248d38 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -18,16 +18,6 @@ locals { cluster_type = "simple-zonal-asm" } -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - -provider "google" { - version = "~> 3.63.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_asm/versions.tf b/examples/simple_zonal_with_asm/versions.tf index 1dcf340b5..bd6eb4f18 100644 --- a/examples/simple_zonal_with_asm/versions.tf +++ b/examples/simple_zonal_with_asm/versions.tf @@ -15,5 +15,18 @@ */ terraform { - required_version = ">=0.13" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } 
diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index f19b592f7..8c1d03914 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-zonal" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_hub/versions.tf b/examples/simple_zonal_with_hub/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/simple_zonal_with_hub/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_hub_kubeconfig/main.tf b/examples/simple_zonal_with_hub_kubeconfig/main.tf index 22956825a..43622d1ac 100644 --- a/examples/simple_zonal_with_hub_kubeconfig/main.tf +++ b/examples/simple_zonal_with_hub_kubeconfig/main.tf @@ -14,14 +14,6 @@ * limitations under the License. */ -terraform { - required_providers { - kind = { - source = "kyma-incubator/kind" - version = "0.0.6" - } - } -} provider "kind" {} # creating a cluster with kind of the name "test-cluster" with kubernetes version v1.18.4 and two nodes 
diff --git a/examples/simple_zonal_with_hub_kubeconfig/versions.tf b/examples/simple_zonal_with_hub_kubeconfig/versions.tf new file mode 100644 index 000000000..1d715aef2 --- /dev/null +++ b/examples/simple_zonal_with_hub_kubeconfig/versions.tf @@ -0,0 +1,32 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kind = { + source = "kyma-incubator/kind" + version = "0.0.6" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 150514976..808f4b436 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "stub-domains" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/stub_domains/versions.tf b/examples/stub_domains/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/stub_domains/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index e2d077b84..3a04cfbe3 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/stub_domains_private/versions.tf b/examples/stub_domains_private/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/stub_domains_private/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index f64f02f49..d9aa82bab 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "domains-nameservers" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/stub_domains_upstream_nameservers/versions.tf b/examples/stub_domains_upstream_nameservers/versions.tf index 22884dadd..424ba9ae7 100644 --- a/examples/stub_domains_upstream_nameservers/versions.tf +++ b/examples/stub_domains_upstream_nameservers/versions.tf @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 1ab9edc1d..df8954c3b 100644 --- a/examples/upstream_nameservers/main.tf 
+++ b/examples/upstream_nameservers/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "upstream-nameservers" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/upstream_nameservers/versions.tf b/examples/upstream_nameservers/versions.tf index 22884dadd..424ba9ae7 100644 --- a/examples/upstream_nameservers/versions.tf +++ b/examples/upstream_nameservers/versions.tf @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 2b6fe82e2..204e13b73 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "regional" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { @@ -42,7 +37,7 @@ module "gke" { ip_range_services = var.ip_range_services remove_default_node_pool = true service_account = "create" - node_metadata = "GKE_METADATA_SERVER" + node_metadata = "GKE_METADATA" node_pools = [ { name = "wi-pool" diff --git a/examples/workload_identity/versions.tf b/examples/workload_identity/versions.tf new file mode 100644 index 000000000..e8fbb1aad --- /dev/null +++ b/examples/workload_identity/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index b146e30c3..a1443f285 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "workload-metadata-private" } -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { @@ -54,7 +49,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "172.16.0.0/28" - node_metadata = "SECURE" + node_metadata = "GKE_METADATA" master_authorized_networks = [ { diff --git a/examples/workload_metadata_config/versions.tf b/examples/workload_metadata_config/versions.tf index 22884dadd..9d7a49648 100644 --- a/examples/workload_metadata_config/versions.tf +++ b/examples/workload_metadata_config/versions.tf 
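Review bot: Replacing `SECURE` with `GKE_METADATA` in examples/workload_metadata_config/main.tf changes what the example demonstrates rather than just its spelling: `SECURE` was the metadata-concealment mode, whereas `GKE_METADATA` runs the GKE metadata server on the node, which can only be enabled when Workload Identity is enabled on the cluster. The root module's new `old_node_metadata_config_mapping` translates `GKE_METADATA_SERVER` and `GCE_METADATA` but not `SECURE`, so this example is presumably the only migration hint for users who had `SECURE`; a comment such as `# GKE_METADATA replaces the legacy SECURE (metadata concealment) value; node metadata is served by the GKE metadata server and requires Workload Identity on the cluster` plus a line in the changelog would make that explicit. The enclosing `module "gke"` block begins outside the hunk, so I cannot see whether the example sets `identity_namespace` itself or relies on the module default.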
@@ -15,5 +15,17 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/firewall.tf b/firewall.tf index 02df638f2..8ac7624d1 100644 --- a/firewall.tf +++ b/firewall.tf @@ -70,6 +70,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { diff --git a/main.tf b/main.tf index eb511e724..34a0fc323 100644 --- a/main.tf +++ b/main.tf @@ -86,8 +86,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -113,7 +116,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
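Review bot: The added `source_tags = []` on `google_compute_firewall.master_webhooks` has no comment saying why an explicitly empty list is set next to `source_ranges`; presumably it exists to stop the 4.x provider from planning a change on the attribute every run, and that reason should be stated in place, e.g. `# intentionally empty: source_ranges alone defines the permitted sources`. Since an empty tag set adds no sources, the rule still admits only `local.cluster_endpoint_for_nodes` to nodes tagged `local.cluster_network_tag`, which is worth saying for anyone auditing the webhook rule. The resource block starts and ends outside the hunk.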
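Review bot: `old_node_metadata_config_mapping` does not map the legacy `SECURE` value, and the `lookup` default passes any unmapped string straight through as `mode`, so a caller still setting `node_metadata = "SECURE"` (the value this same commit removes from examples/workload_metadata_config) gets a provider-side validation error rather than a translation or a module-level message. The second entry also looks reversed relative to the first: `GKE_METADATA_SERVER = "GKE_METADATA"` maps a legacy name to the new `mode` value, whereas `GCE_METADATA = "EXPOSE"` maps the new name back to a legacy one; if the 4.x provider's `mode` accepts `GCE_METADATA` (as the GKE API enum does) the intended entry is probably `EXPOSE = "GCE_METADATA"`, so please confirm against the provider's accepted values before merging. I'd also add a `validation` block on `var.node_metadata` (in variables.tf, outside this hunk) listing the accepted legacy and new spellings so unsupported values fail at plan time with a clear message. The `locals` block begins and ends outside the hunk.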
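Review bot: `cluster_output_node_pools_versions` changes from a list with a trailing `""` sentinel to a map keyed by node-pool name, which is a breaking change for any consumer of the module's `node_pools_versions` output that indexes it positionally, and nothing in the hunk marks it as such. Beyond the README wording already updated, I'd call this out in the changelog/upgrade notes and in the root outputs.tf description. The sibling `cluster_output_node_pools_names` on the line above keeps the list-plus-`""` form, so the two outputs are now shaped differently; a one-line comment such as `// map form needs no empty-string sentinel, unlike the names list above` would save the next reader from wondering whether the asymmetry is intended. The `locals` block extends beyond the hunk.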
@@ -137,7 +140,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] } diff --git a/modules/acm/main.tf b/modules/acm/main.tf index 7acc98662..fb6a913ac 100644 --- a/modules/acm/main.tf +++ b/modules/acm/main.tf @@ -16,7 +16,7 @@ module "enable_acm" { source = "terraform-google-modules/gcloud/google" - version = "~> 2.0" + version = "~> 3.1" platform = "linux" upgrade = true diff --git a/modules/asm/main.tf b/modules/asm/main.tf index f5ed3ecd9..84e3828c3 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -62,8 +62,9 @@ resource "google_project_iam_member" "asm_iam" { module "asm-services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" - count = var.enable_gcp_apis ? 1 : 0 + version = "~> 11.3" + + count = var.enable_gcp_apis ? 1 : 0 project_id = var.project_id disable_services_on_destroy = false @@ -87,8 +88,9 @@ module "asm-services" { } module "asm_install" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + module_depends_on = concat([var.cluster_endpoint], local.additional_depends_on) gcloud_sdk_version = var.gcloud_sdk_version diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index a932b2e70..bebc836f4 100644 --- a/modules/beta-private-cluster-update-variant/README.md 
+++ b/modules/beta-private-cluster-update-variant/README.md @@ -160,8 +160,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -199,7 +197,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -227,7 +225,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -264,7 +262,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -278,7 +276,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index fe7f85e87..9ce5a921a 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -265,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -338,7 +335,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -573,9 +570,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/modules/beta-private-cluster-update-variant/dns.tf +++ b/modules/beta-private-cluster-update-variant/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 75023e32c..e6318ff45 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf 
@@ -100,6 +100,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index d24a1e037..80449dd5b 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -101,8 +101,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -136,7 +139,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
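Review bot: `old_node_metadata_config_mapping` in this module's main.tf has the same inverted second entry as the root module: `GKE_METADATA_SERVER` (legacy) maps to `GKE_METADATA` (new), but `GCE_METADATA` (new) maps to `EXPOSE` (legacy), so the value recommended by the new validation message is rewritten to the old name before it reaches the provider. If the 4.x provider expects `GCE_METADATA`, change the line to `old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", EXPOSE = "GCE_METADATA" }`. Whichever direction is intended, a comment stating the from-name and to-name for each pair would keep the two copies of this table in sync. The `locals` block continues outside the hunk.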
@@ -160,7 +163,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index b60db783d..ff3263918 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -114,7 +114,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } 
@@ -123,24 +123,24 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index f25adcccf..012027410 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
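Review bot: `instance_group_urls` now lists only the managed instance groups of pools in `google_container_node_pool.pools`, so any instance group the cluster reports for a pool this module does not manage (the default pool, if it is retained) silently drops out of the output, and the unchanged description does not say so. Update it to `description = "List of GKE generated instance groups for the node pools managed by this module"` and confirm against the module's default-pool handling whether callers of the old cluster-level attribute depended on the difference.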
@@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -527,8 +515,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -542,7 +535,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 52a38d0c0..736164f07 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf 
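Review bot: The new `validation` block on `node_metadata` accepts five values but its `error_message` names only three, and the legacy `SECURE` value that the example in this PR migrates away from is rejected with no hint of what replaces it. Suggest `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED (legacy GKE_METADATA_SERVER and EXPOSE are still accepted; SECURE must be migrated to GKE_METADATA)."`. The variable `description` should also mention that the legacy names are a compatibility path, since nothing else tells a user they are on one.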
+++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.87.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index bdec3ab7c..e6c45504e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -138,8 +138,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -177,7 +175,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -205,7 +203,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -242,7 +240,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -256,7 +254,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d873637b9..a7bf19571 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -265,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -338,7 +335,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -488,9 +485,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/modules/beta-private-cluster/dns.tf +++ b/modules/beta-private-cluster/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 75023e32c..e6318ff45 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf @@ -100,6 +100,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { 
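Review bot: In the `google_container_node_pool.pools` hunk the per-pool `node_metadata` value bypasses the legacy mapping applied to the cluster-level value: `lookup(each.value, "node_metadata", ...)` returns the raw pool string, so `GKE_METADATA_SERVER` or `EXPOSE` set on a pool reaches the 4.x provider untranslated, and the variable-level `validation` does not inspect pool maps. Apply the table here too: `mode = lookup(local.old_node_metadata_config_mapping, lookup(each.value, "node_metadata", workload_metadata_config.value.mode), lookup(each.value, "node_metadata", workload_metadata_config.value.mode))`. The node pool resource starts and ends outside the hunk.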
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index d24a1e037..80449dd5b 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -101,8 +101,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -136,7 +139,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] @@ -160,7 +163,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled 
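Review bot: The `old_node_metadata_config_mapping` entry `GCE_METADATA = "EXPOSE"` maps a new-style name to a legacy one, the opposite direction of the `GKE_METADATA_SERVER = "GKE_METADATA"` entry beside it, so a caller passing `GCE_METADATA` as the validation message recommends gets `mode = "EXPOSE"`. If the 4.x provider expects `GCE_METADATA`, the line should be `old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", EXPOSE = "GCE_METADATA" }`. This table is duplicated across the module variants, so a one-line comment fixing the from/to direction would help keep the copies consistent. The `locals` block continues outside the hunk.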
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index b60db783d..ff3263918 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -114,7 +114,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } @@ -123,24 +123,24 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index f25adcccf..012027410 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
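Review bot: The rewritten `instance_group_urls` output derives its list solely from `google_container_node_pool.pools`, so instance groups belonging to a pool this module does not manage (a retained default pool, if that is possible here) are no longer reported, while the description still reads as if it covers everything the cluster generates. Change it to `description = "List of GKE generated instance groups for the node pools managed by this module"` and verify the behaviour against the module's default-pool handling.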
@@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -527,8 +515,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -542,7 +535,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 8f194b9aa..63744c1b2 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf 
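Review bot: The `validation` on `node_metadata` accepts `GKE_METADATA_SERVER` and `EXPOSE` but the `error_message` lists only `GKE_METADATA, GCE_METADATA or UNSPECIFIED`, and the legacy `SECURE` value that this PR's example replaces is rejected without naming the replacement. Suggest `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED (legacy GKE_METADATA_SERVER and EXPOSE are still accepted; SECURE must be migrated to GKE_METADATA)."` and a sentence in `description` noting that the legacy names are accepted only for compatibility.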
@@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.87.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index a8ead250c..afa5c2740 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -154,8 +154,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -190,7 +188,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -216,7 +214,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -253,7 +251,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -266,7 +264,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index fe57be51c..c0f2d8d86 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -265,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -319,7 +316,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -554,9 +551,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/modules/beta-public-cluster-update-variant/dns.tf +++ b/modules/beta-public-cluster-update-variant/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf index ce56926f3..b808dba1f 100644 --- a/modules/beta-public-cluster-update-variant/firewall.tf +++ b/modules/beta-public-cluster-update-variant/firewall.tf 
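Review bot: In the `google_container_node_pool.pools` hunk, the per-pool override `mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)` takes the pool's raw `node_metadata` entry and passes it straight to the provider's `mode`, so it bypasses both the `node_metadata` variable validation and the legacy-name translation that the cluster-level value goes through in main.tf; a pool entry still spelled `GKE_METADATA_SERVER` would reach the provider untranslated. Resolve the pool value through the same map, e.g. `mode = lookup(local.old_node_metadata_config_mapping, lookup(each.value, "node_metadata", workload_metadata_config.value.mode), lookup(each.value, "node_metadata", workload_metadata_config.value.mode))`, or compute the translated per-pool value once in a local to keep the line readable. The enclosing resource starts and ends outside the hunk. The identical line is changed in `modules/beta-public-cluster/cluster.tf`.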
@@ -106,6 +106,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 3648af011..cf2f7bc0e 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -101,8 +101,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -135,7 +138,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
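Review bot: The two entries of `old_node_metadata_config_mapping` in the main.tf `locals` hunk point in opposite directions: `GKE_METADATA_SERVER = "GKE_METADATA"` rewrites a legacy value into the new `mode` name, whereas `GCE_METADATA = "EXPOSE"` rewrites the new name into the legacy one, so a caller passing the documented `GCE_METADATA` sends `EXPOSE` to the provider while a caller passing `EXPOSE` has it passed through unchanged by the `lookup` default. If the comment's intent of mapping legacy values onto the 4.x names is right, the entry should read `EXPOSE = "GCE_METADATA"`; confirm against the `mode` values accepted by the linked provider change before flipping it. Whichever direction is correct, the accepted-value list in this module's `node_metadata` validation and this map describe the same set and should be derived from one local so they cannot drift. The same map is added in `modules/beta-public-cluster/main.tf`.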
@@ -159,7 +162,7 @@ locals {
 cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled
 workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null")
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
- identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
+ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index 4f92d3561..fe06ef81f 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -114,7 +114,7 @@ output "node_pools_names" {
 }
 
 output "node_pools_versions" {
- description = "List of node pools versions"
+ description = "Node pool versions by node pool name"
 value = local.cluster_node_pools_versions
 }
 
@@ -123,24 +123,24 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "istio_enabled" { description = "Whether Istio is enabled" value = local.cluster_istio_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 104d1dae7..18bc408e3 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -496,8 +484,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -511,7 +504,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index d5aae5156..343884131 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf 
+++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.87.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index be7111e85..c104f36a6 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -132,8 +132,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -168,7 +166,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -194,7 +192,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -231,7 +229,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -244,7 +242,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 34b39e554..dc6b439c3 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -265,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -319,7 +316,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -469,9 +466,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/modules/beta-public-cluster/dns.tf +++ b/modules/beta-public-cluster/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf index ce56926f3..b808dba1f 100644 --- a/modules/beta-public-cluster/firewall.tf +++ b/modules/beta-public-cluster/firewall.tf @@ -106,6 +106,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { 
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 3648af011..cf2f7bc0e 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -101,8 +101,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -135,7 +138,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] @@ -159,7 +162,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled 
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 4f92d3561..fe06ef81f 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -114,7 +114,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } @@ -123,24 +123,24 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "istio_enabled" { description = "Whether Istio is enabled" value = local.cluster_istio_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 104d1dae7..18bc408e3 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -496,8 +484,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -511,7 +504,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 78789f3e9..a7d479432 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf 
@@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.87.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf index 5b6ee0208..e4a69c0b6 100644 --- a/modules/binary-authorization/main.tf +++ b/modules/binary-authorization/main.tf @@ -25,7 +25,7 @@ locals { module "project-services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + version = "~> 11.3" project_id = var.project_id activate_apis = local.required_enabled_apis diff --git a/modules/hub/main.tf b/modules/hub/main.tf index 428d4d8e5..700f474b2 100644 --- a/modules/hub/main.tf +++ b/modules/hub/main.tf @@ -72,7 +72,7 @@ resource "google_service_account_key" "gke_hub_key" { module "gke_hub_registration" { source = "terraform-google-modules/gcloud/google" - version = "~> 2.1.0" + version = "~> 3.1" platform = "linux" gcloud_sdk_version = var.gcloud_sdk_version diff --git a/modules/hub/outputs.tf b/modules/hub/outputs.tf index c41635b17..9ad677933 100644 --- a/modules/hub/outputs.tf +++ b/modules/hub/outputs.tf @@ -14,7 +14,6 @@ * limitations under the License. */ - output "wait" { description = "An output to use when you want to depend on registration finishing" value = module.gke_hub_registration.wait diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf index 60536b8cd..e10f006b6 100644 --- a/modules/k8s-operator-crd-support/main.tf +++ b/modules/k8s-operator-crd-support/main.tf @@ -34,7 +34,8 @@ locals { module "k8sop_manifest" { source = "terraform-google-modules/gcloud/google" - version = "~> 2.1.0" + version = "~> 3.1" + enabled = local.should_download_manifest create_cmd_entrypoint = "gsutil" 
@@ -45,8 +46,9 @@ module "k8sop_manifest" { module "k8s_operator" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint] cluster_name = var.cluster_name cluster_location = var.location @@ -68,7 +70,7 @@ resource "tls_private_key" "k8sop_creds" { module "k8sop_creds_secret" { source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + version = "~> 3.1" enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false" module_depends_on = [module.k8s_operator.wait] @@ -104,8 +106,9 @@ data "template_file" "k8sop_config" { } module "k8sop_config" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait] cluster_name = var.cluster_name cluster_location = var.location @@ -136,7 +139,8 @@ data "template_file" "rootsync_config" { module "wait_for_configsync_api" { source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + version = "~> 3.1" + enabled = var.enable_multi_repo module_depends_on = [module.k8sop_config.wait] @@ -156,7 +160,8 @@ module "wait_for_configsync_api" { module "rootsync_config" { source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + version = "~> 3.1" + enabled = var.enable_multi_repo module_depends_on = [module.wait_for_configsync_api.wait] 
@@ -173,8 +178,9 @@ module "rootsync_config" { } module "wait_for_gatekeeper" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = var.enable_policy_controller ? true : false module_depends_on = [module.k8sop_config.wait] cluster_name = var.cluster_name diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 5176ac124..a0eb953d7 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -156,8 +156,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
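Review bot: `enabled = var.enable_policy_controller ? true : false` in `module "wait_for_gatekeeper"` is a redundant conditional; `enabled = var.enable_policy_controller` yields the same bool. The other `enabled` arguments added in this file (`local.should_download_manifest`, `var.enable_multi_repo`) pass the boolean directly, so the plain form also keeps the file consistent. The module block continues past the end of the hunk.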
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | @@ -182,7 +180,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | 
@@ -202,7 +200,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -234,7 +232,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | @@ -246,7 +244,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 6ad68cd30..868306a33 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -98,9 +98,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -165,7 +162,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -224,7 +221,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -437,10 +434,11 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/modules/private-cluster-update-variant/dns.tf +++ b/modules/private-cluster-update-variant/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf index 62d8463ee..d91335627 100644 --- a/modules/private-cluster-update-variant/firewall.tf +++ b/modules/private-cluster-update-variant/firewall.tf 
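Review bot: In the `google_container_node_pool.pools` hunk, the per-pool value from `lookup(each.value, "node_metadata", ...)` is handed straight to `mode`, bypassing the `local.old_node_metadata_config_mapping` translation that the cluster-level `workload_metadata_config` now goes through in main.tf; a pool that still sets the legacy `node_metadata = "GKE_METADATA_SERVER"` therefore reaches the 4.x provider unmapped while the cluster default is converted. One way to keep both paths consistent is `mode = lookup(local.old_node_metadata_config_mapping, lookup(each.value, "node_metadata", ""), lookup(each.value, "node_metadata", workload_metadata_config.value.mode))`, which maps a legacy per-pool value and otherwise falls back to the already-mapped cluster mode. The node pool resource begins and ends outside this hunk.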
@@ -67,6 +67,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 9fbd46a8d..686bc61fa 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -86,8 +86,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -114,7 +117,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
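Review bot: The second entry of the new `old_node_metadata_config_mapping` looks inverted: `GCE_METADATA = "EXPOSE"` rewrites the current enum value `GCE_METADATA` into the legacy `EXPOSE`, and because `EXPOSE` has no key of its own, both inputs reach the provider's `mode` argument as `EXPOSE`. The comment calls these legacy mappings and the sibling entry translates old to new (`GKE_METADATA_SERVER = "GKE_METADATA"`), so the entry should presumably read `EXPOSE = "GCE_METADATA"`; if the 4.x provider's `mode` enum does not include `EXPOSE`, the mapping as written makes opting out of metadata concealment fail at plan time. The secure default `GKE_METADATA` is unaffected, so only users who deliberately expose node metadata to pods hit this, but it deserves a fix and a fixture that sets `node_metadata = "GCE_METADATA"`. The `locals` block continues outside the hunk.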
@@ -138,7 +141,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] } diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 1f0bbeaaf..98336bf5b 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -114,7 +114,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } 
@@ -123,24 +123,24 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index a1c8253d7..eb1f464b6 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -330,18 +330,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -402,8 +390,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -417,7 +410,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 98d3b74f9..e1d6491e1 100644 --- a/modules/private-cluster-update-variant/versions.tf 
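Review bot: The `validation` added to `node_metadata` accepts five values but its `error_message` lists only three, so a user who mistypes a value is told that `GKE_METADATA_SERVER` and `EXPOSE` are invalid even though the condition still admits them. Suggest `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED (legacy values GKE_METADATA_SERVER and EXPOSE are accepted for compatibility)."`. The description should also say what the choice means for security, since it is the knob that decides whether pods can reach the node's VM metadata: something like `GKE_METADATA (default) serves metadata through the GKE metadata server, which Workload Identity relies on and which keeps the node's GCE metadata and service-account token away from workloads; GCE_METADATA/EXPOSE exposes the node's metadata to every pod.` The `node_metadata` variable is fully inside the hunk; the surrounding file is not.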
+++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.55.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 1ec12aba6..3f7192f45 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -134,8 +134,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | @@ -160,7 +158,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | 
@@ -180,7 +178,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -212,7 +210,7 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | +| identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | @@ -224,7 +222,7 @@ Then perform the following commands on the root folder: | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 278420d15..09e6e7dce 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -98,9 +98,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -165,7 +162,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } 
@@ -224,7 +221,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } @@ -352,10 +349,11 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index fa10a4110..5dd9a8ee2 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf @@ -20,8 +20,9 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name cluster_location = google_container_cluster.primary.location diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf index 62d8463ee..d91335627 100644 --- a/modules/private-cluster/firewall.tf +++ b/modules/private-cluster/firewall.tf @@ -67,6 +67,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [] target_tags = [local.cluster_network_tag] allow { 
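Review bot: In the `google_container_node_pool.pools` hunk, a per-pool `node_metadata` taken from `each.value` is passed to `mode` without going through `local.old_node_metadata_config_mapping`, so pool-level legacy values such as `GKE_METADATA_SERVER` are sent to the 4.x provider unmapped while the cluster-level value is translated in main.tf. `mode = lookup(local.old_node_metadata_config_mapping, lookup(each.value, "node_metadata", ""), lookup(each.value, "node_metadata", workload_metadata_config.value.mode))` maps a legacy per-pool value and otherwise falls back to the already-mapped cluster mode. The same lines appear in the generated private-cluster-update-variant copy. The node pool resource begins and ends outside this hunk.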
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 9fbd46a8d..686bc61fa 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -86,8 +86,11 @@ locals { security_group = var.authenticator_security_group }] + // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 + old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] cluster_output_name = google_container_cluster.primary.name @@ -114,7 +117,7 @@ locals { }] cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] @@ -138,7 +141,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] } diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 1f0bbeaaf..98336bf5b 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf 
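Review bot: `GCE_METADATA = "EXPOSE"` in the new `old_node_metadata_config_mapping` maps the current enum value to the legacy one, the opposite direction of the `GKE_METADATA_SERVER = "GKE_METADATA"` entry beside it; with `EXPOSE` having no key, both inputs end up as `mode = "EXPOSE"` at the provider. If the 4.x provider only accepts `GCE_METADATA`/`GKE_METADATA` for `mode`, users who opt out of metadata concealment get a plan-time rejection instead of the requested behaviour; the default `GKE_METADATA` path is unaffected. The entry should presumably be `EXPOSE = "GCE_METADATA"`, and the identical line in the private-cluster-update-variant module needs the same change. The `locals` block continues outside the hunk.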
@@ -114,7 +114,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } @@ -123,24 +123,24 @@ output "service_account" { value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index a1c8253d7..eb1f464b6 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -330,18 +330,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -402,8 +390,13 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } variable "database_encryption" { @@ -417,7 +410,7 @@ variable "database_encryption" { } variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 484c1eac5..3c93df5af 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf 
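Review bot: The `error_message` in the new `node_metadata` validation names three values while the `contains` condition accepts five, so anyone relying on the still-accepted legacy `GKE_METADATA_SERVER`/`EXPOSE` inputs gets a misleading message if a neighbouring value is mistyped. Suggest `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED (legacy values GKE_METADATA_SERVER and EXPOSE are accepted for compatibility)."`. The description is also the right place to say why `GKE_METADATA` is the safe default, for example by appending that it serves metadata through the GKE metadata server used by Workload Identity and keeps the node's service-account token away from pods, whereas `GCE_METADATA`/`EXPOSE` hands the node's metadata to every workload. The same variable exists verbatim in the update-variant module.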
@@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.55.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 10bcc3434..1d02e4644 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md @@ -279,7 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index b3a501f92..6242fc466 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -107,10 +107,6 @@ module "gke" { registry_project_ids = var.registry_project_ids grant_registry_access = var.grant_registry_access - // Basic Auth disabled - basic_auth_username = "" - basic_auth_password = "" - issue_client_certificate = false cluster_resource_labels = var.cluster_resource_labels @@ -160,7 +156,7 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling - // We enable identity namespace by default. + // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group 
diff --git a/modules/safer-cluster-update-variant/outputs.tf b/modules/safer-cluster-update-variant/outputs.tf index 8ad86f38f..9846251c1 100644 --- a/modules/safer-cluster-update-variant/outputs.tf +++ b/modules/safer-cluster-update-variant/outputs.tf @@ -104,7 +104,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 10bcc3434..1d02e4644 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md @@ -279,7 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 803144e50..567df7c61 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -107,10 +107,6 @@ module "gke" { registry_project_ids = var.registry_project_ids grant_registry_access = var.grant_registry_access - // Basic Auth disabled - basic_auth_username = "" - basic_auth_password = "" - issue_client_certificate = false cluster_resource_labels = var.cluster_resource_labels 
@@ -160,7 +156,7 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling - // We enable identity namespace by default. + // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf index 8ad86f38f..9846251c1 100644 --- a/modules/safer-cluster/outputs.tf +++ b/modules/safer-cluster/outputs.tf @@ -104,7 +104,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/modules/services/main.tf b/modules/services/main.tf index f6021fe1a..5d6d95d17 100644 --- a/modules/services/main.tf +++ b/modules/services/main.tf @@ -16,7 +16,7 @@ module "services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 6.0.0" + version = "~> 11.3" project_id = var.project_id enable_apis = var.enable_apis diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf index ebcb5da01..eaf02c777 100644 --- a/modules/workload-identity/main.tf +++ b/modules/workload-identity/main.tf @@ -59,7 +59,7 @@ resource "kubernetes_service_account" "main" { module "annotate-sa" { source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 2.1.0" + version = "~> 3.1" enabled = var.use_existing_k8s_sa && var.annotate_k8s_sa skip_download = true diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index cd4b163fb..1f4a825e4 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf 
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 3.39.0, <4.0.0"
+ version = ">= 3.39.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/outputs.tf b/outputs.tf
index bd48ce34c..a6f20a6f3 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -114,7 +114,7 @@ output "node_pools_names" {
 }
 output "node_pools_versions" {
- description = "List of node pools versions"
+ description = "Node pool versions by node pool name"
 value = local.cluster_node_pools_versions
 }
@@ -123,20 +123,20 @@ output "service_account" {
 value = local.service_account
 }
+output "instance_group_urls" {
+ description = "List of GKE generated instance groups"
+ value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls]))
+}
+
 output "release_channel" {
 description = "The release channel of this cluster"
 value = var.release_channel
 }
 output "identity_namespace" {
- description = "Workload Identity namespace"
- value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null
+ description = "Workload Identity pool"
+ value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null
 depends_on = [
 google_container_cluster.primary
 ]
 }
-
-output "instance_group_urls" {
- description = "List of GKE generated instance groups"
- value = google_container_cluster.primary.instance_group_urls
-}
diff --git a/test/fixtures/deploy_service/network.tf b/test/fixtures/deploy_service/network.tf
index a0fd4082c..94bb29e63 100644
--- a/test/fixtures/deploy_service/network.tf
+++ b/test/fixtures/deploy_service/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/disable_client_cert/network.tf b/test/fixtures/disable_client_cert/network.tf
index a0fd4082c..94bb29e63 100644
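Review bot: The re-added `instance_group_urls` output keeps the description "List of GKE generated instance groups" although its value is now assembled from `google_container_node_pool.pools` instead of the cluster resource, so instance groups of any pool this module does not manage would presumably no longer appear, and the list order now follows the node-pool iteration rather than the API. I would state the source in the description, e.g. `description = "List of GKE generated instance groups (managed instance group URLs of the node pools created by this module)"`. The `identity_namespace` output also now reads `workload_pool` from `local.cluster_workload_identity_config[0]`; that local is defined outside this hunk, so the attribute rename has to be mirrored there or the output fails at plan time.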
--- a/test/fixtures/disable_client_cert/network.tf
+++ b/test/fixtures/disable_client_cert/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/shared_vpc/network.tf b/test/fixtures/shared_vpc/network.tf
index a0fd4082c..94bb29e63 100644
--- a/test/fixtures/shared_vpc/network.tf
+++ b/test/fixtures/shared_vpc/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/simple_regional/network.tf b/test/fixtures/simple_regional/network.tf
index a0fd4082c..94bb29e63 100644
--- a/test/fixtures/simple_regional/network.tf
+++ b/test/fixtures/simple_regional/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/simple_regional_with_kubeconfig/network.tf b/test/fixtures/simple_regional_with_kubeconfig/network.tf
index 4c64f5a90..acb91a126 100644
--- a/test/fixtures/simple_regional_with_kubeconfig/network.tf
+++ b/test/fixtures/simple_regional_with_kubeconfig/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/simple_zonal/network.tf b/test/fixtures/simple_zonal/network.tf
index 9f9824bd7..e0bf46c2f 100644
--- a/test/fixtures/simple_zonal/network.tf
+++ b/test/fixtures/simple_zonal/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[1]
 }
diff --git a/test/fixtures/simple_zonal_with_asm/network.tf b/test/fixtures/simple_zonal_with_asm/network.tf
index 22c0c9723..0b538b4b5 100644
--- a/test/fixtures/simple_zonal_with_asm/network.tf
+++ b/test/fixtures/simple_zonal_with_asm/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.63.0"
 project = var.project_ids[2]
 }
diff --git a/test/fixtures/stub_domains/network.tf b/test/fixtures/stub_domains/network.tf
index a6fff524f..a24129ec4 100644
--- a/test/fixtures/stub_domains/network.tf
+++ b/test/fixtures/stub_domains/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[1]
 }
diff --git a/test/fixtures/stub_domains_upstream_nameservers/network.tf b/test/fixtures/stub_domains_upstream_nameservers/network.tf
index b94679b3a..8ec5389ad 100644
--- a/test/fixtures/stub_domains_upstream_nameservers/network.tf
+++ b/test/fixtures/stub_domains_upstream_nameservers/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[1]
 }
diff --git a/test/fixtures/upstream_nameservers/network.tf b/test/fixtures/upstream_nameservers/network.tf
index b94679b3a..8ec5389ad 100644
--- a/test/fixtures/upstream_nameservers/network.tf
+++ b/test/fixtures/upstream_nameservers/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[1]
 }
diff --git a/test/integration/workload_metadata_config/controls/gcloud.rb b/test/integration/workload_metadata_config/controls/gcloud.rb
index 70d14a860..59250d499 100644
--- a/test/integration/workload_metadata_config/controls/gcloud.rb
+++ b/test/integration/workload_metadata_config/controls/gcloud.rb
@@ -31,12 +31,6 @@
 {}
 end
 end
- describe "workload metada config" do
- it "is secure" do
- expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'SECURE'
- end
- end
 end
 describe command("gcloud beta --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json --format=\"json(nodeConfig.workloadMetadataConfig)\"") do
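Review bot: The deleted `describe "workload metada config"` examples here and in the `@@ -50,12 +44,6 @@` hunk of the same file were the only assertions that the node metadata server is not exposed to workloads, and nothing takes their place, so the `workload_metadata_config` integration test no longer checks the property it is named after. Since the variable default moves to `GKE_METADATA` in this commit, the check presumably just needs the new field, e.g. `expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["mode"]).to eq 'GKE_METADATA'` for the node-pool describe and the `data["nodeConfig"]` equivalent for the cluster describe. A positive assertion on the secure default is also what catches a regression if a later provider bump changes the field again. The enclosing describe blocks start outside these hunks.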
@@ -50,12 +44,6 @@
 {}
 end
 end
- describe "workload metada config" do
- it "is secure" do
- expect(data["nodeConfig"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'SECURE'
- end
- end
 end
 registry_project_ids.each do |registry_project_id|
@@ -63,17 +51,21 @@
 its(:exit_status) { should eq 0 }
 its(:stderr) { should eq '' }
- let!(:iam) do
+ let(:bindings) do
 if subject.exit_status == 0
- JSON.parse(subject.stdout)
+ JSON.parse(subject.stdout, symbolize_names: true)[:bindings]
 else
- {}
+ []
 end
 end
 it "has expected registry roles" do
- expect(iam['bindings']).to include(
- {"members" => ["serviceAccount:#{service_account}"], "role" => "roles/storage.objectViewer"},
- {"members" => ["serviceAccount:#{service_account}"], "role" => "roles/artifactregistry.reader"}
+ expect(bindings).to include(
+ members: including("serviceAccount:#{service_account}"),
+ role: "roles/storage.objectViewer",
+ )
+ expect(bindings).to include(
+ members: including("serviceAccount:#{service_account}"),
+ role: "roles/artifactregistry.reader",
 )
 end
 end
diff --git a/test/setup/main.tf b/test/setup/main.tf
index b690796fb..a4bee2d78 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "random_project_id_suffix" {
 module "gke-project-1" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 10.1"
+ version = "~> 11.3"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -48,7 +48,7 @@ module "gke-project-1" {
 module "gke-project-2" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 10.1"
+ version = "~> 11.3"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -75,8 +75,10 @@ module "gke-project-2" {
 # apis as documented https://cloud.google.com/service-mesh/docs/scripted-install/reference#setting_up_your_project
 module "gke-project-asm" {
- source = "terraform-google-modules/project-factory/google"
- version = "~> 10.1"
+ source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master"
+
+ #source = "terraform-google-modules/project-factory/google"
+ #version = "~> 11.3"
 name = "ci-gke-asm-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
diff --git a/test/setup/versions.tf b/test/setup/versions.tf
index 1963f1ed9..c010643e9 100644
--- a/test/setup/versions.tf
+++ b/test/setup/versions.tf
@@ -15,13 +15,18 @@
 */
 terraform {
- required_version = ">=0.12"
-}
-
-provider "google" {
- version = "3.50.0"
-}
-
-provider "google-beta" {
- version = "3.50.0"
+ required_version = ">= 0.13"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "4.1.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "4.1.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ }
+ }
 }
diff --git a/variables.tf b/variables.tf
index 66dd772f5..e0bd7dcb1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -330,18 +330,6 @@ variable "service_account" {
 default = ""
 }
-variable "basic_auth_username" {
- type = string
- description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
- default = ""
-}
-
-variable "basic_auth_password" {
- type = string
- description = "The password to be used with Basic Authentication."
- default = ""
-}
-
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
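Review bot: `source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master"` in `module "gke-project-asm"` tracks a mutable branch, so the CI project setup is no longer reproducible and whatever lands on that branch, reviewed or not, is executed with the test credentials on the next run; the registry source it replaces was at least bounded by a version constraint. Pin `ref=` to a release tag or a full commit SHA, and replace the two commented-out lines with a comment saying why the registry source is bypassed and when to switch back, e.g. `# TODO: revert to the registry source once the release containing the ASM API fix is published` (fill in the actual reason). In the `test/setup/versions.tf` hunk on the same line, `random` is declared with a `source` but no `version`, unlike `google` and `google-beta`; a constraint there would keep the setup pinned consistently.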
@@ -378,8 +366,13 @@ variable "authenticator_security_group" {
 variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA_SERVER"
+ default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
@@ -393,7 +386,7 @@ variable "database_encryption" {
 }
 variable "identity_namespace" {
- description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)"
+ description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
 default = "enabled"
 }
diff --git a/versions.tf b/versions.tf
index b3d1820b4..fb7f8d19f 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 3.55.0, <4.0.0"
+ version = ">= 4.0.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
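Review bot: The new `validation` block on `variable "node_metadata"` accepts five values but its `error_message` names only three, so a caller who passes an unsupported value is told the rule is `GKE_METADATA, GCE_METADATA or UNSPECIFIED` while `GKE_METADATA_SERVER` and `EXPOSE` still pass. Either drop the two extra values from `condition` or make the message match, e.g. `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE."`; if the last two are kept as legacy spellings mapped elsewhere in the module (not visible in this hunk), the variable description should say so. The description is also the place to spell out the trade-off the default encodes: `GKE_METADATA` runs the GKE metadata server so pods cannot read the node's metadata endpoint, whereas `GCE_METADATA` exposes that endpoint, and the node service account credentials behind it, to every pod on the node.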