feat: Add GCE PD CSI Driver beta support (#497)

BREAKING CHANGE: Minimum provider change increased to 3.19.

autogen/main/cluster.tf.tmpl

@@ -152,6 +152,14 @@ resource "google_container_cluster" "primary" {
     dns_cache_config {
       enabled = var.dns_cache
     }
+
+    dynamic "gce_persistent_disk_csi_driver_config" {
+      for_each = local.cluster_gce_pd_csi_config
+
+      content {
+        enabled = gce_persistent_disk_csi_driver_config.value.enabled
+      }
+    }
     {% endif %}
   }
 

autogen/main/main.tf.tmpl

@@ -88,6 +88,8 @@ locals {
 {% if beta_cluster %}
   cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
 
+  cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
   cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
     node_metadata = var.node_metadata
   }]

autogen/main/variables.tf.tmpl

@@ -417,6 +417,12 @@ variable "dns_cache" {
   default     = false
 }
 
+variable "gce_pd_csi_driver" {
+  type        = bool
+  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

autogen/main/versions.tf.tmpl

@@ -19,7 +19,7 @@ terraform {
 
   required_providers {
 {% if beta_cluster %}
-    google-beta = ">= 3.16, <4.0.0"
+    google-beta = ">= 3.19, <4.0.0"
 {% else %}
     google = ">= 3.16, <4.0.0"
 {% endif %}

examples/node_pool/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.16.0"
+  version = "~> 3.19.0"
   region  = var.region
 }
 

examples/node_pool_update_variant_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.16.0"
+  version     = "~> 3.19.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/safer_cluster/main.tf

@@ -34,7 +34,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.16.0"
+  version = "~> 3.19.0"
 }
 
 module "gke" {

examples/simple_regional_beta/README.md

@@ -13,6 +13,7 @@ This example illustrates how to create a simple cluster with beta features.
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `<list>` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes |
 | istio | Boolean to enable / disable Istio | string | `"true"` | no |

examples/simple_regional_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.16.0"
+  version = "~> 3.19.0"
   region  = var.region
 }
 
@@ -39,6 +39,7 @@ module "gke" {
   istio                       = var.istio
   cloudrun                    = var.cloudrun
   dns_cache                   = var.dns_cache
+  gce_pd_csi_driver           = var.gce_pd_csi_driver
   node_metadata               = var.node_metadata
   sandbox_enabled             = var.sandbox_enabled
   remove_default_node_pool    = var.remove_default_node_pool

examples/simple_regional_beta/variables.tf

@@ -63,6 +63,12 @@ variable "dns_cache" {
   default     = false
 }
 
+variable "gce_pd_csi_driver" {
+  type        = bool
+  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+  default     = false
+}
+
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
   default     = "SECURE"

examples/simple_regional_private_beta/main.tf

@@ -24,7 +24,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.16.0"
+  version = "~> 3.19.0"
   region  = var.region
 }
 
@@ -56,9 +56,10 @@ module "gke" {
     },
   ]
 
-  istio     = var.istio
-  cloudrun  = var.cloudrun
-  dns_cache = var.dns_cache
+  istio             = var.istio
+  cloudrun          = var.cloudrun
+  dns_cache         = var.dns_cache
+  gce_pd_csi_driver = var.gce_pd_csi_driver
 }
 
 data "google_client_config" "default" {

examples/simple_regional_private_beta/variables.tf

@@ -61,3 +61,9 @@ variable "dns_cache" {
   description = "Boolean to enable / disable NodeLocal DNSCache "
   default     = false
 }
+
+variable "gce_pd_csi_driver" {
+  type        = bool
+  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+  default     = false
+}

examples/workload_metadata_config/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.16.0"
+  version = "~> 3.19.0"
   region  = var.region
 }
 

modules/beta-private-cluster-update-variant/README.md

@@ -183,6 +183,7 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -137,6 +137,14 @@ resource "google_container_cluster" "primary" {
     dns_cache_config {
       enabled = var.dns_cache
     }
+
+    dynamic "gce_persistent_disk_csi_driver_config" {
+      for_each = local.cluster_gce_pd_csi_config
+
+      content {
+        enabled = gce_persistent_disk_csi_driver_config.value.enabled
+      }
+    }
   }
 
   ip_allocation_policy {

modules/beta-private-cluster-update-variant/main.tf

@@ -81,6 +81,8 @@ locals {
 
   cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
 
+  cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
   cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
     node_metadata = var.node_metadata
   }]

modules/beta-private-cluster-update-variant/variables.tf

@@ -410,6 +410,12 @@ variable "dns_cache" {
   default     = false
 }
 
+variable "gce_pd_csi_driver" {
+  type        = bool
+  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

modules/beta-private-cluster-update-variant/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google-beta = ">= 3.16, <4.0.0"
+    google-beta = ">= 3.19, <4.0.0"
   }
 }

modules/beta-private-cluster/README.md

@@ -161,6 +161,7 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |

modules/beta-private-cluster/cluster.tf

@@ -137,6 +137,14 @@ resource "google_container_cluster" "primary" {
     dns_cache_config {
       enabled = var.dns_cache
     }
+
+    dynamic "gce_persistent_disk_csi_driver_config" {
+      for_each = local.cluster_gce_pd_csi_config
+
+      content {
+        enabled = gce_persistent_disk_csi_driver_config.value.enabled
+      }
+    }
   }
 
   ip_allocation_policy {

modules/beta-private-cluster/main.tf

@@ -81,6 +81,8 @@ locals {
 
   cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
 
+  cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
   cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
     node_metadata = var.node_metadata
   }]

modules/beta-private-cluster/variables.tf

@@ -410,6 +410,12 @@ variable "dns_cache" {
   default     = false
 }
 
+variable "gce_pd_csi_driver" {
+  type        = bool
+  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

modules/beta-private-cluster/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google-beta = ">= 3.16, <4.0.0"
+    google-beta = ">= 3.19, <4.0.0"
   }
 }

modules/beta-public-cluster/README.md

@@ -140,6 +140,7 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |

modules/beta-public-cluster/cluster.tf

@@ -137,6 +137,14 @@ resource "google_container_cluster" "primary" {
     dns_cache_config {
       enabled = var.dns_cache
     }
+
+    dynamic "gce_persistent_disk_csi_driver_config" {
+      for_each = local.cluster_gce_pd_csi_config
+
+      content {
+        enabled = gce_persistent_disk_csi_driver_config.value.enabled
+      }
+    }
   }
 
   ip_allocation_policy {

modules/beta-public-cluster/main.tf

@@ -81,6 +81,8 @@ locals {
 
   cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
 
+  cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
   cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
     node_metadata = var.node_metadata
   }]

modules/beta-public-cluster/variables.tf

@@ -386,6 +386,12 @@ variable "dns_cache" {
   default     = false
 }
 
+variable "gce_pd_csi_driver" {
+  type        = bool
+  description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

modules/beta-public-cluster/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google-beta = ">= 3.16, <4.0.0"
+    google-beta = ">= 3.19, <4.0.0"
   }
 }

test/fixtures/beta_cluster/main.tf

@@ -56,6 +56,8 @@ module "this" {
 
   dns_cache = true
 
+  gce_pd_csi_driver = true
+
   enable_binary_authorization = true
 
   pod_security_policy_config = [{

test/integration/beta_cluster/controls/gcloud.rb

@@ -60,6 +60,9 @@
           "cloudRunConfig" => {},
           "dnsCacheConfig" => {
             "enabled" => true,
+          },
+          "gcePersistentDiskCsiDriverConfig" => {
+            "enabled" => true,
           }
         })
       end