From d96afa79fa97f88e8866b54c46c253efd9481ec5 Mon Sep 17 00:00:00 2001
From: Devan Patel
Date: Tue, 28 Apr 2020 21:14:34 +0100
Subject: [PATCH] feat: Add GCE PD CSI Driver beta support (#497)
BREAKING CHANGE: Minimum provider change increased to 3.19.
---
 autogen/main/cluster.tf.tmpl | 8 ++++++++
 autogen/main/main.tf.tmpl | 2 ++
 autogen/main/variables.tf.tmpl | 6 ++++++
 autogen/main/versions.tf.tmpl | 2 +-
 examples/node_pool/main.tf | 2 +-
 examples/node_pool_update_variant_beta/main.tf | 2 +-
 examples/safer_cluster/main.tf | 2 +-
 examples/simple_regional_beta/README.md | 1 +
 examples/simple_regional_beta/main.tf | 3 ++-
 examples/simple_regional_beta/variables.tf | 6 ++++++
 examples/simple_regional_private_beta/main.tf | 9 +++++----
 examples/simple_regional_private_beta/variables.tf | 6 ++++++
 examples/workload_metadata_config/main.tf | 2 +-
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 8 ++++++++
 modules/beta-private-cluster-update-variant/main.tf | 2 ++
 modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 8 ++++++++
 modules/beta-private-cluster/main.tf | 2 ++
 modules/beta-private-cluster/variables.tf | 6 ++++++
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 8 ++++++++
 modules/beta-public-cluster/main.tf | 2 ++
 modules/beta-public-cluster/variables.tf | 6 ++++++
 modules/beta-public-cluster/versions.tf | 2 +-
 test/fixtures/beta_cluster/main.tf | 2 ++
 test/integration/beta_cluster/controls/gcloud.rb | 3 +++
 30 files changed, 100 insertions(+), 13 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 920470f06..da1795bd8 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -152,6 +152,14 @@ resource "google_container_cluster" "primary" {
 dns_cache_config {
 enabled = var.dns_cache
 }
+
+ dynamic "gce_persistent_disk_csi_driver_config" {
+ for_each = local.cluster_gce_pd_csi_config
+
+ content {
+ enabled = gce_persistent_disk_csi_driver_config.value.enabled
+ }
+ }
 {% endif %}
 }
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 491d1f7ba..1dd1576bb 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -88,6 +88,8 @@ locals {
 {% if beta_cluster %}
 cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
+ cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }]
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 75f18de9b..080417549 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -417,6 +417,12 @@ variable "dns_cache" {
 default = false
 }
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ default = false
+}
+
 variable "database_encryption" {
 description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
 type = list(object({ state = string, key_name = string }))
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index b7c1232b2..bd8845758 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -19,7 +19,7 @@ terraform {
 required_providers {
 {% if beta_cluster %}
- google-beta = ">= 3.16, <4.0.0"
+ google-beta = ">= 3.19, <4.0.0"
 {% else %}
 google = ">= 3.16, <4.0.0"
 {% endif %}
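Review bot: The `dynamic "gce_persistent_disk_csi_driver_config"` block in autogen/main/cluster.tf.tmpl iterates `local.cluster_gce_pd_csi_config`, which the main.tf.tmpl hunk defines as `var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]` — a list that always holds exactly one element, so the dynamic wrapper never adds or removes the block. The adjacent `dns_cache_config { enabled = var.dns_cache }` shows the direct form; `gce_persistent_disk_csi_driver_config { enabled = var.gce_pd_csi_driver }` would do the same with no local, and if the intent was instead to follow `cluster_cloudrun_config`'s `[]` pattern and omit the block when disabled, the two branches should agree. Either way a one-line comment on the local saying why an explicit `enabled = false` is sent (presumably so the driver is actively turned off rather than left unmanaged — TODO confirm) would help the next maintainer. The generated copies in modules/beta-private-cluster-update-variant, modules/beta-private-cluster and modules/beta-public-cluster carry the same construct. Only the `true` path is exercised by test/fixtures/beta_cluster and the gcloud.rb control, so the disabled branch has no coverage.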
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 85da019a6..75f41ed62 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.16.0"
+ version = "~> 3.19.0"
 region = var.region
 }
diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf
index 8080c2b2a..c9e682c5b 100644
--- a/examples/node_pool_update_variant_beta/main.tf
+++ b/examples/node_pool_update_variant_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.16.0"
+ version = "~> 3.19.0"
 credentials = file(var.credentials_path)
 region = var.region
 }
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index 07e62ab12..f87d38cdc 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -34,7 +34,7 @@ provider "google" {
 }
 provider "google-beta" {
- version = "~> 3.16.0"
+ version = "~> 3.19.0"
 }
 module "gke" {
diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md
index 0c805e578..5aba74d58 100644
--- a/examples/simple_regional_beta/README.md
+++ b/examples/simple_regional_beta/README.md
@@ -13,6 +13,7 @@ This example illustrates how to create a simple cluster with beta features.
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes |
 | istio | Boolean to enable / disable Istio | string | `"true"` | no |
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index f994f77f0..4bd63e67e 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.16.0"
+ version = "~> 3.19.0"
 region = var.region
 }
@@ -39,6 +39,7 @@ module "gke" {
 istio = var.istio
 cloudrun = var.cloudrun
 dns_cache = var.dns_cache
+ gce_pd_csi_driver = var.gce_pd_csi_driver
 node_metadata = var.node_metadata
 sandbox_enabled = var.sandbox_enabled
 remove_default_node_pool = var.remove_default_node_pool
diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf
index 65a1e890a..a3bb1acae 100644
--- a/examples/simple_regional_beta/variables.tf
+++ b/examples/simple_regional_beta/variables.tf
@@ -63,6 +63,12 @@ variable "dns_cache" {
 default = false
 }
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ default = false
+}
+
 variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "SECURE"
diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf
index ab0ac826f..350c5db49 100644
--- a/examples/simple_regional_private_beta/main.tf
+++ b/examples/simple_regional_private_beta/main.tf
@@ -24,7 +24,7 @@ provider "google" {
 }
 provider "google-beta" {
- version = "~> 3.16.0"
+ version = "~> 3.19.0"
 region = var.region
 }
@@ -56,9 +56,10 @@ module "gke" {
 },
 ]
- istio = var.istio
- cloudrun = var.cloudrun
- dns_cache = var.dns_cache
+ istio = var.istio
+ cloudrun = var.cloudrun
+ dns_cache = var.dns_cache
+ gce_pd_csi_driver = var.gce_pd_csi_driver
 }
 data "google_client_config" "default" {
diff --git a/examples/simple_regional_private_beta/variables.tf b/examples/simple_regional_private_beta/variables.tf
index 1ee4c32c2..c0b651b69 100644
--- a/examples/simple_regional_private_beta/variables.tf
+++ b/examples/simple_regional_private_beta/variables.tf
@@ -61,3 +61,9 @@ variable "dns_cache" {
 description = "Boolean to enable / disable NodeLocal DNSCache "
 default = false
 }
+
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ default = false
+}
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index 9b40e16e3..184b747bb 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.16.0"
+ version = "~> 3.19.0"
 region = var.region
 }
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index d8d301aa8..0a545fab0 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -183,6 +183,7 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 21404796d..5abdf86a1 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -137,6 +137,14 @@ resource "google_container_cluster" "primary" {
 dns_cache_config {
 enabled = var.dns_cache
 }
+
+ dynamic "gce_persistent_disk_csi_driver_config" {
+ for_each = local.cluster_gce_pd_csi_config
+
+ content {
+ enabled = gce_persistent_disk_csi_driver_config.value.enabled
+ }
+ }
 }
 ip_allocation_policy {
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 6127c323f..98aa39d05 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -81,6 +81,8 @@ locals {
 cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
+ cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }]
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 0f3d3a8c4..7f77f3d05 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -410,6 +410,12 @@ variable "dns_cache" {
 default = false
 }
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ default = false
+}
+
 variable "database_encryption" {
 description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
 type = list(object({ state = string, key_name = string }))
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 49108e267..66b8da61a 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = "~> 0.12.6"
 required_providers {
- google-beta = ">= 3.16, <4.0.0"
+ google-beta = ">= 3.19, <4.0.0"
 }
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index bf11a3eee..08c467a56 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -161,6 +161,7 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 60a686564..a1ddfa758 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -137,6 +137,14 @@ resource "google_container_cluster" "primary" {
 dns_cache_config {
 enabled = var.dns_cache
 }
+
+ dynamic "gce_persistent_disk_csi_driver_config" {
+ for_each = local.cluster_gce_pd_csi_config
+
+ content {
+ enabled = gce_persistent_disk_csi_driver_config.value.enabled
+ }
+ }
 }
 ip_allocation_policy {
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 6127c323f..98aa39d05 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -81,6 +81,8 @@ locals {
 cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
+ cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }]
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 0f3d3a8c4..7f77f3d05 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -410,6 +410,12 @@ variable "dns_cache" {
 default = false
 }
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ default = false
+}
+
 variable "database_encryption" {
 description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
 type = list(object({ state = string, key_name = string }))
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 49108e267..66b8da61a 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = "~> 0.12.6"
 required_providers {
- google-beta = ">= 3.16, <4.0.0"
+ google-beta = ">= 3.19, <4.0.0"
 }
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 8b99702b4..4cd8e84b9 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -140,6 +140,7 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 20dd350de..224e7d773 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -137,6 +137,14 @@ resource "google_container_cluster" "primary" {
 dns_cache_config {
 enabled = var.dns_cache
 }
+
+ dynamic "gce_persistent_disk_csi_driver_config" {
+ for_each = local.cluster_gce_pd_csi_config
+
+ content {
+ enabled = gce_persistent_disk_csi_driver_config.value.enabled
+ }
+ }
 }
 ip_allocation_policy {
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index bbdf9192a..1d559b3df 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -81,6 +81,8 @@ locals {
 cluster_cloudrun_config = var.cloudrun ? [{ disabled = false }] : []
+ cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
+
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }]
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 2d802775e..aadac5660 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -386,6 +386,12 @@ variable "dns_cache" {
 default = false
 }
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ default = false
+}
+
 variable "database_encryption" {
 description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
 type = list(object({ state = string, key_name = string }))
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 49108e267..66b8da61a 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = "~> 0.12.6"
 required_providers {
- google-beta = ">= 3.16, <4.0.0"
+ google-beta = ">= 3.19, <4.0.0"
 }
 }
diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf
index e53572d4c..2b2d2556f 100644
--- a/test/fixtures/beta_cluster/main.tf
+++ b/test/fixtures/beta_cluster/main.tf
@@ -56,6 +56,8 @@ module "this" {
 dns_cache = true
+ gce_pd_csi_driver = true
+
 enable_binary_authorization = true
 pod_security_policy_config = [{
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 9ebcd5b9c..d5b41677f 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -60,6 +60,9 @@
 "cloudRunConfig" => {},
 "dnsCacheConfig" => {
 "enabled" => true,
+ },
+ "gcePersistentDiskCsiDriverConfig" => {
+ "enabled" => true,
 }
 })
 end