terraform-google-modules · jackwhelpton · Nov 17, 2021 · Nov 22, 2021 · Nov 22, 2021 · Nov 22, 2021
@@ -128,8 +128,6 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
-| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled       = bool<br>    min_cpu_cores = number<br>    max_cpu_cores = number<br>    min_memory_gb = number<br>    max_memory_gb = number<br>    gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
@@ -150,7 +148,6 @@ Then perform the following commands on the root folder:
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
-| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
@@ -190,6 +187,7 @@ Then perform the following commands on the root folder:
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
+| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
 ## Outputs
@@ -201,8 +199,6 @@ Then perform the following commands on the root folder:
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| identity\_namespace | Workload Identity namespace |
-| instance\_group\_urls | List of GKE generated instance groups |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
@@ -211,12 +207,14 @@ Then perform the following commands on the root folder:
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
 | network\_policy\_enabled | Whether network policy enabled |
+| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name |
 | node\_pools\_names | List of node pools names |
-| node\_pools\_versions | List of node pools versions |
+| node\_pools\_versions | Node pool versions by node pool name |
 | region | Cluster region |
 | release\_channel | The release channel of this cluster |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
+| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

@@ -143,9 +143,6 @@ resource "google_container_cluster" "primary" {
   }
 
   master_auth {
-    username = var.basic_auth_username
-    password = var.basic_auth_password
-
     client_certificate_config {
       issue_client_certificate = var.issue_client_certificate
     }
@@ -274,7 +271,7 @@ resource "google_container_cluster" "primary" {
         for_each = local.cluster_node_metadata_config
 
         content {
-          node_metadata = workload_metadata_config.value.node_metadata
+          mode = workload_metadata_config.value.mode
         }
       }
 
@@ -353,7 +350,7 @@ resource "google_container_cluster" "primary" {
     for_each = local.cluster_workload_identity_config
 
     content {
-      identity_namespace = workload_identity_config.value.identity_namespace
+      workload_pool = workload_identity_config.value.workload_pool
     }
   }
 
@@ -610,9 +607,10 @@ resource "google_container_node_pool" "pools" {
       for_each = local.cluster_node_metadata_config
 
       content {
-        node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata)
+        mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
       }
     }
+
     {% if beta_cluster %}
     dynamic "sandbox_config" {
       for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []

@@ -20,8 +20,9 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version                     = "~> 2.1.0"
+  source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version = "~> 3.1"
+
   enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
   cluster_name                = google_container_cluster.primary.name
   cluster_location            = google_container_cluster.primary.location

@@ -112,7 +112,7 @@ locals {
   }]
 
   cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
-    node_metadata = var.node_metadata
+    mode = var.node_metadata
   }]
 
   cluster_output_name           = google_container_cluster.primary.name
@@ -152,8 +152,9 @@ locals {
     cidr_blocks : var.master_authorized_networks
   }]
 
-  cluster_output_node_pools_names    = concat([for np in google_container_node_pool.pools : np.name], [""])
-  cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""])
+  cluster_output_node_pools_names               = concat([for np in google_container_node_pool.pools : np.name], [""])
+  cluster_output_node_pools_versions            = { for np in google_container_node_pool.pools : np.name => np.version }
+  cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls }
 
   cluster_master_auth_list_layer1 = local.cluster_output_master_auth
   cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
@@ -172,12 +173,13 @@ locals {
   cluster_monitoring_service                 = local.cluster_output_monitoring_service
   cluster_node_pools_names                   = local.cluster_output_node_pools_names
   cluster_node_pools_versions                = local.cluster_output_node_pools_versions
+  cluster_node_pools_instance_group_urls     = local.cluster_output_node_pools_instance_group_urls
   cluster_network_policy_enabled             = !local.cluster_output_network_policy_enabled
   cluster_http_load_balancing_enabled        = !local.cluster_output_http_load_balancing_enabled
   cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled
-  workload_identity_enabled                  = !(var.identity_namespace == null || var.identity_namespace == "null")
-  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
-    identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
+  workload_identity_enabled                  = !(var.workload_pool == null || var.workload_pool == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{
+    workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool
   }]
 {% if beta_cluster %}
   # BETA features

@@ -114,10 +114,15 @@ output "node_pools_names" {
 }
 
 output "node_pools_versions" {
-  description = "List of node pools versions"
+  description = "Node pool versions by node pool name"
   value       = local.cluster_node_pools_versions
 }
 
+output "node_pools_instance_group_urls" {
+  description = "Lists of GKE generated instance groups by node pool name"
+  value       = local.cluster_node_pools_instance_group_urls
+}
+
 output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = local.service_account
@@ -128,18 +133,13 @@ output "release_channel" {
   value       = var.release_channel
 }
 
-output "identity_namespace" {
-  description = "Workload Identity namespace"
-  value       = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null
+output "workload_pool" {
+  description = "Workload Identity pool"
+  value       = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null
   depends_on = [
     google_container_cluster.primary
   ]
 }
-
-output "instance_group_urls" {
-  description = "List of GKE generated instance groups"
-  value       = google_container_cluster.primary.instance_group_urls
-}
 {% if private_cluster %}
 
 output "master_ipv4_cidr_block" {

@@ -379,18 +379,6 @@ variable "service_account" {
   default     = ""
 }
 
-variable "basic_auth_username" {
-  type        = string
-  description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
-  default     = ""
-}
-
-variable "basic_auth_password" {
-  type        = string
-  description = "The password to be used with Basic Authentication."
-  default     = ""
-}
-
 variable "issue_client_certificate" {
   type        = bool
   description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
@@ -548,8 +536,8 @@ variable "database_encryption" {
   }]
 }
 
-variable "identity_namespace" {
-  description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)"
+variable "workload_pool" {
+  description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
   type        = string
   default     = "enabled"
 }

@@ -24,7 +24,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.79.0, <4.0.0"
+      version = ">= 4.0.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
@@ -38,7 +38,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.39.0, <4.0.0"
+      version = ">= 4.0.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

@@ -103,10 +103,6 @@ module "gke" {
   registry_project_ids   = var.registry_project_ids
   grant_registry_access  = var.grant_registry_access
 
-  // Basic Auth disabled
-  basic_auth_username = ""
-  basic_auth_password = ""
-
   issue_client_certificate = false
 
   cluster_resource_labels = var.cluster_resource_labels
@@ -157,7 +153,7 @@ module "gke" {
   enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling
 
   // We enable identity namespace by default.
-  identity_namespace = "${var.project_id}.svc.id.goog"
+  workload_pool = "${var.project_id}.svc.id.goog"
 
   authenticator_security_group = var.authenticator_security_group
 

@@ -104,7 +104,7 @@ output "node_pools_names" {
 }
 
 output "node_pools_versions" {
-  description = "List of node pools versions"
+  description = "Node pool versions by node pool name"
   value       = module.gke.node_pools_versions
 }
 

@@ -90,9 +90,6 @@ resource "google_container_cluster" "primary" {
   }
 
   master_auth {
-    username = var.basic_auth_username
-    password = var.basic_auth_password
-
     client_certificate_config {
       issue_client_certificate = var.issue_client_certificate
     }
@@ -148,7 +145,7 @@ resource "google_container_cluster" "primary" {
         for_each = local.cluster_node_metadata_config
 
         content {
-          node_metadata = workload_metadata_config.value.node_metadata
+          mode = workload_metadata_config.value.mode
         }
       }
 
@@ -194,7 +191,7 @@ resource "google_container_cluster" "primary" {
     for_each = local.cluster_workload_identity_config
 
     content {
-      identity_namespace = workload_identity_config.value.identity_namespace
+      workload_pool = workload_identity_config.value.workload_pool
     }
   }
 
@@ -322,10 +319,11 @@ resource "google_container_node_pool" "pools" {
       for_each = local.cluster_node_metadata_config
 
       content {
-        node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata)
+        mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
       }
     }
 
+
     shielded_instance_config {
       enable_secure_boot          = lookup(each.value, "enable_secure_boot", false)
       enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)

@@ -20,8 +20,9 @@
   Delete default kube-dns configmap
  *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
-  source                      = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
-  version                     = "~> 2.1.0"
+  source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version = "~> 3.1"
+
   enabled                     = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
   cluster_name                = google_container_cluster.primary.name
   cluster_location            = google_container_cluster.primary.location

@@ -0,0 +1,43 @@
+# Upgrading to v18.0
+
+The v18.0 release of *kubernetes-engine* is a backwards incompatible release.
+
+### Kubernetes Basic Authentication removed
+Basic authentication is deprecated and has been removed in GKE 1.19 and later.
+Owing to this, the `basic_auth_username` and `basic_auth_password` variables
+have been eliminated.
+
+```diff
+ module "gke" {
+   source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
+-  version = "~> 17.0"
++  version = "~> 18.0"
+
+-  basic_auth_username = "admin"
+-  basic_auth_password = "s3crets!"
+}
+```
+
+### identity_namespace renamed to workload_pool
+The `identity_namespace` variable has been renamed for consistency with the
+Kubernetes API; the behavior (e.g. enabling Workload Identity by default)
+remains the same.
+
+```diff
+ module "gke" {
+   source  = "terraform-google-modules/kubernetes-engine/google"
+-  version = "~> 17.0"
++  version = "~> 18.0"
+
+-  identity_namespace = null
++  workload_pool      = null
+}
+```
+
+### node_pools_versions is now keyed by node-pool name
+The `node_pools_versions` output is now an object keyed by node-pool name,
+rather than a list as previously.
+
+### instance_group_urls is now removed
+The `instance_group_urls` output has been removed in favor of a node-pool level
+output `node_pools_instance_group_urls`, keyed by node-pool name.
@@ -4,7 +4,7 @@ The v8.0 release of *kubernetes-engine* is a backwards incompatible
 release.
 
 ## Workload Identity (beta)
-Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `identity_namespace = null`
+Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `workload_pool = null`
 
 ## Shielded Nodes (beta)
 Beta clusters now have shielded nodes enabled by default. To disable, set `enable_shielded_nodes = false`
@@ -15,8 +15,10 @@
  */
 
 module "enabled_google_apis" {
-  source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 10.0"
+  source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"
+
+  #source  = "terraform-google-modules/project-factory/google//modules/project_services"
+  #version = "~> 11.3"
 
   project_id                  = var.project
   disable_services_on_destroy = false

@@ -15,8 +15,10 @@
  */
 
 module "enabled_google_apis" {
-  source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 10.0"
+  source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"
+
+  #source  = "terraform-google-modules/project-factory/google//modules/project_services"
+  #version = "~> 11.3"
 
   project_id                  = var.project
   disable_services_on_destroy = false