From 65aa00e0af8ce88be54ac92e0620d17ca133463b Mon Sep 17 00:00:00 2001 
From: cloud-foundation-bot Date: Tue, 16 Nov 2021 19:16:48 -0600 Subject: [PATCH 01/35] feat: update TPG version constraints to allow 4.0 --- examples/deploy_service/main.tf | 5 --- .../deploy_service}/versions.tf | 13 +++++-- examples/disable_client_cert/main.tf | 5 --- .../disable_client_cert}/versions.tf | 13 +++++-- examples/node_pool/main.tf | 5 --- examples/node_pool/versions.tf | 31 ++++++++++++++++ examples/node_pool_update_variant/main.tf | 5 --- examples/node_pool_update_variant/versions.tf | 28 +++++++++++++++ .../node_pool_update_variant_beta/main.tf | 1 - .../node_pool_update_variant_beta/versions.tf | 31 ++++++++++++++++ .../main.tf | 1 - .../versions.tf | 31 ++++++++++++++++ .../versions.tf | 12 +++++-- .../provider.tf | 8 ----- .../versions.tf | 32 +++++++++++++++++ examples/safer_cluster/main.tf | 8 ----- examples/safer_cluster/versions.tf | 18 +++++++++- .../safer_cluster_iap_bastion/provider.tf | 8 ----- .../safer_cluster_iap_bastion/versions.tf | 35 +++++++++++++++++++ examples/shared_vpc/main.tf | 5 --- examples/shared_vpc/versions.tf | 28 +++++++++++++++ examples/simple_regional/main.tf | 5 --- examples/simple_regional/versions.tf | 28 +++++++++++++++ examples/simple_regional_beta/main.tf | 5 --- examples/simple_regional_beta/versions.tf | 14 +++++++- examples/simple_regional_private/main.tf | 5 --- examples/simple_regional_private/versions.tf | 28 +++++++++++++++ examples/simple_regional_private_beta/main.tf | 10 ------ .../simple_regional_private_beta/versions.tf | 15 +++++++- .../simple_regional_with_kubeconfig/main.tf | 5 --- .../versions.tf | 28 +++++++++++++++ .../simple_regional_with_networking/main.tf | 4 --- .../versions.tf | 28 +++++++++++++++ examples/simple_zonal_private/main.tf | 5 --- examples/simple_zonal_private/versions.tf | 28 +++++++++++++++ examples/simple_zonal_with_acm/main.tf | 5 --- examples/simple_zonal_with_acm/versions.tf | 28 +++++++++++++++ examples/simple_zonal_with_asm/main.tf | 10 ------ 
examples/simple_zonal_with_asm/versions.tf | 15 +++++++- examples/simple_zonal_with_hub/main.tf | 5 --- examples/simple_zonal_with_hub/versions.tf | 28 +++++++++++++++ .../versions.tf | 28 +++++++++++++++ examples/stub_domains/main.tf | 5 --- examples/stub_domains/versions.tf | 28 +++++++++++++++ examples/stub_domains_private/main.tf | 5 --- examples/stub_domains_private/versions.tf | 28 +++++++++++++++ .../stub_domains_upstream_nameservers/main.tf | 5 --- .../versions.tf | 11 +++++- examples/upstream_nameservers/main.tf | 5 --- examples/upstream_nameservers/versions.tf | 11 +++++- examples/workload_identity/main.tf | 5 --- examples/workload_identity/versions.tf | 28 +++++++++++++++ examples/workload_metadata_config/main.tf | 5 --- examples/workload_metadata_config/versions.tf | 14 +++++++- .../versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- test/fixtures/deploy_service/network.tf | 1 - test/fixtures/disable_client_cert/network.tf | 1 - test/fixtures/shared_vpc/network.tf | 1 - test/fixtures/simple_regional/network.tf | 1 - .../network.tf | 1 - test/fixtures/simple_zonal/network.tf | 1 - .../fixtures/simple_zonal_with_asm/network.tf | 1 - test/fixtures/stub_domains/network.tf | 1 - .../network.tf | 1 - test/fixtures/upstream_nameservers/network.tf | 1 - test/setup/versions.tf | 23 +++++++----- 72 files changed, 668 insertions(+), 179 deletions(-) rename {test/fixtures/upstream_nameservers => examples/deploy_service}/versions.tf (71%) rename {test/fixtures/workload_metadata_config => examples/disable_client_cert}/versions.tf (71%) create mode 100644 examples/node_pool/versions.tf create mode 100644 examples/node_pool_update_variant/versions.tf create mode 100644 examples/node_pool_update_variant_beta/versions.tf create mode 100644 
examples/node_pool_update_variant_public_beta/versions.tf rename {test/fixtures/stub_domains_upstream_nameservers => examples/private_zonal_with_networking}/versions.tf (73%) create mode 100644 examples/regional_private_node_pool_oauth_scopes/versions.tf create mode 100644 examples/safer_cluster_iap_bastion/versions.tf create mode 100644 examples/shared_vpc/versions.tf create mode 100644 examples/simple_regional/versions.tf create mode 100644 examples/simple_regional_private/versions.tf create mode 100644 examples/simple_regional_with_kubeconfig/versions.tf create mode 100644 examples/simple_regional_with_networking/versions.tf create mode 100644 examples/simple_zonal_private/versions.tf create mode 100644 examples/simple_zonal_with_acm/versions.tf create mode 100644 examples/simple_zonal_with_hub/versions.tf create mode 100644 examples/simple_zonal_with_hub_kubeconfig/versions.tf create mode 100644 examples/stub_domains/versions.tf create mode 100644 examples/stub_domains_private/versions.tf create mode 100644 examples/workload_identity/versions.tf diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 75908d8689..5a659b79bc 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "deploy-service" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/test/fixtures/upstream_nameservers/versions.tf b/examples/deploy_service/versions.tf similarity index 71% rename from test/fixtures/upstream_nameservers/versions.tf rename to examples/deploy_service/versions.tf index 22884dadd4..e8fbb1aadd 100644 --- a/test/fixtures/upstream_nameservers/versions.tf +++ b/examples/deploy_service/versions.tf 
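Review bot: The removed `provider "google"` block took `region = var.region` with it, so this hunk changes more than the version constraint the subject describes: unless another file in the example still configures it, nothing sets the provider's default region any more. If any resource in the example relied on that default rather than an explicit `region`/`location` argument it will now need `GOOGLE_REGION` from the environment, and if none does, `var.region` is probably left declared but unused (neither can be confirmed from the hunk). The node_pool_update_variant_beta and node_pool_update_variant_public_beta main.tf hunks keep their provider block and drop only the `version` line, which is the narrower change. For consistency either keep `provider "google" { region = var.region }` here and in the other main.tf hunks that drop the whole block (disable_client_cert, node_pool, node_pool_update_variant, shared_vpc, simple_regional, simple_regional_private, simple_regional_private_beta, simple_regional_with_kubeconfig, simple_zonal_private, simple_zonal_with_acm, simple_zonal_with_asm, simple_zonal_with_hub), or say in the commit message that the provider blocks are intentionally removed.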
@@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" } diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index 37479596dc..8696ffc0de 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "disable-cluster-cert" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/test/fixtures/workload_metadata_config/versions.tf b/examples/disable_client_cert/versions.tf similarity index 71% rename from test/fixtures/workload_metadata_config/versions.tf rename to examples/disable_client_cert/versions.tf index 22884dadd4..e8fbb1aadd 100644 --- a/test/fixtures/workload_metadata_config/versions.tf +++ b/examples/disable_client_cert/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" } diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index e2b98cf9ef..445d5e039b 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf 
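Review bot: The rename in this hunk moves test/fixtures/upstream_nameservers/versions.tf out of the fixture directory instead of copying it, and the diffstat shows the same for test/fixtures/workload_metadata_config/versions.tf (disable_client_cert hunk) and test/fixtures/stub_domains_upstream_nameservers/versions.tf (private_zonal_with_networking hunk). test/fixtures/upstream_nameservers/network.tf is still edited in this patch, so at least that fixture appears to remain a root module; after the move it carries no `required_version` and no `required_providers` constraint, so `terraform init` there takes whatever provider release is newest and can drift past 4.x over time. If the test harness still initialises these fixtures, they should keep a versions.tf with `google = { source = "hashicorp/google", version = "~> 4.0" }` (or whatever constraint the harness expects); if they are now driven entirely from test/setup, a sentence in the commit message saying so would save the next reader the same question.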
@@ -18,11 +18,6 @@ locals { cluster_type = "node-pool" } -provider "google-beta" { - version = "~> 3.90.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/node_pool/versions.tf b/examples/node_pool/versions.tf new file mode 100644 index 0000000000..68ef071848 --- /dev/null +++ b/examples/node_pool/versions.tf @@ -0,0 +1,31 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index 8f4900bfa8..05cc542aa6 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "node-pool-update-variant" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_compute_subnetwork" "subnetwork" { name = var.subnetwork project = var.project_id diff --git a/examples/node_pool_update_variant/versions.tf b/examples/node_pool_update_variant/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/node_pool_update_variant/versions.tf 
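Review bot: In the new examples/node_pool/versions.tf the `google` entry has a `source` but no `version`, while `google-beta` in the same block is pinned `~> 4.0`. An unconstrained provider resolves to the newest release at `init`, so this example can pick up a future google 5.x with breaking changes and can end up on a different major than google-beta, although the two providers are released together and are normally kept on the same constraint. Adding `version = "~> 4.0"` under `google` closes that; the same gap is in the node_pool_update_variant_beta, node_pool_update_variant_public_beta and simple_regional_beta versions.tf hunks, and in private_zonal_with_networking neither `google` nor `kubernetes` has a constraint at all. The `kubernetes` provider is unconstrained in every new versions.tf in the patch; if that is deliberate (examples tracking the latest kubernetes provider), a one-line comment on the entry would make the intent clear.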
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index b282aa608e..da631a7b63 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -19,7 +19,6 @@ locals { } provider "google-beta" { - version = "~> 3.87.0" credentials = file(var.credentials_path) region = var.region } diff --git a/examples/node_pool_update_variant_beta/versions.tf b/examples/node_pool_update_variant_beta/versions.tf new file mode 100644 index 0000000000..68ef071848 --- /dev/null +++ b/examples/node_pool_update_variant_beta/versions.tf 
@@ -0,0 +1,31 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index 10e9c084ef..b6863e7db9 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf @@ -19,7 +19,6 @@ locals { } provider "google-beta" { - version = "~> 3.87.0" credentials = file(var.credentials_path) region = var.region } diff --git a/examples/node_pool_update_variant_public_beta/versions.tf b/examples/node_pool_update_variant_public_beta/versions.tf new file mode 100644 index 0000000000..68ef071848 --- /dev/null +++ b/examples/node_pool_update_variant_public_beta/versions.tf 
@@ -0,0 +1,31 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/test/fixtures/stub_domains_upstream_nameservers/versions.tf b/examples/private_zonal_with_networking/versions.tf similarity index 73% rename from test/fixtures/stub_domains_upstream_nameservers/versions.tf rename to examples/private_zonal_with_networking/versions.tf index 22884dadd4..61934a306b 100644 --- a/test/fixtures/stub_domains_upstream_nameservers/versions.tf +++ b/examples/private_zonal_with_networking/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,5 +15,13 @@ */ terraform { - required_version = ">=0.12" + required_providers { + google = { + source = "hashicorp/google" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" } diff --git a/examples/regional_private_node_pool_oauth_scopes/provider.tf b/examples/regional_private_node_pool_oauth_scopes/provider.tf index 28e2d75ab1..b99defc516 100644 --- a/examples/regional_private_node_pool_oauth_scopes/provider.tf 
+++ b/examples/regional_private_node_pool_oauth_scopes/provider.tf @@ -14,14 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.55.0" -} - -provider "google-beta" { - version = "~> 3.87.0" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/regional_private_node_pool_oauth_scopes/versions.tf b/examples/regional_private_node_pool_oauth_scopes/versions.tf new file mode 100644 index 0000000000..551261c443 --- /dev/null +++ b/examples/regional_private_node_pool_oauth_scopes/versions.tf @@ -0,0 +1,32 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index 84b94d79e6..d6de0cd279 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -30,14 +30,6 @@ locals { subnet_names = [for subnet_self_link in module.gcp-network.subnets_self_links : split("/", subnet_self_link)[length(split("/", subnet_self_link)) - 1]] } -provider "google" { - version = "~> 3.55.0" -} - -provider "google-beta" { - version = "~> 3.87.0" -} - data "google_client_config" "default" {} provider "kubernetes" { 
diff --git a/examples/safer_cluster/versions.tf b/examples/safer_cluster/versions.tf index 22884dadd4..2d448a4b78 100644 --- a/examples/safer_cluster/versions.tf +++ b/examples/safer_cluster/versions.tf @@ -15,5 +15,21 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + random = { + source = "hashicorp/random" + } + } } diff --git a/examples/safer_cluster_iap_bastion/provider.tf b/examples/safer_cluster_iap_bastion/provider.tf index ca882e5f56..3da3ba8e5e 100644 --- a/examples/safer_cluster_iap_bastion/provider.tf +++ b/examples/safer_cluster_iap_bastion/provider.tf @@ -14,14 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.52.0" -} - -provider "google-beta" { - version = "~> 3.87.0" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/safer_cluster_iap_bastion/versions.tf b/examples/safer_cluster_iap_bastion/versions.tf new file mode 100644 index 0000000000..a7d13b052a --- /dev/null +++ b/examples/safer_cluster_iap_bastion/versions.tf 
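Review bot: This hunk places `required_version` before `required_providers`, whereas the versions.tf files created elsewhere in the patch (node_pool, shared_vpc, simple_regional and the rest) put `required_version` last; simple_regional_beta, simple_regional_private_beta and simple_zonal_with_asm follow this hunk's order. Both layouts are valid HCL, but the files are otherwise identical boilerplate, and a single layout across the patch makes the next major-version bump a plain search-and-replace. Moving `required_version = ">= 0.13"` to after the closing brace of `required_providers` here and in the three files named above matches the majority.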
@@ -0,0 +1,35 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + template = { + source = "hashicorp/template" + } + } + required_version = ">= 0.13" +} diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index 4e1c2a1b56..72cba631b9 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "shared-vpc" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/shared_vpc/versions.tf b/examples/shared_vpc/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/shared_vpc/versions.tf 
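Review bot: The new safer_cluster_iap_bastion/versions.tf declares `template = { source = "hashicorp/template" }` with no version constraint. The hashicorp/template provider is archived upstream and no longer receives releases or fixes, so the example is taking on a dependency that will never follow the 4.x move the rest of this patch makes; if it is only used to render a startup script, the built-in `templatefile()` function replaces it without any provider (whether the example uses `data "template_file"` cannot be seen from this hunk). If the provider has to stay, pin it to the version the example was tested against so `init` is reproducible.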
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 0ddfa5581a..45bdcf9ccb 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional/versions.tf b/examples/simple_regional/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_regional/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 12ec938e7f..a97cc09f1e 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional-beta" } -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_beta/versions.tf b/examples/simple_regional_beta/versions.tf index 22884dadd4..9d7a496483 100644 --- a/examples/simple_regional_beta/versions.tf +++ b/examples/simple_regional_beta/versions.tf @@ -15,5 +15,17 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index d0d0385428..51a5ee846e 100644 --- a/examples/simple_regional_private/main.tf 
+++ b/examples/simple_regional_private/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional-private" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_private/versions.tf b/examples/simple_regional_private/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_regional_private/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 0c7d6885f6..50c9374a4d 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -18,16 +18,6 @@ locals { cluster_type = "simple-regional-private-beta" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_private_beta/versions.tf b/examples/simple_regional_private_beta/versions.tf index 22884dadd4..bd6eb4f181 100644 
--- a/examples/simple_regional_private_beta/versions.tf +++ b/examples/simple_regional_private_beta/versions.tf @@ -15,5 +15,18 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index 645d4b666b..183c0721dc 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-regional" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_with_kubeconfig/versions.tf b/examples/simple_regional_with_kubeconfig/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_regional_with_kubeconfig/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} 
diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index f1f9b48b43..d96ddd0660 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf @@ -14,10 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.55.0" -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_regional_with_networking/versions.tf b/examples/simple_regional_with_networking/versions.tf new file mode 100644 index 0000000000..2d51f4c8f0 --- /dev/null +++ b/examples/simple_regional_with_networking/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 3.45.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index d98718c9a6..e845f41ca9 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-zonal-private" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { 
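Review bot: The new examples/simple_regional_with_networking/versions.tf pins `google` to `~> 3.45.0`, an older patch series than the `~> 3.55.0` constraint the main.tf hunk on this line just removed, and it excludes the 4.x releases the subject says the patch is meant to allow. Every other new versions.tf in the patch uses `~> 4.0`, so unless this example depends on something 4.0 removed, the line should read `version = "~> 4.0"`. The examples/simple_zonal_with_asm/versions.tf hunk has the same problem in a milder form: `google` stays on `~> 3.63.0` while `google-beta` in the same file moves to `~> 4.0`, leaving the two providers on different majors. If a 3.x pin is deliberate there (for example to match a submodule's constraint), a comment on that line saying why would stop the next bump from "fixing" it.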
diff --git a/examples/simple_zonal_private/versions.tf b/examples/simple_zonal_private/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_zonal_private/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index 70a1f3f12e..540c3a6bb3 100644 --- a/examples/simple_zonal_with_acm/main.tf +++ b/examples/simple_zonal_with_acm/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-zonal" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_acm/versions.tf b/examples/simple_zonal_with_acm/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_zonal_with_acm/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index d8a5f9a818..849248d38e 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -18,16 +18,6 @@ locals { cluster_type = "simple-zonal-asm" } -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - -provider "google" { - version = "~> 3.63.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_asm/versions.tf b/examples/simple_zonal_with_asm/versions.tf index 1dcf340b5c..b805d61b14 100644 --- a/examples/simple_zonal_with_asm/versions.tf +++ b/examples/simple_zonal_with_asm/versions.tf @@ -15,5 +15,18 @@ */ terraform { - required_version = ">=0.13" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 3.63.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } 
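Review bot: `examples/simple_zonal_with_asm/versions.tf` now requires `google` at `~> 3.63.0` but `google-beta` at `~> 4.0`, so the two providers in the same root resolve one major version apart, whereas the `provider` blocks this commit removes from `main.tf` kept both on 3.x. Crossing a major-version boundary for only one of the pair means resources declared through the GA provider are evaluated against 3.63 while beta ones see 4.x, and the later patch in this series removes arguments that 4.0 no longer accepts, which suggests the split is not harmless. If it is intentional, add a comment above the `google` entry explaining why it stays on 3.63; otherwise align it to `version = "~> 4.0"`. The `kubernetes` entry is again left without any version constraint.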
diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index f19b592f77..8c1d039143 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "simple-zonal" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/simple_zonal_with_hub/versions.tf b/examples/simple_zonal_with_hub/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_zonal_with_hub/versions.tf @@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_hub_kubeconfig/versions.tf b/examples/simple_zonal_with_hub_kubeconfig/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/simple_zonal_with_hub_kubeconfig/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 150514976e..808f4b4366 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "stub-domains" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/stub_domains/versions.tf b/examples/stub_domains/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/stub_domains/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index e2d077b849..3a04cfbe3e 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/stub_domains_private/versions.tf b/examples/stub_domains_private/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/stub_domains_private/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index f64f02f499..d9aa82baba 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "domains-nameservers" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/stub_domains_upstream_nameservers/versions.tf b/examples/stub_domains_upstream_nameservers/versions.tf index 22884dadd4..424ba9ae7e 100644 --- a/examples/stub_domains_upstream_nameservers/versions.tf +++ b/examples/stub_domains_upstream_nameservers/versions.tf @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 1ab9edc1d3..df8954c3b4 100644 --- a/examples/upstream_nameservers/main.tf 
+++ b/examples/upstream_nameservers/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "upstream-nameservers" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/upstream_nameservers/versions.tf b/examples/upstream_nameservers/versions.tf index 22884dadd4..424ba9ae7e 100644 --- a/examples/upstream_nameservers/versions.tf +++ b/examples/upstream_nameservers/versions.tf @@ -15,5 +15,14 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 2b6fe82e20..8647836729 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "regional" } -provider "google" { - version = "~> 3.55.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/workload_identity/versions.tf b/examples/workload_identity/versions.tf new file mode 100644 index 0000000000..e8fbb1aadd --- /dev/null +++ b/examples/workload_identity/versions.tf 
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index b146e30c33..dd4b806feb 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -18,11 +18,6 @@ locals { cluster_type = "workload-metadata-private" } -provider "google-beta" { - version = "~> 3.87.0" - region = var.region -} - data "google_client_config" "default" {} provider "kubernetes" { diff --git a/examples/workload_metadata_config/versions.tf b/examples/workload_metadata_config/versions.tf index 22884dadd4..9d7a496483 100644 --- a/examples/workload_metadata_config/versions.tf +++ b/examples/workload_metadata_config/versions.tf @@ -15,5 +15,17 @@ */ terraform { - required_version = ">=0.12" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 52a38d0c0b..3e3fee4b97 100644 
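Review bot: In `examples/workload_metadata_config/versions.tf` the `google` entry has a `source` but no `version`, while `google-beta` is pinned to `~> 4.0`; with the old `provider "google-beta"` block gone from `main.tf`, nothing in this example constrains the GA provider, so `terraform init` takes the newest release available at that moment, which may differ from the beta provider's major and from whatever the module was tested against. Add `version = "~> 4.0"` under `google` so both providers resolve to the same major. `kubernetes` likewise has no constraint in this file.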
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 3.87.0, <4.0.0"
+ version = ">= 3.79.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 8f194b9aa8..1ae2732d4d 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 3.87.0, <4.0.0"
+ version = ">= 3.79.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index d5aae51563..ce446c8b38 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 3.87.0, <4.0.0"
+ version = ">= 3.79.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 78789f3e96..a6db3c50f0 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 3.87.0, <4.0.0"
+ version = ">= 3.79.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 98d3b74f99..1792826535 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 3.55.0, <4.0.0"
+ version = ">= 3.39.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 484c1eac5f..26b8caff43 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 3.55.0, <4.0.0"
+ version = ">= 3.39.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf
index cd4b163fb9..1f4a825e4c 100644
--- a/modules/workload-identity/versions.tf
+++ b/modules/workload-identity/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 3.39.0, <4.0.0"
+ version = ">= 3.39.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/test/fixtures/deploy_service/network.tf b/test/fixtures/deploy_service/network.tf
index a0fd4082cc..94bb29e63c 100644
--- a/test/fixtures/deploy_service/network.tf
+++ b/test/fixtures/deploy_service/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/disable_client_cert/network.tf b/test/fixtures/disable_client_cert/network.tf
index a0fd4082cc..94bb29e63c 100644
--- a/test/fixtures/disable_client_cert/network.tf
+++ b/test/fixtures/disable_client_cert/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" {
 }
 provider "google" {
- version = "~> 3.55.0"
 project = var.project_ids[0]
 }
diff --git a/test/fixtures/shared_vpc/network.tf b/test/fixtures/shared_vpc/network.tf
index a0fd4082cc..94bb29e63c 100644
--- a/test/fixtures/shared_vpc/network.tf
+++ b/test/fixtures/shared_vpc/network.tf
@@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[0] } diff --git a/test/fixtures/simple_regional/network.tf b/test/fixtures/simple_regional/network.tf index a0fd4082cc..94bb29e63c 100644 --- a/test/fixtures/simple_regional/network.tf +++ b/test/fixtures/simple_regional/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[0] } diff --git a/test/fixtures/simple_regional_with_kubeconfig/network.tf b/test/fixtures/simple_regional_with_kubeconfig/network.tf index 4c64f5a90c..acb91a126b 100644 --- a/test/fixtures/simple_regional_with_kubeconfig/network.tf +++ b/test/fixtures/simple_regional_with_kubeconfig/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[0] } diff --git a/test/fixtures/simple_zonal/network.tf b/test/fixtures/simple_zonal/network.tf index 9f9824bd7c..e0bf46c2f2 100644 --- a/test/fixtures/simple_zonal/network.tf +++ b/test/fixtures/simple_zonal/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[1] } diff --git a/test/fixtures/simple_zonal_with_asm/network.tf b/test/fixtures/simple_zonal_with_asm/network.tf index 22c0c97239..0b538b4b58 100644 --- a/test/fixtures/simple_zonal_with_asm/network.tf +++ b/test/fixtures/simple_zonal_with_asm/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.63.0" project = var.project_ids[2] } diff --git a/test/fixtures/stub_domains/network.tf b/test/fixtures/stub_domains/network.tf index a6fff524fe..a24129ec4f 100644 --- a/test/fixtures/stub_domains/network.tf +++ b/test/fixtures/stub_domains/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[1] } 
diff --git a/test/fixtures/stub_domains_upstream_nameservers/network.tf b/test/fixtures/stub_domains_upstream_nameservers/network.tf index b94679b3a7..8ec5389ade 100644 --- a/test/fixtures/stub_domains_upstream_nameservers/network.tf +++ b/test/fixtures/stub_domains_upstream_nameservers/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[1] } diff --git a/test/fixtures/upstream_nameservers/network.tf b/test/fixtures/upstream_nameservers/network.tf index b94679b3a7..8ec5389ade 100644 --- a/test/fixtures/upstream_nameservers/network.tf +++ b/test/fixtures/upstream_nameservers/network.tf @@ -21,7 +21,6 @@ resource "random_string" "suffix" { } provider "google" { - version = "~> 3.55.0" project = var.project_ids[1] } diff --git a/test/setup/versions.tf b/test/setup/versions.tf index 1963f1ed9b..026fdac3ca 100644 --- a/test/setup/versions.tf +++ b/test/setup/versions.tf @@ -15,13 +15,18 @@ */ terraform { - required_version = ">=0.12" -} - -provider "google" { - version = "3.50.0" -} - -provider "google-beta" { - version = "3.50.0" + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = "3.50.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = "3.50.0" + } + random = { + source = "hashicorp/random" + } + } } From d988d3eb817c8c171f1d9c890ce8609daccdcfda Mon Sep 17 00:00:00 2001 
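Review bot: `test/setup/versions.tf` keeps `google` and `google-beta` at the exact pin `3.50.0` while the examples in this series move to `~> 4.0`, so the project-setup root is exercised against a provider major the rest of the repository no longer targets; if that is intentional because the setup resources do not need 4.x, a short comment above the two pins saying so would prevent a later drive-by bump, otherwise raise them together with the examples. The newly declared `random` entry carries no version constraint at all, unlike its two siblings, so it is the one provider in this root whose resolved version depends on registry state at `terraform init` time; give it an explicit bound for the same reproducibility the exact google pins are clearly meant to provide.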
From: Jack Whelpton Date: Mon, 22 Nov 2021 10:05:11 -0800 Subject: [PATCH 02/35] Removes basic auth, renames namespace_identity --- autogen/main/cluster.tf.tmpl | 5 +-- autogen/main/main.tf.tmpl | 6 ++-- autogen/main/outputs.tf.tmpl | 6 ++-- autogen/main/variables.tf.tmpl | 16 ++------- autogen/safer-cluster/main.tf.tmpl | 6 +--- cluster.tf | 5 +-- docs/upgrading_to_v18.0.md | 35 +++++++++++++++++++ docs/upgrading_to_v8.0.md | 2 +- examples/simple_regional_beta/main.tf | 4 +-- examples/simple_regional_beta/test_outputs.tf | 4 +-- .../simple_zonal_with_asm/test_outputs.tf | 4 +-- main.tf | 6 ++-- .../cluster.tf | 5 +-- .../main.tf | 6 ++-- .../outputs.tf | 6 ++-- .../variables.tf | 4 +-- .../versions.tf | 2 +- modules/beta-private-cluster/cluster.tf | 5 +-- modules/beta-private-cluster/main.tf | 6 ++-- modules/beta-private-cluster/outputs.tf | 6 ++-- modules/beta-private-cluster/variables.tf | 4 +-- modules/beta-private-cluster/versions.tf | 2 +- .../cluster.tf | 5 +-- .../main.tf | 6 ++-- .../outputs.tf | 6 ++-- .../variables.tf | 4 +-- .../versions.tf | 2 +- modules/beta-public-cluster/cluster.tf | 5 +-- modules/beta-public-cluster/main.tf | 6 ++-- modules/beta-public-cluster/outputs.tf | 6 ++-- modules/beta-public-cluster/variables.tf | 4 +-- modules/beta-public-cluster/versions.tf | 2 +- .../private-cluster-update-variant/cluster.tf | 5 +-- .../private-cluster-update-variant/main.tf | 6 ++-- .../private-cluster-update-variant/outputs.tf | 6 ++-- .../variables.tf | 16 ++------- .../versions.tf | 2 +- modules/private-cluster/cluster.tf | 5 +-- modules/private-cluster/main.tf | 6 ++-- modules/private-cluster/outputs.tf | 6 ++-- modules/private-cluster/variables.tf | 4 +-- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/main.tf | 2 +- modules/safer-cluster/main.tf | 2 +- outputs.tf | 6 ++-- test/fixtures/beta_cluster/outputs.tf | 4 +-- test/integration/beta_cluster/inspec.yml | 2 +- variables.tf | 16 ++------- versions.tf | 2 +- 49 
files changed, 127 insertions(+), 156 deletions(-) create mode 100644 docs/upgrading_to_v18.0.md diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index eeee6d5196..d806826ae1 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -161,9 +161,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -377,7 +374,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 2bf90161ea..da8237cb48 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -175,9 +175,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] {% if beta_cluster %} # BETA features 
diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index fd58ec9c24..f15808020f 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index ea8e1fe01b..2f0f116c35 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -394,18 +394,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" 
@@ -563,8 +551,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 720b1eb87e..761826dd44 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -111,10 +111,6 @@ module "gke" { registry_project_ids = var.registry_project_ids grant_registry_access = var.grant_registry_access - // Basic Auth disabled - basic_auth_username = "" - basic_auth_password = "" - issue_client_certificate = false cluster_resource_labels = var.cluster_resource_labels @@ -165,7 +161,7 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling // We enable identity namespace by default. - identity_namespace = "${var.project_id}.svc.id.goog" + workload_pool = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/cluster.tf b/cluster.tf index 82ef9af9da..c0a7d466dc 100644 --- a/cluster.tf +++ b/cluster.tf @@ -98,9 +98,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -211,7 +208,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } 
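Review bot: The comment in `autogen/safer-cluster/main.tf.tmpl` directly above the renamed argument still reads `// We enable identity namespace by default.` although the line it annotates is now `workload_pool = "${var.project_id}.svc.id.goog"`, so the terminology this commit retires survives in every module generated from the template. Change it to `// We enable Workload Identity by default, using the project-level workload pool.` so the comment and the argument use the same name. The `module "gke"` block this hunk edits starts and ends outside the hunk.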
diff --git a/docs/upgrading_to_v18.0.md b/docs/upgrading_to_v18.0.md new file mode 100644 index 0000000000..67a9b9c146 --- /dev/null +++ b/docs/upgrading_to_v18.0.md @@ -0,0 +1,35 @@ +# Upgrading to v18.0 + +The v18.0 release of *kubernetes-engine* is a backwards incompatible release. + +### Kubernetes Basic Authentication removed +Basic authentication is deprecated and has been removed in GKE 1.19 and later. +Owing to this, the `basic_auth_username` and `basic_auth_password` variables +have been eliminated. + +```diff + module "gke" { + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" +- version = "~> 17.0" ++ version = "~> 18.0" + +- basic_auth_username = "admin" +- basic_auth_password = "s3crets!" +} +``` + +### identity_namespace renamed to workload_pool +The `identity_namespace` variable has been renamed for consistency with the +Kubernetes API; the behavior (e.g. enabling Workload Identity by default) +remains the same. + +```diff + module "gke" { + source = "terraform-google-modules/kubernetes-engine/google" +- version = "~> 17.0" ++ version = "~> 18.0" + +- identity_namespace = null ++ workload_pool = null +} +``` diff --git a/docs/upgrading_to_v8.0.md b/docs/upgrading_to_v8.0.md index 5d0f0aea7b..913a9b060e 100644 --- a/docs/upgrading_to_v8.0.md +++ b/docs/upgrading_to_v8.0.md @@ -4,7 +4,7 @@ The v8.0 release of *kubernetes-engine* is a backwards incompatible release. ## Workload Identity (beta) -Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `identity_namespace = null` +Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `workload_pool = null` ## Shielded Nodes (beta) Beta clusters now have shielded nodes enabled by default. To disable, set `enable_shielded_nodes = false` diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index a97cc09f1e..c397d89a69 100644 
--- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -52,8 +52,8 @@ module "gke" { release_channel = "REGULAR" # Disable workload identity - identity_namespace = null - node_metadata = "UNSPECIFIED" + workload_pool = null + node_metadata = "UNSPECIFIED" # Enable Dataplane Setup datapath_provider = "ADVANCED_DATAPATH" diff --git a/examples/simple_regional_beta/test_outputs.tf b/examples/simple_regional_beta/test_outputs.tf index 71e5965e05..786ff9ea29 100644 --- a/examples/simple_regional_beta/test_outputs.tf +++ b/examples/simple_regional_beta/test_outputs.tf @@ -62,6 +62,6 @@ output "master_kubernetes_version" { value = module.gke.master_version } -output "identity_namespace" { - value = module.gke.identity_namespace +output "workload_pool" { + value = module.gke.workload_pool } diff --git a/examples/simple_zonal_with_asm/test_outputs.tf b/examples/simple_zonal_with_asm/test_outputs.tf index 71e5965e05..786ff9ea29 100644 --- a/examples/simple_zonal_with_asm/test_outputs.tf +++ b/examples/simple_zonal_with_asm/test_outputs.tf @@ -62,6 +62,6 @@ output "master_kubernetes_version" { value = module.gke.master_version } -output "identity_namespace" { - value = module.gke.identity_namespace +output "workload_pool" { + value = module.gke.workload_pool } diff --git a/main.tf b/main.tf index eb511e724a..a5b88a518c 100644 --- a/main.tf +++ b/main.tf 
@@ -135,9 +135,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] } diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index fe7f85e878..1b1d0e7457 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -338,7 +335,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index d24a1e0377..6f35a599ee 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -158,9 +158,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index b60db783d8..8a728942c7 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index f25adcccf7..9ccfcd18bf 100644 
--- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -541,8 +541,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 3e3fee4b97..736164f070 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.79.0, <5.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d873637b9a..ce335e4a69 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -338,7 +335,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index d24a1e0377..6f35a599ee 100644 
--- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -158,9 +158,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index b60db783d8..8a728942c7 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index f25adcccf7..9ccfcd18bf 100644 
--- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -541,8 +541,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 1ae2732d4d..63744c1b21 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.79.0, <5.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index fe57be51c9..8e7194b11a 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -319,7 +316,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 3648af0112..9fa21407f2 100644 
--- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -157,9 +157,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 4f92d3561b..4039b05bae 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] 
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 104d1dae7f..e05e2633ac 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -510,8 +510,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index ce446c8b38..3438841319 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.79.0, <5.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 34b39e5548..f05243b8b8 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -142,9 +142,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -319,7 +316,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } 
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 3648af0112..9fa21407f2 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -157,9 +157,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 4f92d3561b..4039b05bae 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 104d1dae7f..e05e2633ac 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -510,8 +510,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index a6db3c50f0..a7d4794323 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.79.0, <5.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 6ad68cd30c..1453d23433 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -98,9 +98,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -224,7 +221,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } 
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 9fbd46a8de..bdd52d4822 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -136,9 +136,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] } diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 1f0bbeaaff..22a0dfd113 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index a1c8253d71..7fc0f4ab17 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -330,18 +330,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -416,8 +404,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 1792826535..e1d6491e1a 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.39.0, <5.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 278420d150..987b3de162 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -98,9 +98,6 @@ resource "google_container_cluster" "primary" { } master_auth { - username = var.basic_auth_username - password = var.basic_auth_password - client_certificate_config { issue_client_certificate = var.issue_client_certificate } @@ -224,7 +221,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_workload_identity_config content { - identity_namespace = workload_identity_config.value.identity_namespace + workload_pool = workload_identity_config.value.workload_pool } } diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 9fbd46a8de..bdd52d4822 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -136,9 +136,9 @@ locals { cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ - identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace + workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool }] } diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 1f0bbeaaff..22a0dfd113 100644 --- a/modules/private-cluster/outputs.tf 
+++ b/modules/private-cluster/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index a1c8253d71..4903686d7c 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -416,8 +416,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 26b8caff43..3c93df5af6 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.39.0, <5.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index b3a501f92f..d0207768a3 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf 
@@ -161,7 +161,7 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling // We enable identity namespace by default. - identity_namespace = "${var.project_id}.svc.id.goog" + workload_pool = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 803144e50f..2f2ddf5327 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -161,7 +161,7 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling // We enable identity namespace by default. - identity_namespace = "${var.project_id}.svc.id.goog" + workload_pool = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/outputs.tf b/outputs.tf index bd48ce34cc..9945ba2d65 100644 --- a/outputs.tf +++ b/outputs.tf @@ -128,9 +128,9 @@ output "release_channel" { value = var.release_channel } -output "identity_namespace" { - description = "Workload Identity namespace" - value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null +output "workload_pool" { + description = "Workload Identity pool" + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ google_container_cluster.primary ] diff --git a/test/fixtures/beta_cluster/outputs.tf b/test/fixtures/beta_cluster/outputs.tf index fdcc23db68..a5bdffd2fd 100644 --- a/test/fixtures/beta_cluster/outputs.tf +++ b/test/fixtures/beta_cluster/outputs.tf @@ -84,6 +84,6 @@ output "database_encryption_key_name" { value = google_kms_crypto_key.db.id } -output "identity_namespace" { - value = module.this.identity_namespace +output "workload_pool" { + value = module.this.workload_pool } 
diff --git a/test/integration/beta_cluster/inspec.yml b/test/integration/beta_cluster/inspec.yml index 05762386b6..bc38a8915f 100644 --- a/test/integration/beta_cluster/inspec.yml +++ b/test/integration/beta_cluster/inspec.yml @@ -45,6 +45,6 @@ attributes: - name: database_encryption_key_name required: true type: string - - name: identity_namespace + - name: workload_pool required: true type: string diff --git a/variables.tf b/variables.tf index 66dd772f5b..3a0bafb6be 100644 --- a/variables.tf +++ b/variables.tf @@ -330,18 +330,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" @@ -392,8 +380,8 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)" +variable "workload_pool" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } diff --git a/versions.tf b/versions.tf index b3d1820b43..649740e585 100644 --- a/versions.tf +++ b/versions.tf 
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 3.55.0, <4.0.0"
+ version = ">= 4.0.0, <5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From 84f737cc614314f981568c1e5478a7fa801c344b Mon Sep 17 00:00:00 2001
From: Jack Whelpton Date: Mon, 22 Nov 2021 10:30:03 -0800 Subject: [PATCH 03/35] Regenerates modules and documentation --- README.md | 6 ++---- autogen/main/cluster.tf.tmpl | 5 +++-- autogen/main/main.tf.tmpl | 2 +- autogen/main/versions.tf.tmpl | 4 ++-- cluster.tf | 5 +++-- examples/simple_regional_beta/README.md | 2 +- examples/simple_zonal_with_asm/README.md | 2 +- main.tf | 2 +- .../beta-private-cluster-update-variant/README.md | 6 ++---- .../beta-private-cluster-update-variant/cluster.tf | 5 +++-- modules/beta-private-cluster-update-variant/main.tf | 2 +- .../beta-private-cluster-update-variant/variables.tf | 12 ------------ modules/beta-private-cluster/README.md | 6 ++---- modules/beta-private-cluster/cluster.tf | 5 +++-- modules/beta-private-cluster/main.tf | 2 +- modules/beta-private-cluster/variables.tf | 12 ------------ modules/beta-public-cluster-update-variant/README.md | 6 ++---- .../beta-public-cluster-update-variant/cluster.tf | 5 +++-- modules/beta-public-cluster-update-variant/main.tf | 2 +- .../beta-public-cluster-update-variant/variables.tf | 12 ------------ modules/beta-public-cluster/README.md | 6 ++---- modules/beta-public-cluster/cluster.tf | 5 +++-- modules/beta-public-cluster/main.tf | 2 +- modules/beta-public-cluster/variables.tf | 12 ------------ modules/private-cluster-update-variant/README.md | 6 ++---- modules/private-cluster-update-variant/cluster.tf | 5 +++-- modules/private-cluster-update-variant/main.tf | 2 +- modules/private-cluster/README.md | 6 ++---- modules/private-cluster/cluster.tf | 5 +++-- modules/private-cluster/main.tf | 2 +- modules/private-cluster/variables.tf | 12 ------------ modules/safer-cluster-update-variant/main.tf | 4 ---- modules/safer-cluster/main.tf | 4 ---- versions.tf | 2 +- 34 files changed, 51 insertions(+), 125 deletions(-) diff --git a/README.md b/README.md index de52651f5b..8532fa2fdf 100644 --- a/README.md +++ b/README.md 
@@ -128,8 +128,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | @@ -151,7 +149,6 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | 
@@ -191,6 +188,7 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -202,7 +200,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | | instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | @@ -218,6 +215,7 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | +| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index d806826ae1..3debee4e0d 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -295,7 +295,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } @@ -631,9 +631,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + {% if beta_cluster %} dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index da8237cb48..1f4b44b073 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -112,7 +112,7 @@ locals { }] cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = var.node_metadata }] cluster_output_name = google_container_cluster.primary.name diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 10338cf9a0..5f9fca7916 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,7 +24,7 @@ terraform { required_providers { google-beta = { source = "hashicorp/google-beta" - version = ">= 3.87.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" @@ -38,7 +38,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.55.0, <4.0.0" + version = ">= 4.0.0, < 5.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/cluster.tf b/cluster.tf index c0a7d466dc..f4899cf1c4 100644 --- a/cluster.tf +++ b/cluster.tf 
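Review bot: The new `mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)` line in the @@ -631 hunk passes the per-pool `node_metadata` value straight into the 4.x `workload_metadata_config.mode` attribute, whose accepted values (GCE_METADATA, GKE_METADATA) differ from the pre-4.0 `node_metadata` vocabulary (e.g. SECURE/EXPOSE); the same pass-through occurs with `mode = var.node_metadata` in the autogen/main/main.tf.tmpl hunk and in the generated copies at cluster.tf, main.tf and each modules/*/cluster.tf and modules/*/main.tf in this patch. Unless the `node_metadata` variable's validation is tightened elsewhere in the series (not visible here), a caller still supplying an old value gets a provider validation error at plan time rather than a module-level message, so a `validation` block on that variable listing only the new values is what I would add. The per-pool key is still the string `"node_metadata"` while the attribute is now `mode`, which is reasonable for compatibility but deserves a comment next to the lookup: `# per-pool override keeps the "node_metadata" key for compatibility; the value must be a valid workload_metadata_config.mode (GCE_METADATA or GKE_METADATA)`. From a hardening angle, GKE_METADATA is the value that routes pod metadata requests through the GKE metadata server instead of exposing the node's, so any remapping of legacy values should be explicit and documented rather than silent. The enclosing google_container_node_pool resource begins and ends outside the hunk.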
@@ -162,7 +162,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } @@ -336,10 +336,11 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 5d301c9ad6..bfc9eae7ee 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md @@ -36,7 +36,6 @@ This example illustrates how to create a simple cluster with beta features. | ca\_certificate | n/a | | client\_token | n/a | | cluster\_name | Cluster name | -| identity\_namespace | n/a | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | @@ -47,6 +46,7 @@ This example illustrates how to create a simple cluster with beta features. | region | n/a | | service\_account | The default service account used for running nodes. | | subnetwork | n/a | +| workload\_pool | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index ce486ec503..d7085148cd 100644 --- a/examples/simple_zonal_with_asm/README.md +++ b/examples/simple_zonal_with_asm/README.md 
@@ -23,7 +23,6 @@ This example illustrates how to create a simple zonal cluster with ASM. | ca\_certificate | n/a | | client\_token | n/a | | cluster\_name | Cluster name | -| identity\_namespace | n/a | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | @@ -34,6 +33,7 @@ This example illustrates how to create a simple zonal cluster with ASM. | region | n/a | | service\_account | The default service account used for running nodes. | | subnetwork | n/a | +| workload\_pool | n/a | | zones | List of zones in which the cluster resides | diff --git a/main.tf b/main.tf index a5b88a518c..0529eeac0e 100644 --- a/main.tf +++ b/main.tf @@ -87,7 +87,7 @@ locals { }] cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = var.node_metadata }] cluster_output_name = google_container_cluster.primary.name diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index a932b2e70a..d4b56530ce 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -160,8 +160,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -199,7 +197,6 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -251,6 +248,7 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs 
@@ -264,7 +262,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -287,6 +284,7 @@ Then perform the following commands on the root folder: | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | +| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 1b1d0e7457..9ce5a921a0 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -262,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } @@ -570,9 +570,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { 
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 6f35a599ee..ff74a00446 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -102,7 +102,7 @@ locals { }] cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = var.node_metadata }] cluster_output_name = google_container_cluster.primary.name diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 9ccfcd18bf..a24fd968eb 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index bdec3ab7c7..a498e85af2 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -138,8 +138,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -177,7 +175,6 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -229,6 +226,7 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs 
@@ -242,7 +240,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -265,6 +262,7 @@ Then perform the following commands on the root folder: | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | +| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index ce335e4a69..a7bf195713 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -262,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } @@ -485,9 +485,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 6f35a599ee..ff74a00446 100644 --- a/modules/beta-private-cluster/main.tf 
+++ b/modules/beta-private-cluster/main.tf @@ -102,7 +102,7 @@ locals { }] cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = var.node_metadata }] cluster_output_name = google_container_cluster.primary.name diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 9ccfcd18bf..a24fd968eb 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index a8ead250c5..11836bc233 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -154,8 +154,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -190,7 +188,6 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -240,6 +237,7 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs 
@@ -253,7 +251,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | @@ -274,6 +271,7 @@ Then perform the following commands on the root folder: | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | +| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 8e7194b11a..c0f2d8d86d 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -262,7 +262,7 @@ resource "google_container_cluster" "primary" { for_each = local.cluster_node_metadata_config content { - node_metadata = workload_metadata_config.value.node_metadata + mode = workload_metadata_config.value.mode } } @@ -551,9 +551,10 @@ resource "google_container_node_pool" "pools" { for_each = local.cluster_node_metadata_config content { - node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata) + mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode) } } + dynamic "sandbox_config" { for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { 
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 9fa21407f2..40e7bcae9a 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -102,7 +102,7 @@ locals { }] cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - node_metadata = var.node_metadata + mode = var.node_metadata }] cluster_output_name = google_container_cluster.primary.name diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index e05e2633ac..6c35c434d6 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -378,18 +378,6 @@ variable "service_account" { default = "" } -variable "basic_auth_username" { - type = string - description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." - default = "" -} - -variable "basic_auth_password" { - type = string - description = "The password to be used with Basic Authentication." - default = "" -} - variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index be7111e851..0d08689861 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -132,8 +132,6 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -168,7 +166,6 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -218,6 +215,7 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs 
@@ -231,7 +229,6 @@ Then perform the following commands on the root folder:
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| identity\_namespace | Workload Identity namespace |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
@@ -252,6 +249,7 @@ Then perform the following commands on the root folder:
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
+| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index f05243b8b8..dc6b439c39 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -262,7 +262,7 @@ resource "google_container_cluster" "primary" {
 for_each = local.cluster_node_metadata_config
 content {
- node_metadata = workload_metadata_config.value.node_metadata
+ mode = workload_metadata_config.value.mode
 }
 }
@@ -466,9 +466,10 @@ resource "google_container_node_pool" "pools" {
 for_each = local.cluster_node_metadata_config
 content {
- node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata)
+ mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
 }
 }
+
 dynamic "sandbox_config" {
 for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
 content {
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 9fa21407f2..40e7bcae9a 100644
--- a/modules/beta-public-cluster/main.tf
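Review bot: The node-pool override on the `mode` line still reads the pool key `"node_metadata"` and passes its value straight into the renamed provider attribute (`mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)`), and the main.tf hunk that follows does the same with `var.node_metadata` while still comparing it against `"UNSPECIFIED"`; the same pattern appears in the cluster.tf and main.tf hunks for private-cluster-update-variant and private-cluster. As far as I recall the google provider 4.0 upgrade notes, `workload_metadata_config.mode` accepts a different value set (`GCE_METADATA`/`GKE_METADATA`) than the 3.x `node_metadata` attribute did (`SECURE`/`EXPOSE`/`GKE_METADATA_SERVER`), so unless the variable's validation and documented defaults were updated in a part of the patch not visible here, existing callers will fail at plan time with no hint that a rename happened. I'd either map the old values to the new ones in the `cluster_node_metadata_config` local or, at minimum, document the accepted values on the variable and add a comment on the lookup line such as `# node_pools still use the "node_metadata" key; the provider attribute was renamed to "mode" in google provider 4.0`. Both resource blocks start and continue outside the hunk.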
+++ b/modules/beta-public-cluster/main.tf
@@ -102,7 +102,7 @@ locals {
 }]
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- node_metadata = var.node_metadata
+ mode = var.node_metadata
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index e05e2633ac..6c35c434d6 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -378,18 +378,6 @@ variable "service_account" {
 default = ""
 }
-variable "basic_auth_username" {
- type = string
- description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
- default = ""
-}
-
-variable "basic_auth_password" {
- type = string
- description = "The password to be used with Basic Authentication."
- default = ""
-}
-
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 5176ac1241..18d4fa8c4c 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -156,8 +156,6 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
-| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
 | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
@@ -182,7 +180,6 @@ Then perform the following commands on the root folder:
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
-| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
@@ -223,6 +220,7 @@ Then perform the following commands on the root folder:
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
+| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 ## Outputs
@@ -234,7 +232,6 @@ Then perform the following commands on the root folder:
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| identity\_namespace | Workload Identity namespace |
 | instance\_group\_urls | List of GKE generated instance groups |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
@@ -252,6 +249,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
+| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 1453d23433..868306a339 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -162,7 +162,7 @@ resource "google_container_cluster" "primary" {
 for_each = local.cluster_node_metadata_config
 content {
- node_metadata = workload_metadata_config.value.node_metadata
+ mode = workload_metadata_config.value.mode
 }
 }
@@ -434,10 +434,11 @@ resource "google_container_node_pool" "pools" {
 for_each = local.cluster_node_metadata_config
 content {
- node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata)
+ mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
 }
 }
+
 shielded_instance_config {
 enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
 enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index bdd52d4822..cac234e2c2 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -87,7 +87,7 @@ locals {
 }]
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- node_metadata = var.node_metadata
+ mode = var.node_metadata
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 1ec12aba6d..8e90996400 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -134,8 +134,6 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
-| basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
-| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
 | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `any` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
@@ -160,7 +158,6 @@ Then perform the following commands on the root folder:
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
-| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
@@ -201,6 +198,7 @@ Then perform the following commands on the root folder:
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
+| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 ## Outputs
@@ -212,7 +210,6 @@ Then perform the following commands on the root folder:
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
-| identity\_namespace | Workload Identity namespace |
 | instance\_group\_urls | List of GKE generated instance groups |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | logging\_service | Logging service used |
@@ -230,6 +227,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |
+| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 987b3de162..09e6e7dcee 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -162,7 +162,7 @@ resource "google_container_cluster" "primary" {
 for_each = local.cluster_node_metadata_config
 content {
- node_metadata = workload_metadata_config.value.node_metadata
+ mode = workload_metadata_config.value.mode
 }
 }
@@ -349,10 +349,11 @@ resource "google_container_node_pool" "pools" {
 for_each = local.cluster_node_metadata_config
 content {
- node_metadata = lookup(each.value, "node_metadata", workload_metadata_config.value.node_metadata)
+ mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
 }
 }
+
 shielded_instance_config {
 enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
 enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index bdd52d4822..cac234e2c2 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -87,7 +87,7 @@ locals {
 }]
 cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- node_metadata = var.node_metadata
+ mode = var.node_metadata
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 4903686d7c..7fc0f4ab17 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -330,18 +330,6 @@ variable "service_account" {
 default = ""
 }
-variable "basic_auth_username" {
- type = string
- description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
- default = ""
-}
-
-variable "basic_auth_password" {
- type = string
- description = "The password to be used with Basic Authentication."
- default = ""
-}
-
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index d0207768a3..26e62284f7 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -107,10 +107,6 @@ module "gke" {
 registry_project_ids = var.registry_project_ids
 grant_registry_access = var.grant_registry_access
- // Basic Auth disabled
- basic_auth_username = ""
- basic_auth_password = ""
-
 issue_client_certificate = false
 cluster_resource_labels = var.cluster_resource_labels
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 2f2ddf5327..51831de376 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -107,10 +107,6 @@ module "gke" {
 registry_project_ids = var.registry_project_ids
 grant_registry_access = var.grant_registry_access
- // Basic Auth disabled
- basic_auth_username = ""
- basic_auth_password = ""
-
 issue_client_certificate = false
 cluster_resource_labels = var.cluster_resource_labels
diff --git a/versions.tf b/versions.tf
index 649740e585..fb7f8d19f3 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.0.0, <5.0"
+ version = ">= 4.0.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From fc4abaf5900c0a498b480934fbccd98b0c9c5bd0 Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Mon, 22 Nov 2021 11:00:57 -0800
Subject: [PATCH 04/35] Updates tests to use latest Google provider
* addresses warning about multiple provider blocks
---
 examples/simple_zonal_with_hub_kubeconfig/main.tf | 8 --------
 examples/simple_zonal_with_hub_kubeconfig/versions.tf | 4 ++++
 test/setup/versions.tf | 4 ++--
 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/examples/simple_zonal_with_hub_kubeconfig/main.tf b/examples/simple_zonal_with_hub_kubeconfig/main.tf
index 22956825a5..43622d1ac4 100644
--- a/examples/simple_zonal_with_hub_kubeconfig/main.tf
+++ b/examples/simple_zonal_with_hub_kubeconfig/main.tf
@@ -14,14 +14,6 @@
 * limitations under the License.
 */
-terraform {
- required_providers {
- kind = {
- source = "kyma-incubator/kind"
- version = "0.0.6"
- }
- }
-}
 provider "kind" {}
 # creating a cluster with kind of the name "test-cluster" with kubernetes version v1.18.4 and two nodes
diff --git a/examples/simple_zonal_with_hub_kubeconfig/versions.tf b/examples/simple_zonal_with_hub_kubeconfig/versions.tf
index e8fbb1aadd..1d715aef24 100644
--- a/examples/simple_zonal_with_hub_kubeconfig/versions.tf
+++ b/examples/simple_zonal_with_hub_kubeconfig/versions.tf
@@ -20,6 +20,10 @@ terraform {
 source = "hashicorp/google"
 version = "~> 4.0"
 }
+ kind = {
+ source = "kyma-incubator/kind"
+ version = "0.0.6"
+ }
 kubernetes = {
 source = "hashicorp/kubernetes"
 }
diff --git a/test/setup/versions.tf b/test/setup/versions.tf
index 026fdac3ca..c010643e9d 100644
--- a/test/setup/versions.tf
+++ b/test/setup/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "3.50.0"
+ version = "4.1.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "3.50.0"
+ version = "4.1.0"
 }
 random = {
 source = "hashicorp/random"
From 190ae7f41d73f2e6803e3b8fd64160a781042501 Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Mon, 22 Nov 2021 11:35:21 -0800
Subject: [PATCH 05/35] Updates network module for Google provider 4.0 compatibility
---
 examples/private_zonal_with_networking/main.tf | 2 +-
 examples/regional_private_node_pool_oauth_scopes/network.tf | 2 +-
 examples/safer_cluster/network.tf | 2 +-
 examples/safer_cluster_iap_bastion/network.tf | 2 +-
 examples/simple_regional_with_networking/main.tf | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf
index a71dfaf768..fdfb17783a 100644
--- a/examples/private_zonal_with_networking/main.tf
+++ b/examples/private_zonal_with_networking/main.tf
@@ -24,7 +24,7 @@ provider "kubernetes" {
 module "gcp-network" {
 source = "terraform-google-modules/network/google"
- version = "~> 3.1"
+ version = ">= 4.0.1, < 5.0.0"
 project_id = var.project_id
 network_name = var.network
diff --git a/examples/regional_private_node_pool_oauth_scopes/network.tf b/examples/regional_private_node_pool_oauth_scopes/network.tf
index 140c20d941..d83104ab41 100644
--- a/examples/regional_private_node_pool_oauth_scopes/network.tf
+++ b/examples/regional_private_node_pool_oauth_scopes/network.tf
@@ -16,7 +16,7 @@
 module "gke-network" {
 source = "terraform-google-modules/network/google"
- version = "~> 2.5"
+ version = ">= 4.0.1, < 5.0.0"
 project_id = var.project_id
 network_name = "random-gke-network"
diff --git a/examples/safer_cluster/network.tf b/examples/safer_cluster/network.tf
index 8b22071f0e..2b18780a12 100644
--- a/examples/safer_cluster/network.tf
+++ b/examples/safer_cluster/network.tf
@@ -16,7 +16,7 @@
 module "gcp-network" {
 source = "terraform-google-modules/network/google"
- version = "~> 2.5"
+ version = ">= 4.0.1, < 5.0.0"
 project_id = var.project_id
 network_name = local.network_name
diff --git a/examples/safer_cluster_iap_bastion/network.tf b/examples/safer_cluster_iap_bastion/network.tf
index e1986ad588..572b366adb 100644
--- a/examples/safer_cluster_iap_bastion/network.tf
+++ b/examples/safer_cluster_iap_bastion/network.tf
@@ -17,7 +17,7 @@
 module "vpc" {
 source = "terraform-google-modules/network/google"
- version = "~> 2.5"
+ version = ">= 4.0.1, < 5.0.0"
 project_id = module.enabled_google_apis.project_id
 network_name = var.network_name
diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf
index d96ddd0660..7c7f12f6ff 100644
--- a/examples/simple_regional_with_networking/main.tf
+++ b/examples/simple_regional_with_networking/main.tf
@@ -24,7 +24,7 @@ provider "kubernetes" {
 module "gcp-network" {
 source = "terraform-google-modules/network/google"
- version = "~> 3.1"
+ version = ">= 4.0.1, < 5.0.0"
 project_id = var.project_id
 network_name = var.network
From a493bc2f37b1eca36c2295c16c5c64cb8aef895a Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Mon, 22 Nov 2021 13:46:05 -0800
Subject: [PATCH 06/35] Temporarily uses "main" for gcloud module (until next release is cut)
---
 autogen/main/dns.tf.tmpl | 5 ++--
 dns.tf | 5 ++--
 .../private_zonal_with_networking/main.tf | 5 ++--
 .../network.tf | 5 ++--
 examples/safer_cluster/network.tf | 5 ++--
 .../simple_regional_with_networking/main.tf | 5 ++--
 modules/acm/main.tf | 2 +-
 modules/asm/main.tf | 5 ++--
 .../dns.tf | 5 ++--
 modules/beta-private-cluster/dns.tf | 5 ++--
 .../beta-public-cluster-update-variant/dns.tf | 5 ++--
 modules/beta-public-cluster/dns.tf | 5 ++--
 modules/hub/main.tf | 2 +-
 modules/k8s-operator-crd-support/main.tf | 26 ++++++++++++-------
 modules/private-cluster-update-variant/dns.tf | 5 ++--
 modules/private-cluster/dns.tf | 5 ++--
 modules/workload-identity/main.tf | 2 +-
 17 files changed, 58 insertions(+), 39 deletions(-)
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index 03209c8a0f..0ede42862c 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -20,8 +20,9 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/dns.tf b/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/dns.tf
+++ b/dns.tf
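Review bot: `version = "main"` on the registry source `terraform-google-modules/gcloud/google//modules/kubectl-wrapper` is a branch name where Terraform expects a semantic version constraint, so I'd expect `terraform init` to reject it rather than resolve the main branch, which the follow-up commit that comments the line out seems to confirm. Even if it did resolve, tracking a branch of a third-party module that runs gcloud and kubectl against the cluster means the code that executes can change between runs without anyone reviewing it; this module family has been pinned so far and should stay pinned. If a fix from an unreleased commit is genuinely needed before the next release, pin an immutable ref instead, e.g. `source = "git::<repo-url>//modules/kubectl-wrapper?ref=<commit-sha>"` (both values are placeholders), together with `# TODO: restore the registry source and version constraint once the next gcloud module release is cut`. The same change is made in every other hunk of this patch (dns.tf, the module dns.tf copies, modules/acm, modules/asm, modules/hub, modules/k8s-operator-crd-support, modules/workload-identity), and since autogen/main/dns.tf.tmpl is the template the per-module dns.tf files are generated from, that is the place to fix it.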
@@ -20,8 +20,9 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf
index fdfb17783a..9910b9bb12 100644
--- a/examples/private_zonal_with_networking/main.tf
+++ b/examples/private_zonal_with_networking/main.tf
@@ -23,8 +23,9 @@ provider "kubernetes" {
 }
 module "gcp-network" {
- source = "terraform-google-modules/network/google"
- version = ">= 4.0.1, < 5.0.0"
+ source = "terraform-google-modules/network/google"
+ version = ">= 4.0.1, < 5.0.0"
+
 project_id = var.project_id
 network_name = var.network
diff --git a/examples/regional_private_node_pool_oauth_scopes/network.tf b/examples/regional_private_node_pool_oauth_scopes/network.tf
index d83104ab41..e77f4c2897 100644
--- a/examples/regional_private_node_pool_oauth_scopes/network.tf
+++ b/examples/regional_private_node_pool_oauth_scopes/network.tf
@@ -15,8 +15,9 @@
 */
 module "gke-network" {
- source = "terraform-google-modules/network/google"
- version = ">= 4.0.1, < 5.0.0"
+ source = "terraform-google-modules/network/google"
+ version = ">= 4.0.1, < 5.0.0"
+
 project_id = var.project_id
 network_name = "random-gke-network"
diff --git a/examples/safer_cluster/network.tf b/examples/safer_cluster/network.tf
index 2b18780a12..e3c4778068 100644
--- a/examples/safer_cluster/network.tf
+++ b/examples/safer_cluster/network.tf
@@ -15,8 +15,9 @@
 */
 module "gcp-network" {
- source = "terraform-google-modules/network/google"
- version = ">= 4.0.1, < 5.0.0"
+ source = "terraform-google-modules/network/google"
+ version = ">= 4.0.1, < 5.0.0"
+
 project_id = var.project_id
 network_name = local.network_name
diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf
index 7c7f12f6ff..4854c4d644 100644
--- a/examples/simple_regional_with_networking/main.tf
+++ b/examples/simple_regional_with_networking/main.tf
@@ -23,8 +23,9 @@ provider "kubernetes" {
 }
 module "gcp-network" {
- source = "terraform-google-modules/network/google"
- version = ">= 4.0.1, < 5.0.0"
+ source = "terraform-google-modules/network/google"
+ version = ">= 4.0.1, < 5.0.0"
+
 project_id = var.project_id
 network_name = var.network
diff --git a/modules/acm/main.tf b/modules/acm/main.tf
index 7acc986624..e95e0d405e 100644
--- a/modules/acm/main.tf
+++ b/modules/acm/main.tf
@@ -16,7 +16,7 @@
 module "enable_acm" {
 source = "terraform-google-modules/gcloud/google"
- version = "~> 2.0"
+ version = "main"
 platform = "linux"
 upgrade = true
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index f5ed3ecd9d..a80e6d3ced 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -87,8 +87,9 @@ module "asm-services" {
 }
 module "asm_install" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 module_depends_on = concat([var.cluster_endpoint], local.additional_depends_on)
 gcloud_sdk_version = var.gcloud_sdk_version
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -20,8 +20,9 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/modules/beta-private-cluster/dns.tf
+++ b/modules/beta-private-cluster/dns.tf
@@ -20,8 +20,9 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/modules/beta-public-cluster-update-variant/dns.tf
+++ b/modules/beta-public-cluster-update-variant/dns.tf
@@ -20,8 +20,9 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/modules/beta-public-cluster/dns.tf
+++ b/modules/beta-public-cluster/dns.tf
@@ -20,8 +20,9 @@ Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/modules/hub/main.tf b/modules/hub/main.tf
index 428d4d8e5e..b854f68f87 100644
--- a/modules/hub/main.tf
+++ b/modules/hub/main.tf
@@ -72,7 +72,7 @@ resource "google_service_account_key" "gke_hub_key" {
 module "gke_hub_registration" {
 source = "terraform-google-modules/gcloud/google"
- version = "~> 2.1.0"
+ version = "main"
 platform = "linux"
 gcloud_sdk_version = var.gcloud_sdk_version
diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf
index 60536b8cd7..8c5ba6d493 100644
--- a/modules/k8s-operator-crd-support/main.tf
+++ b/modules/k8s-operator-crd-support/main.tf
@@ -34,7 +34,8 @@ locals {
 module "k8sop_manifest" {
 source = "terraform-google-modules/gcloud/google"
- version = "~> 2.1.0"
+ version = "main"
+
 enabled = local.should_download_manifest
 create_cmd_entrypoint = "gsutil"
@@ -45,8 +46,9 @@ module "k8sop_manifest" {
 module "k8s_operator" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint]
 cluster_name = var.cluster_name
 cluster_location = var.location
@@ -68,7 +70,7 @@ resource "tls_private_key" "k8sop_creds" {
 module "k8sop_creds_secret" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ version = "main"
 enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
 module_depends_on = [module.k8s_operator.wait]
@@ -104,8 +106,9 @@ data "template_file" "k8sop_config" {
 }
 module "k8sop_config" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
 cluster_name = var.cluster_name
 cluster_location = var.location
@@ -136,7 +139,8 @@ data "template_file" "rootsync_config" {
 module "wait_for_configsync_api" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ version = "main"
+
 enabled = var.enable_multi_repo
 module_depends_on = [module.k8sop_config.wait]
@@ -156,7 +160,8 @@ module "wait_for_configsync_api" {
 module "rootsync_config" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ version = "main"
+
 enabled = var.enable_multi_repo
 module_depends_on = [module.wait_for_configsync_api.wait]
@@ -173,8 +178,9 @@ module "rootsync_config" {
 }
 module "wait_for_gatekeeper" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = var.enable_policy_controller ? true : false
 module_depends_on = [module.k8sop_config.wait]
 cluster_name = var.cluster_name
diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/modules/private-cluster-update-variant/dns.tf
+++ b/modules/private-cluster-update-variant/dns.tf
@@ -20,8 +20,9 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf
index fa10a41101..96ed60d14c 100644
--- a/modules/private-cluster/dns.tf
+++ b/modules/private-cluster/dns.tf
@@ -20,8 +20,9 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ version = "main"
+
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
 cluster_location = google_container_cluster.primary.location
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index ebcb5da01c..565d1cdfaa 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -59,7 +59,7 @@ resource "kubernetes_service_account" "main" {
 module "annotate-sa" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "~> 2.1.0"
+ version = "main"
 enabled = var.use_existing_k8s_sa && var.annotate_k8s_sa
 skip_download = true
From de866626cfac6a2c83198b3712ced092a10ba1d7 Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Mon, 22 Nov 2021 14:19:37 -0800
Subject: [PATCH 07/35] Comments out version constraint (temporary change)
* fetches main branch by default?
---
 autogen/main/dns.tf.tmpl | 2 +-
 dns.tf | 4 +--
 modules/acm/main.tf | 4 +--
 modules/asm/main.tf | 4 +--
 .../dns.tf | 4 +--
 modules/beta-private-cluster/dns.tf | 4 +--
 .../beta-public-cluster-update-variant/dns.tf | 4 +--
 modules/beta-public-cluster/dns.tf | 4 +--
 modules/hub/main.tf | 4 +--
 modules/k8s-operator-crd-support/main.tf | 28 +++++++++----------
 modules/private-cluster-update-variant/dns.tf | 4 +--
 modules/private-cluster/dns.tf | 4 +--
 modules/workload-identity/main.tf | 4 +--
 13 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index 0ede42862c..e0c44668f4 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -21,7 +21,7 @@
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
 source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/dns.tf b/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/dns.tf
+++ b/dns.tf
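Review bot: Commenting the constraint out (`#version = "main"`) leaves a registry module with no version constraint at all, so `terraform init` resolves whatever the newest published `terraform-google-modules/gcloud/google` release is at that moment; the dependency lock file records providers only, not modules, so each fresh init can fetch different code, and this wrapper executes gcloud/kubectl commands against the cluster with the caller's credentials. The same `#version` edit recurs in dns.tf, modules/acm/main.tf, modules/asm/main.tf, the beta/private cluster dns.tf files, modules/hub/main.tf, every block of modules/k8s-operator-crd-support/main.tf and modules/workload-identity/main.tf. If no usable release exists yet, prefer a bounded constraint such as `version = "~> 3.1"` or a git source pinned to a commit, and record the temporary intent on the line itself, e.g. `# TODO: restore a version constraint before the next release`.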
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/acm/main.tf b/modules/acm/main.tf
index e95e0d405e..b79c8fc5de 100644
--- a/modules/acm/main.tf
+++ b/modules/acm/main.tf
@@ -15,8 +15,8 @@
 */
 module "enable_acm" {
- source = "terraform-google-modules/gcloud/google"
- version = "main"
+ source = "terraform-google-modules/gcloud/google"
+ #version = "main"
 platform = "linux"
 upgrade = true
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index a80e6d3ced..0969b3ab9e 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -87,8 +87,8 @@ module "asm-services" {
 }
 module "asm_install" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 module_depends_on = concat([var.cluster_endpoint], local.additional_depends_on)
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/modules/beta-private-cluster/dns.tf
+++ b/modules/beta-private-cluster/dns.tf
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/modules/beta-public-cluster-update-variant/dns.tf
+++ b/modules/beta-public-cluster-update-variant/dns.tf
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/modules/beta-public-cluster/dns.tf
+++ b/modules/beta-public-cluster/dns.tf
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/hub/main.tf b/modules/hub/main.tf
index b854f68f87..ea0eba0e4a 100644
--- a/modules/hub/main.tf
+++ b/modules/hub/main.tf
@@ -71,8 +71,8 @@ resource "google_service_account_key" "gke_hub_key" {
 }
 module "gke_hub_registration" {
- source = "terraform-google-modules/gcloud/google"
- version = "main"
+ source = "terraform-google-modules/gcloud/google"
+ #version = "main"
 platform = "linux"
 gcloud_sdk_version = var.gcloud_sdk_version
diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf
index 8c5ba6d493..6220d42fe3 100644
--- a/modules/k8s-operator-crd-support/main.tf
+++ b/modules/k8s-operator-crd-support/main.tf
@@ -33,8 +33,8 @@ locals {
 }
 module "k8sop_manifest" {
- source = "terraform-google-modules/gcloud/google"
- version = "main"
+ source = "terraform-google-modules/gcloud/google"
+ #version = "main"
 enabled = local.should_download_manifest
@@ -46,8 +46,8 @@ module "k8sop_manifest" {
 module "k8s_operator" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint]
 cluster_name = var.cluster_name
@@ -69,8 +69,8 @@ resource "tls_private_key" "k8sop_creds" {
 }
 module "k8sop_creds_secret" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
 module_depends_on = [module.k8s_operator.wait]
@@ -106,8 +106,8 @@ data "template_file" "k8sop_config" {
 }
 module "k8sop_config" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
 cluster_name = var.cluster_name
@@ -138,8 +138,8 @@ data "template_file" "rootsync_config" {
 }
 module "wait_for_configsync_api" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = var.enable_multi_repo
@@ -159,8 +159,8 @@ module "wait_for_configsync_api" {
 }
 module "rootsync_config" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = var.enable_multi_repo
@@ -178,8 +178,8 @@ module "rootsync_config" {
 }
 module "wait_for_gatekeeper" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = var.enable_policy_controller ? true : false
 module_depends_on = [module.k8sop_config.wait]
diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/modules/private-cluster-update-variant/dns.tf
+++ b/modules/private-cluster-update-variant/dns.tf
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf
index 96ed60d14c..8a8f73aa39 100644
--- a/modules/private-cluster/dns.tf
+++ b/modules/private-cluster/dns.tf
@@ -20,8 +20,8 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 565d1cdfaa..0c703afbdf 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -58,8 +58,8 @@ resource "kubernetes_service_account" "main" {
 }
 module "annotate-sa" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- version = "main"
+ source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "main"
 enabled = var.use_existing_k8s_sa && var.annotate_k8s_sa
 skip_download = true
From 69fffa0b953bfd74051686569e55decb26e70ecc Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Tue, 23 Nov 2021 08:46:22 -0800
Subject: [PATCH 08/35] Uses master branch for gcloud module (until release is cut)
---
 autogen/main/dns.tf.tmpl | 6 ++-
 dns.tf | 6 ++-
 modules/acm/main.tf | 6 ++-
 modules/asm/main.tf | 6 ++-
 .../dns.tf | 6 ++-
 modules/beta-private-cluster/dns.tf | 6 ++-
 .../beta-public-cluster-update-variant/dns.tf | 6 ++-
 modules/beta-public-cluster/dns.tf | 6 ++-
 modules/hub/main.tf | 6 ++-
 modules/k8s-operator-crd-support/main.tf | 42 ++++++++++++-------
 modules/private-cluster-update-variant/dns.tf | 6 ++-
 modules/private-cluster/dns.tf | 6 ++-
 modules/workload-identity/main.tf | 6 ++-
 13 files changed, 76 insertions(+), 38 deletions(-)
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index e0c44668f4..182c74b753 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/dns.tf b/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/dns.tf
+++ b/dns.tf
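Review bot: `source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"` tracks a moving branch rather than a fixed revision, so the module code that runs gcloud/kubectl against the cluster with the caller's credentials changes whenever that branch does and cannot be reproduced or audited from the repository state alone. Pin the ref to an immutable revision, `?ref=<commit-sha>` (placeholder) or a release tag, and keep the commented registry lines as the intended end state. Separately, this line points at the repository root while the replaced line used the `//modules/kubectl-wrapper` subdirectory, so the block now instantiates a different module than before. The same two issues recur in dns.tf, modules/asm/main.tf, every cluster-variant dns.tf, the modules/k8s-operator-crd-support/main.tf hunks and modules/workload-identity/main.tf; modules/acm and modules/hub already used the root module, so only the pinning point applies to them.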
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/acm/main.tf b/modules/acm/main.tf
index b79c8fc5de..17a8c69d0d 100644
--- a/modules/acm/main.tf
+++ b/modules/acm/main.tf
@@ -15,8 +15,10 @@
 */
 module "enable_acm" {
- source = "terraform-google-modules/gcloud/google"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google"
+ #version = "~> 3.1"
 platform = "linux"
 upgrade = true
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index 0969b3ab9e..dad0a3ffea 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -87,8 +87,10 @@ module "asm-services" {
 }
 module "asm_install" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 module_depends_on = concat([var.cluster_endpoint], local.additional_depends_on)
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/modules/beta-private-cluster/dns.tf
+++ b/modules/beta-private-cluster/dns.tf
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/modules/beta-public-cluster-update-variant/dns.tf
+++ b/modules/beta-public-cluster-update-variant/dns.tf
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/modules/beta-public-cluster/dns.tf
+++ b/modules/beta-public-cluster/dns.tf
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/hub/main.tf b/modules/hub/main.tf
index ea0eba0e4a..73e333a107 100644
--- a/modules/hub/main.tf
+++ b/modules/hub/main.tf
@@ -71,8 +71,10 @@ resource "google_service_account_key" "gke_hub_key" {
 }
 module "gke_hub_registration" {
- source = "terraform-google-modules/gcloud/google"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google"
+ #version = "~> 3.1"
 platform = "linux"
 gcloud_sdk_version = var.gcloud_sdk_version
diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf
index 6220d42fe3..e53ac7fca3 100644
--- a/modules/k8s-operator-crd-support/main.tf
+++ b/modules/k8s-operator-crd-support/main.tf
@@ -33,8 +33,10 @@ locals {
 }
 module "k8sop_manifest" {
- source = "terraform-google-modules/gcloud/google"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google"
+ #version = "~> 3.1"
 enabled = local.should_download_manifest
@@ -46,8 +48,10 @@ module "k8sop_manifest" {
 module "k8s_operator" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint]
 cluster_name = var.cluster_name
@@ -69,8 +73,10 @@ resource "tls_private_key" "k8sop_creds" {
 }
 module "k8sop_creds_secret" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false"
 module_depends_on = [module.k8s_operator.wait]
@@ -106,8 +112,10 @@ data "template_file" "k8sop_config" {
 }
 module "k8sop_config" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
 cluster_name = var.cluster_name
@@ -138,8 +146,10 @@ data "template_file" "rootsync_config" {
 }
 module "wait_for_configsync_api" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = var.enable_multi_repo
@@ -159,8 +169,10 @@ module "wait_for_configsync_api" {
 }
 module "rootsync_config" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = var.enable_multi_repo
@@ -178,8 +190,10 @@ module "rootsync_config" {
 }
 module "wait_for_gatekeeper" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = var.enable_policy_controller ? true : false
 module_depends_on = [module.k8sop_config.wait]
diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/modules/private-cluster-update-variant/dns.tf
+++ b/modules/private-cluster-update-variant/dns.tf
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf
index 8a8f73aa39..74e940c18f 100644
--- a/modules/private-cluster/dns.tf
+++ b/modules/private-cluster/dns.tf
@@ -20,8 +20,10 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners
 cluster_name = google_container_cluster.primary.name
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index 0c703afbdf..7147fa02e1 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -58,8 +58,10 @@ resource "kubernetes_service_account" "main" {
 }
 module "annotate-sa" {
- source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
- #version = "main"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+
+ #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+ #version = "~> 3.1"
 enabled = var.use_existing_k8s_sa && var.annotate_k8s_sa
 skip_download = true
From 5c14247c5dd752a82db6fa62e437392aa66e48ee Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Tue, 23 Nov 2021 09:41:21 -0800
Subject: [PATCH 09/35] Uses kubectl-wrapper where appropriate
---
 autogen/main/dns.tf.tmpl | 2 +-
 dns.tf | 2 +-
 modules/asm/main.tf | 2 +-
 modules/beta-private-cluster-update-variant/dns.tf | 2 +-
 modules/beta-private-cluster/dns.tf | 2 +-
 modules/beta-public-cluster-update-variant/dns.tf | 2 +-
 modules/beta-public-cluster/dns.tf | 2 +-
 modules/k8s-operator-crd-support/main.tf | 12 ++++++------
 modules/private-cluster-update-variant/dns.tf | 2 +-
 modules/private-cluster/dns.tf | 2 +-
 modules/workload-identity/main.tf | 2 +-
 11 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index 182c74b753..a42ebc5de7 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -20,7 +20,7 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/dns.tf b/dns.tf
index 74e940c18f..a52b578b5b 100644
--- a/dns.tf
+++ b/dns.tf
@@ -20,7 +20,7 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index dad0a3ffea..04f87fad84 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -87,7 +87,7 @@ module "asm-services" {
 }
 module "asm_install" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index 74e940c18f..a52b578b5b 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -20,7 +20,7 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
index 74e940c18f..a52b578b5b 100644
--- a/modules/beta-private-cluster/dns.tf
+++ b/modules/beta-private-cluster/dns.tf
@@ -20,7 +20,7 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf
index 74e940c18f..a52b578b5b 100644
--- a/modules/beta-public-cluster-update-variant/dns.tf
+++ b/modules/beta-public-cluster-update-variant/dns.tf
@@ -20,7 +20,7 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf
index 74e940c18f..a52b578b5b 100644
--- a/modules/beta-public-cluster/dns.tf
+++ b/modules/beta-public-cluster/dns.tf
@@ -20,7 +20,7 @@
 Delete default kube-dns configmap
 *****************************************/
 module "gcloud_delete_default_kube_dns_configmap" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf
index e53ac7fca3..b46e1143ff 100644
--- a/modules/k8s-operator-crd-support/main.tf
+++ b/modules/k8s-operator-crd-support/main.tf
@@ -48,7 +48,7 @@ module "k8sop_manifest" {
 module "k8s_operator" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
@@ -73,7 +73,7 @@ resource "tls_private_key" "k8sop_creds" {
 }
 module "k8sop_creds_secret" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
@@ -112,7 +112,7 @@ data "template_file" "k8sop_config" {
 }
 module "k8sop_config" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
@@ -146,7 +146,7 @@ data "template_file" "rootsync_config" {
 }
 module "wait_for_configsync_api" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
@@ -169,7 +169,7 @@ module "wait_for_configsync_api" {
 }
 module "rootsync_config" {
- source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master"
+ source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master"
 #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
 #version = "~> 3.1"
@@ -190,7 +190,7 @@ module "rootsync_config" { } module "wait_for_gatekeeper" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" + source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" #version = "~> 3.1" diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf index 74e940c18f..a52b578b5b 100644 --- a/modules/private-cluster-update-variant/dns.tf +++ b/modules/private-cluster-update-variant/dns.tf @@ -20,7 +20,7 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" + source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" #version = "~> 3.1" diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index 74e940c18f..a52b578b5b 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf @@ -20,7 +20,7 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" + source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" #version = "~> 3.1" diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf index 7147fa02e1..60c1d53895 100644 --- a/modules/workload-identity/main.tf +++ b/modules/workload-identity/main.tf 
@@ -58,7 +58,7 @@ resource "kubernetes_service_account" "main" { } module "annotate-sa" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" + source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" #version = "~> 3.1" From 93925ae9c2942aee408d377244f5b39da7686b35 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 14:45:25 -0800 Subject: [PATCH 10/35] Uses released version of gcloud module --- autogen/main/dns.tf.tmpl | 6 +-- dns.tf | 6 +-- examples/safer_cluster_iap_bastion/bastion.tf | 2 +- modules/acm/main.tf | 6 +-- modules/asm/main.tf | 6 +-- .../dns.tf | 6 +-- modules/beta-private-cluster/dns.tf | 6 +-- .../beta-public-cluster-update-variant/dns.tf | 6 +-- modules/beta-public-cluster/dns.tf | 6 +-- modules/hub/main.tf | 6 +-- modules/k8s-operator-crd-support/main.tf | 42 +++++++------------ modules/private-cluster-update-variant/dns.tf | 6 +-- modules/private-cluster/dns.tf | 6 +-- modules/workload-identity/main.tf | 6 +-- 14 files changed, 39 insertions(+), 77 deletions(-) diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl index a42ebc5de7..edba110f4f 100644 --- a/autogen/main/dns.tf.tmpl +++ b/autogen/main/dns.tf.tmpl @@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name 
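Review bot: The new `version = "~> 3.1"` in `module "gcloud_delete_default_kube_dns_configmap"` still floats across every 3.x release at or above 3.1, and Terraform's `.terraform.lock.hcl` records provider versions only, so each `terraform init` can resolve a different revision of a module that appears to run gcloud/kubectl against the cluster. Replacing the unpinned `?ref=master` git source with a registry release is the right direction; an exact pin such as `version = "3.1.N"` (N being the patch release actually reviewed) would make the fetched code reproducible, or at minimum a comment stating why a floating minor range is acceptable here. The same constraint is introduced by the sibling hunks in `dns.tf`, `modules/acm/main.tf`, `modules/asm/main.tf`, the `beta-*`/`private-*` `dns.tf` copies, `modules/hub/main.tf`, `modules/k8s-operator-crd-support/main.tf` and `modules/workload-identity/main.tf`. The module block continues outside the hunk.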
diff --git a/dns.tf b/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/dns.tf +++ b/dns.tf @@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index f998ea801a..aad1297cff 100644 --- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf @@ -28,7 +28,7 @@ data "template_file" "startup_script" { module "bastion" { source = "terraform-google-modules/bastion-host/google" - version = "~> 3.0" + version = "~> 4.0" network = module.vpc.network_self_link subnet = module.vpc.subnets_self_links[0] project = module.enabled_google_apis.project_id diff --git a/modules/acm/main.tf b/modules/acm/main.tf index 17a8c69d0d..fb6a913ac0 100644 --- a/modules/acm/main.tf +++ b/modules/acm/main.tf @@ -15,10 +15,8 @@ */ module "enable_acm" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" - - #source = "terraform-google-modules/gcloud/google" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google" + version = "~> 3.1" platform = "linux" upgrade = true diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 04f87fad84..e50d56bcce 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
@@ -87,10 +87,8 @@ module "asm-services" { } module "asm_install" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" module_depends_on = concat([var.cluster_endpoint], local.additional_depends_on) diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/modules/beta-private-cluster-update-variant/dns.tf +++ b/modules/beta-private-cluster-update-variant/dns.tf @@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/modules/beta-private-cluster/dns.tf +++ b/modules/beta-private-cluster/dns.tf 
@@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/modules/beta-public-cluster-update-variant/dns.tf +++ b/modules/beta-public-cluster-update-variant/dns.tf @@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/modules/beta-public-cluster/dns.tf +++ b/modules/beta-public-cluster/dns.tf 
@@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/modules/hub/main.tf b/modules/hub/main.tf index 73e333a107..700f474b2c 100644 --- a/modules/hub/main.tf +++ b/modules/hub/main.tf @@ -71,10 +71,8 @@ resource "google_service_account_key" "gke_hub_key" { } module "gke_hub_registration" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" - - #source = "terraform-google-modules/gcloud/google" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google" + version = "~> 3.1" platform = "linux" gcloud_sdk_version = var.gcloud_sdk_version diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf index b46e1143ff..e10f006b6e 100644 --- a/modules/k8s-operator-crd-support/main.tf +++ b/modules/k8s-operator-crd-support/main.tf @@ -33,10 +33,8 @@ locals { } module "k8sop_manifest" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git?ref=master" - - #source = "terraform-google-modules/gcloud/google" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google" + version = "~> 3.1" enabled = local.should_download_manifest 
@@ -48,10 +46,8 @@ module "k8sop_manifest" { module "k8s_operator" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint] cluster_name = var.cluster_name @@ -73,10 +69,8 @@ resource "tls_private_key" "k8sop_creds" { } module "k8sop_creds_secret" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = var.create_ssh_key == true || var.ssh_auth_key != null ? "true" : "false" module_depends_on = [module.k8s_operator.wait] @@ -112,10 +106,8 @@ data "template_file" "k8sop_config" { } module "k8sop_config" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait] cluster_name = var.cluster_name @@ -146,10 +138,8 @@ data "template_file" "rootsync_config" { } module "wait_for_configsync_api" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = var.enable_multi_repo 
@@ -169,10 +159,8 @@ module "wait_for_configsync_api" { } module "rootsync_config" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = var.enable_multi_repo @@ -190,10 +178,8 @@ module "rootsync_config" { } module "wait_for_gatekeeper" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = var.enable_policy_controller ? true : false module_depends_on = [module.k8sop_config.wait] diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/modules/private-cluster-update-variant/dns.tf +++ b/modules/private-cluster-update-variant/dns.tf @@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index a52b578b5b..5dd9a8ee24 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf 
@@ -20,10 +20,8 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners cluster_name = google_container_cluster.primary.name diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf index 60c1d53895..eaf02c777b 100644 --- a/modules/workload-identity/main.tf +++ b/modules/workload-identity/main.tf @@ -58,10 +58,8 @@ resource "kubernetes_service_account" "main" { } module "annotate-sa" { - source = "github.com/terraform-google-modules/terraform-google-gcloud.git//modules/kubectl-wrapper?ref=master" - - #source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - #version = "~> 3.1" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 3.1" enabled = var.use_existing_k8s_sa && var.annotate_k8s_sa skip_download = true From eb289bec10474a18ebb94f2a118cacdafe92b272 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 15:55:58 -0800 Subject: [PATCH 11/35] Returns instance group URLs per node pool --- docs/upgrading_to_v18.0.md | 8 ++++++++ main.tf | 6 ++++-- outputs.tf | 12 ++++++------ 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/docs/upgrading_to_v18.0.md b/docs/upgrading_to_v18.0.md index 67a9b9c146..652a12d3a3 100644 --- a/docs/upgrading_to_v18.0.md +++ b/docs/upgrading_to_v18.0.md 
@@ -33,3 +33,11 @@ remains the same. + workload_pool = null } ``` + +### node_pools_versions is now keyed by node-pool name +The `node_pools_versions` output is now an object keyed by node-pool name, +rather than a list as previously. + +### instance_group_urls is now removed +The `instance_group_urls` output has been removed in favor of a node-pool level +output `node_pools_instance_group_urls`, keyed by node-pool name. diff --git a/main.tf b/main.tf index 0529eeac0e..5fc275a1d1 100644 --- a/main.tf +++ b/main.tf @@ -112,8 +112,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] @@ -132,6 +133,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled diff --git a/outputs.tf b/outputs.tf index 9945ba2d65..f7fee44197 100644 --- a/outputs.tf 
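Review bot: In the `locals` hunk at `@@ -112,8 +112,9 @@`, `cluster_output_node_pools_names` keeps the `concat(..., [""])` sentinel list while the rewritten `cluster_output_node_pools_versions` and the new `cluster_output_node_pools_instance_group_urls` become maps keyed by `np.name` with no sentinel, so the three sibling locals no longer share a shape and the reason is not recorded. A short comment above the two maps would help, e.g. `# Keyed by node pool name; an empty map needs no "" sentinel, unlike node_pools_names.`. The map form also assumes `np.name` is unique across `google_container_node_pool.pools` (presumably it is, if the resource is `for_each`'d by pool name — confirm), since duplicate keys in a `for` object expression are rejected by Terraform. The identical locals hunks in PATCH 12/35 (`autogen/main/main.tf.tmpl` and the module `main.tf` copies) have the same gap; the `locals` block starts and ends outside the hunk.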
+++ b/outputs.tf @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node-pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node-pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account @@ -135,8 +140,3 @@ output "workload_pool" { google_container_cluster.primary ] } - -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} From 2ce599a863de4bd0a4e357889e50212ba2ff4796 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 16:12:02 -0800 Subject: [PATCH 12/35] Extends use of cluster_output_node_pools_ variables --- autogen/main/main.tf.tmpl | 5 +++-- modules/beta-private-cluster-update-variant/main.tf | 5 +++-- modules/beta-private-cluster/main.tf | 5 +++-- modules/beta-public-cluster-update-variant/main.tf | 5 +++-- modules/beta-public-cluster/main.tf | 5 +++-- modules/private-cluster-update-variant/main.tf | 5 +++-- modules/private-cluster/main.tf | 5 +++-- 7 files changed, 21 insertions(+), 14 deletions(-) diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 1f4b44b073..5629a0cfb5 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -152,8 +152,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index ff74a00446..93545d4e97 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -135,8 +135,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index ff74a00446..93545d4e97 100644 
--- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -135,8 +135,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 40e7bcae9a..718dbd8a7d 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -134,8 +134,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 40e7bcae9a..718dbd8a7d 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -134,8 +134,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index cac234e2c2..53f9c5538c 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -113,8 +113,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index cac234e2c2..53f9c5538c 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -113,8 +113,9 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = concat([for np in google_container_node_pool.pools : np.version], [""]) + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } + cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] From a47d6e62bf901d576678e795b0e93f7e81cc45bd Mon Sep 17 00:00:00 2001 
From: Jack Whelpton Date: Wed, 24 Nov 2021 16:16:07 -0800 Subject: [PATCH 13/35] Fixes documentation --- README.md | 3 ++- outputs.tf | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8532fa2fdf..10dcff3494 100644 --- a/README.md +++ b/README.md @@ -209,8 +209,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | region | Cluster region | | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | diff --git a/outputs.tf b/outputs.tf index f7fee44197..317ade8221 100644 --- a/outputs.tf +++ b/outputs.tf @@ -114,12 +114,12 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "Node pool versions by node-pool name" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } output "node_pools_instance_group_urls" { - description = "Lists of GKE generated instance groups by node-pool name" + description = "Lists of GKE generated instance groups by node pool name" value = local.cluster_node_pools_instance_group_urls } From b722774f7c4321308595c24171692c2dda340066 Mon Sep 17 00:00:00 2001 
From: Jack Whelpton Date: Wed, 24 Nov 2021 16:26:42 -0800 Subject: [PATCH 14/35] Updates more modules --- autogen/main/outputs.tf.tmpl | 12 ++++++------ autogen/safer-cluster/outputs.tf.tmpl | 2 +- .../beta-private-cluster-update-variant/outputs.tf | 12 ++++++------ modules/beta-private-cluster/outputs.tf | 12 ++++++------ .../beta-public-cluster-update-variant/outputs.tf | 12 ++++++------ modules/beta-public-cluster/outputs.tf | 12 ++++++------ modules/hub/outputs.tf | 1 - modules/private-cluster-update-variant/outputs.tf | 12 ++++++------ modules/private-cluster/outputs.tf | 12 ++++++------ modules/safer-cluster-update-variant/outputs.tf | 2 +- modules/safer-cluster/outputs.tf | 2 +- 11 files changed, 45 insertions(+), 46 deletions(-) diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index f15808020f..79108e8199 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account @@ -135,11 +140,6 @@ output "workload_pool" { google_container_cluster.primary ] } - -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} {% if private_cluster %} output "master_ipv4_cidr_block" { diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl index 3769eab065..cf82ca0274 100644 --- a/autogen/safer-cluster/outputs.tf.tmpl 
+++ b/autogen/safer-cluster/outputs.tf.tmpl @@ -104,7 +104,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 8a728942c7..e73bb22528 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account @@ -136,11 +141,6 @@ output "workload_pool" { ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 8a728942c7..e73bb22528 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf 
@@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account @@ -136,11 +141,6 @@ output "workload_pool" { ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 4039b05bae..b12cb9db84 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account 
@@ -136,11 +141,6 @@ output "workload_pool" { ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "istio_enabled" { description = "Whether Istio is enabled" value = local.cluster_istio_enabled diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 4039b05bae..b12cb9db84 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account @@ -136,11 +141,6 @@ output "workload_pool" { ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "istio_enabled" { description = "Whether Istio is enabled" value = local.cluster_istio_enabled diff --git a/modules/hub/outputs.tf b/modules/hub/outputs.tf index c41635b172..9ad677933c 100644 --- a/modules/hub/outputs.tf +++ b/modules/hub/outputs.tf @@ -14,7 +14,6 @@ * limitations under the License. */ - output "wait" { description = "An output to use when you want to depend on registration finishing" value = module.gke_hub_registration.wait diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 22a0dfd113..2d6293f4f3 100644 --- a/modules/private-cluster-update-variant/outputs.tf 
+++ b/modules/private-cluster-update-variant/outputs.tf @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account @@ -136,11 +141,6 @@ output "workload_pool" { ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 22a0dfd113..2d6293f4f3 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -114,10 +114,15 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = local.cluster_node_pools_versions } +output "node_pools_instance_group_urls" { + description = "Lists of GKE generated instance groups by node pool name" + value = local.cluster_node_pools_instance_group_urls +} + output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account 
@@ -136,11 +141,6 @@ output "workload_pool" { ] } -output "instance_group_urls" { - description = "List of GKE generated instance groups" - value = google_container_cluster.primary.instance_group_urls -} - output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/safer-cluster-update-variant/outputs.tf b/modules/safer-cluster-update-variant/outputs.tf index 8ad86f38fc..9846251c16 100644 --- a/modules/safer-cluster-update-variant/outputs.tf +++ b/modules/safer-cluster-update-variant/outputs.tf @@ -104,7 +104,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf index 8ad86f38fc..9846251c16 100644 --- a/modules/safer-cluster/outputs.tf +++ b/modules/safer-cluster/outputs.tf @@ -104,7 +104,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } From 15eef377d844fc9a1e06d82ccf7b68fe6dfc52a6 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 22:17:50 -0800 Subject: [PATCH 15/35] Updates READMEs to match variables --- README.md | 1 - modules/beta-private-cluster-update-variant/README.md | 4 ++-- modules/beta-private-cluster/README.md | 4 ++-- modules/beta-public-cluster-update-variant/README.md | 4 ++-- modules/beta-public-cluster/README.md | 4 ++-- modules/private-cluster-update-variant/README.md | 4 ++-- modules/private-cluster/README.md | 4 ++-- 7 files changed, 12 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 10dcff3494..8e38c48c14 100644 --- a/README.md +++ b/README.md 
@@ -200,7 +200,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index d4b56530ce..4dea0eff02 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -262,7 +262,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | 
@@ -274,8 +273,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index a498e85af2..5376310b47 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -240,7 +240,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | 
@@ -252,8 +251,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 11836bc233..64ee71668a 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -251,7 +251,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | 
@@ -262,8 +261,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 0d08689861..0c36a4cb09 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -229,7 +229,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | 
@@ -240,8 +239,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 18d4fa8c4c..3e25c588a4 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -232,7 +232,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | 
@@ -242,8 +241,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | release\_channel | The release channel of this cluster | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 8e90996400..af9b1c323e 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -210,7 +210,6 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | -| instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | 
@@ -220,8 +219,9 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | release\_channel | The release channel of this cluster | From 21ed39aa859d816406ba6b7b2170d683a3a4425a Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 22:22:57 -0800 Subject: [PATCH 16/35] Uses master branch of bastion * temporary change until new version is released --- examples/safer_cluster_iap_bastion/bastion.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index aad1297cff..b861425fac 100644 --- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf @@ -27,8 +27,11 @@ data "template_file" "startup_script" { } module "bastion" { - source = "terraform-google-modules/bastion-host/google" - version = "~> 4.0" + source = "github.com/terraform-google-modules/terraform-google-bastion-host.git?ref=master" + + # source = "terraform-google-modules/bastion-host/google" + # version = "~> 4.0" + network = module.vpc.network_self_link subnet = module.vpc.subnets_self_links[0] project = module.enabled_google_apis.project_id From f2d7f824ebfe723a6af0251cb5e89b657430f1fd Mon Sep 17 00:00:00 2001 
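Review bot: `source = "github.com/terraform-google-modules/terraform-google-bastion-host.git?ref=master"` swaps a registry module pinned with `version = "~> 4.0"` for a mutable branch, so each `terraform init` of this example pulls whatever `master` contains at that moment, and `.terraform.lock.hcl` will not catch the drift because it records provider hashes, not module content. The bastion is presumably the operator's access path into the safer cluster (the example is named safer_cluster_iap_bastion), which makes an unpinned upstream a supply-chain risk even for the temporary window the commit message describes. Pin the ref to an immutable commit, `?ref=<commit-sha>`, rather than the branch, and add a `# TODO(<issue>): revert to the registry source once the next bastion-host release is published` next to it so the override is not forgotten.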
From: Jack Whelpton Date: Wed, 24 Nov 2021 22:33:07 -0800 Subject: [PATCH 17/35] Updates node pools versions description --- examples/regional_private_node_pool_oauth_scopes/README.md | 2 +- examples/regional_private_node_pool_oauth_scopes/outputs.tf | 2 +- examples/safer_cluster_iap_bastion/bastion.tf | 4 ++-- modules/safer-cluster-update-variant/README.md | 2 +- modules/safer-cluster/README.md | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/regional_private_node_pool_oauth_scopes/README.md b/examples/regional_private_node_pool_oauth_scopes/README.md index 480ff15692..498b2a34de 100644 --- a/examples/regional_private_node_pool_oauth_scopes/README.md +++ b/examples/regional_private_node_pool_oauth_scopes/README.md @@ -27,7 +27,7 @@ This example illustrates how to create a private cluster with node pool specific | network\_module | network module output | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | subnets\_ips | The IP and cidrs of the subnets being created | diff --git a/examples/regional_private_node_pool_oauth_scopes/outputs.tf b/examples/regional_private_node_pool_oauth_scopes/outputs.tf index 2df5357298..ee38fa5fc1 100644 --- a/examples/regional_private_node_pool_oauth_scopes/outputs.tf +++ b/examples/regional_private_node_pool_oauth_scopes/outputs.tf @@ -97,7 +97,7 @@ output "node_pools_names" { } output "node_pools_versions" { - description = "List of node pools versions" + description = "Node pool versions by node pool name" value = module.gke.node_pools_versions } diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index b861425fac..268b761f66 100644 
--- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf @@ -29,8 +29,8 @@ data "template_file" "startup_script" { module "bastion" { source = "github.com/terraform-google-modules/terraform-google-bastion-host.git?ref=master" - # source = "terraform-google-modules/bastion-host/google" - # version = "~> 4.0" + #source = "terraform-google-modules/bastion-host/google" + #version = "~> 4.0" network = module.vpc.network_self_link subnet = module.vpc.subnets_self_links[0] diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 10bcc34349..1d02e46449 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md @@ -279,7 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 10bcc34349..1d02e46449 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -279,7 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | +| node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | From c6872755ffaa309a0200af2dec3f7a8d84b16018 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 22:38:54 -0800 Subject: [PATCH 18/35] Adds locals for node pool instance group URLs --- autogen/main/main.tf.tmpl | 1 + modules/beta-private-cluster-update-variant/main.tf | 1 + modules/beta-private-cluster/main.tf | 1 + modules/beta-public-cluster-update-variant/main.tf | 1 + modules/beta-public-cluster/main.tf | 1 + modules/private-cluster-update-variant/main.tf | 1 + modules/private-cluster/main.tf | 1 + 7 files changed, 7 insertions(+) diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 5629a0cfb5..826deccc8e 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -173,6 +173,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled 
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 93545d4e97..29f9dbf9d4 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -156,6 +156,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 93545d4e97..29f9dbf9d4 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -156,6 +156,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 718dbd8a7d..9f5269fb6d 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -155,6 +155,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 718dbd8a7d..9f5269fb6d 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -155,6 +155,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 53f9c5538c..992a81b9c8 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -134,6 +134,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 53f9c5538c..992a81b9c8 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -134,6 +134,7 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions + cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled From a304f6db042ec4c5661082cc45220a6dc152491e Mon Sep 17 00:00:00 2001 
From: Jack Whelpton Date: Wed, 24 Nov 2021 23:02:44 -0800 Subject: [PATCH 19/35] Uses master branch of terraform-google-project-factory * temporary change until new version of that dependency is released --- .../acm-terraform-blog-part1/terraform/gke.tf | 6 ++++-- .../acm-terraform-blog-part2/terraform/gke.tf | 6 ++++-- .../acm-terraform-blog-part3/terraform/gke.tf | 6 ++++-- examples/safer_cluster_iap_bastion/apis.tf | 6 ++++-- modules/asm/main.tf | 9 ++++++--- modules/binary-authorization/main.tf | 6 ++++-- modules/services/main.tf | 6 ++++-- test/setup/main.tf | 18 ++++++++++++------ 8 files changed, 42 insertions(+), 21 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index e3c3628aeb..641d50611a 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -15,8 +15,10 @@ */ module "enabled_google_apis" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 10.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 7df56fc43a..805b383786 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf 
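Review bot: `source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"` drops the `version = "~> 10.0"` constraint for a mutable branch on a module that enables project-level APIs, so whatever lands on upstream `master` between now and the promised release is applied under the deploying identity's project permissions with no version or checksum check. The commit message frames this as temporary, but a branch ref gives no way to reproduce a given plan later, which matters for an example that is published as blog guidance. Pinning to a commit SHA, `?ref=<commit-sha>`, keeps the early access to the unreleased fix while making the fetched code immutable; the commented registry lines can stay as the intended end state.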
@@ -15,8 +15,10 @@ */ module "enabled_google_apis" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 10.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index cbe55dfa89..43cd78dd22 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -15,8 +15,10 @@ */ module "enabled_google_apis" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 10.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index 7a213824a5..ded53aad5d 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -15,8 +15,10 @@ */ module "enabled_google_apis" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 10.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/modules/asm/main.tf b/modules/asm/main.tf index e50d56bcce..1bf3699010 100644 --- a/modules/asm/main.tf 
+++ b/modules/asm/main.tf @@ -61,9 +61,12 @@ resource "google_project_iam_member" "asm_iam" { } module "asm-services" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" - count = var.enable_gcp_apis ? 1 : 0 + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 10.0" + + count = var.enable_gcp_apis ? 1 : 0 project_id = var.project_id disable_services_on_destroy = false diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf index 5b6ee02085..b4d35420c7 100644 --- a/modules/binary-authorization/main.tf +++ b/modules/binary-authorization/main.tf @@ -24,8 +24,10 @@ locals { } module "project-services" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 10.0" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 10.0" project_id = var.project_id activate_apis = local.required_enabled_apis diff --git a/modules/services/main.tf b/modules/services/main.tf index f6021fe1a8..426a2a49eb 100644 --- a/modules/services/main.tf +++ b/modules/services/main.tf @@ -15,8 +15,10 @@ */ module "services" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 6.0.0" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" + + #source = "terraform-google-modules/project-factory/google//modules/project_services" + #version = "~> 6.0.0" project_id = var.project_id enable_apis = var.enable_apis diff --git a/test/setup/main.tf b/test/setup/main.tf index b690796fb6..6e42bc5298 100644 
--- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -19,8 +19,10 @@ resource "random_id" "random_project_id_suffix" { } module "gke-project-1" { - source = "terraform-google-modules/project-factory/google" - version = "~> 10.1" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master" + + #source = "terraform-google-modules/project-factory/google" + #version = "~> 10.1" name = "ci-gke-${random_id.random_project_id_suffix.hex}" random_project_id = true @@ -47,8 +49,10 @@ module "gke-project-1" { } module "gke-project-2" { - source = "terraform-google-modules/project-factory/google" - version = "~> 10.1" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master" + + #source = "terraform-google-modules/project-factory/google" + #version = "~> 10.1" name = "ci-gke-${random_id.random_project_id_suffix.hex}" random_project_id = true @@ -75,8 +79,10 @@ module "gke-project-2" { # apis as documented https://cloud.google.com/service-mesh/docs/scripted-install/reference#setting_up_your_project module "gke-project-asm" { - source = "terraform-google-modules/project-factory/google" - version = "~> 10.1" + source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master" + + #source = "terraform-google-modules/project-factory/google" + #version = "~> 10.1" name = "ci-gke-asm-${random_id.random_project_id_suffix.hex}" random_project_id = true From 6b564952f8d140f1a17150b84ebdd1d1029faaad Mon Sep 17 00:00:00 2001 
From: Jack Whelpton Date: Wed, 24 Nov 2021 23:04:57 -0800 Subject: [PATCH 20/35] Updates project version ready for release --- examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part3/terraform/gke.tf | 2 +- examples/safer_cluster_iap_bastion/apis.tf | 2 +- modules/asm/main.tf | 2 +- modules/binary-authorization/main.tf | 2 +- modules/services/main.tf | 2 +- test/setup/main.tf | 6 +++--- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 641d50611a..e64875af4d 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -18,7 +18,7 @@ module "enabled_google_apis" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 10.0" + #version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 805b383786..3ab471f251 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -18,7 +18,7 @@ module "enabled_google_apis" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 10.0" + #version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 43cd78dd22..62a5df9f6d 100644 
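Review bot: The `+ #version = "~> 11.3"` edit changes only a commented-out line, so nothing about the resolved module changes and the live `source` still tracks `?ref=master`; the same applies to the other seven hunks in this patch. In `modules/services/main.tf` the commented constraint jumps from `~> 6.0.0` to `~> 11.3`, which spans several major releases of project-factory, so it is worth confirming against that module's changelog that the `project_services` inputs used here (`enable_apis`, `disable_services_on_destroy`) are unchanged before those lines are restored. A one-line note beside the commented block, e.g. `# pinned to master until project-factory 11.3 is released; then restore the two lines below`, would make the intent visible without reading the commit history.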
--- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -18,7 +18,7 @@ module "enabled_google_apis" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 10.0" + #version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index ded53aad5d..ae0db88553 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -18,7 +18,7 @@ module "enabled_google_apis" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 10.0" + #version = "~> 11.3" project_id = var.project_id disable_services_on_destroy = false diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 1bf3699010..d85a751a9a 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -64,7 +64,7 @@ module "asm-services" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 10.0" + #version = "~> 11.3" count = var.enable_gcp_apis ? 1 : 0 diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf index b4d35420c7..c3d3d69709 100644 --- a/modules/binary-authorization/main.tf +++ b/modules/binary-authorization/main.tf 
@@ -27,7 +27,7 @@ module "project-services" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 10.0" + #version = "~> 11.3" project_id = var.project_id activate_apis = local.required_enabled_apis diff --git a/modules/services/main.tf b/modules/services/main.tf index 426a2a49eb..be2643dd97 100644 --- a/modules/services/main.tf +++ b/modules/services/main.tf @@ -18,7 +18,7 @@ module "services" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 6.0.0" + #version = "~> 11.3" project_id = var.project_id enable_apis = var.enable_apis diff --git a/test/setup/main.tf b/test/setup/main.tf index 6e42bc5298..e3d6264aea 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -22,7 +22,7 @@ module "gke-project-1" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master" #source = "terraform-google-modules/project-factory/google" - #version = "~> 10.1" + #version = "~> 11.3" name = "ci-gke-${random_id.random_project_id_suffix.hex}" random_project_id = true @@ -52,7 +52,7 @@ module "gke-project-2" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master" #source = "terraform-google-modules/project-factory/google" - #version = "~> 10.1" + #version = "~> 11.3" name = "ci-gke-${random_id.random_project_id_suffix.hex}" random_project_id = true 
@@ -82,7 +82,7 @@ module "gke-project-asm" { source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master" #source = "terraform-google-modules/project-factory/google" - #version = "~> 10.1" + #version = "~> 11.3" name = "ci-gke-asm-${random_id.random_project_id_suffix.hex}" random_project_id = true From b7f094f6cdfcb28756c13a15121364215e3115d6 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 23:12:20 -0800 Subject: [PATCH 21/35] Updates pinned version of Google provider for example --- examples/simple_zonal_with_asm/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/simple_zonal_with_asm/versions.tf b/examples/simple_zonal_with_asm/versions.tf index b805d61b14..bd6eb4f181 100644 --- a/examples/simple_zonal_with_asm/versions.tf +++ b/examples/simple_zonal_with_asm/versions.tf @@ -19,7 +19,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "~> 3.63.0" + version = "~> 4.0" } google-beta = { source = "hashicorp/google-beta" From df47f35acea80cbac8448970f1a4994ee82aed28 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Wed, 24 Nov 2021 23:18:43 -0800 Subject: [PATCH 22/35] Updates pinned version of Google provider in example --- examples/simple_regional_with_networking/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/simple_regional_with_networking/versions.tf b/examples/simple_regional_with_networking/versions.tf index 2d51f4c8f0..e8fbb1aadd 100644 --- a/examples/simple_regional_with_networking/versions.tf +++ b/examples/simple_regional_with_networking/versions.tf @@ -18,7 +18,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "~> 3.45.0" + version = "~> 4.0" } kubernetes = { source = "hashicorp/kubernetes" From f9b7ec30436b25a01bae9f831ec44745b40d9974 Mon Sep 17 00:00:00 2001 
From: Jack Whelpton Date: Sun, 28 Nov 2021 19:42:14 -0800 Subject: [PATCH 23/35] Addresses code review comments --- README.md | 8 +-- autogen/main/main.tf.tmpl | 12 ++--- autogen/main/outputs.tf.tmpl | 12 ++--- autogen/main/variables.tf.tmpl | 4 +- autogen/safer-cluster/main.tf.tmpl | 4 +- docs/upgrading_to_v18.0.md | 52 +++++++++++++------ examples/safer_cluster_iap_bastion/bastion.tf | 2 +- examples/safer_cluster_iap_bastion/cluster.tf | 2 +- examples/simple_regional_beta/README.md | 2 +- examples/simple_regional_beta/main.tf | 4 +- examples/simple_regional_beta/test_outputs.tf | 4 +- examples/simple_zonal_with_asm/README.md | 2 +- .../simple_zonal_with_asm/test_outputs.tf | 4 +- examples/workload_identity/main.tf | 2 +- main.tf | 12 ++--- .../README.md | 8 +-- .../main.tf | 12 ++--- .../outputs.tf | 12 ++--- .../variables.tf | 4 +- modules/beta-private-cluster/README.md | 8 +-- modules/beta-private-cluster/main.tf | 12 ++--- modules/beta-private-cluster/outputs.tf | 12 ++--- modules/beta-private-cluster/variables.tf | 4 +- .../README.md | 8 +-- .../main.tf | 12 ++--- .../outputs.tf | 12 ++--- .../variables.tf | 4 +- modules/beta-public-cluster/README.md | 8 +-- modules/beta-public-cluster/main.tf | 12 ++--- modules/beta-public-cluster/outputs.tf | 12 ++--- modules/beta-public-cluster/variables.tf | 4 +- .../private-cluster-update-variant/README.md | 8 +-- .../private-cluster-update-variant/main.tf | 12 ++--- .../private-cluster-update-variant/outputs.tf | 12 ++--- .../variables.tf | 4 +- modules/private-cluster/README.md | 8 +-- modules/private-cluster/main.tf | 12 ++--- modules/private-cluster/outputs.tf | 12 ++--- modules/private-cluster/variables.tf | 4 +- modules/safer-cluster-update-variant/main.tf | 4 +- modules/safer-cluster/main.tf | 4 +- outputs.tf | 12 ++--- test/fixtures/beta_cluster/outputs.tf | 4 +- test/integration/beta_cluster/inspec.yml | 2 +- .../workload_identity/controls/gcloud.rb | 2 +- variables.tf | 4 +- 46 files changed, 190 insertions(+), 
184 deletions(-) diff --git a/README.md b/README.md index 8e38c48c14..1cff8f1dff 100644 --- a/README.md +++ b/README.md @@ -149,6 +149,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -167,7 +168,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -188,7 +189,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -200,6 +200,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | 
@@ -208,14 +210,12 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | region | Cluster region | | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | -| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 826deccc8e..5a5c8d7d37 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -152,9 +152,8 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } - cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
@@ -173,13 +172,12 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions - cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") - cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ - workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool + workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") + cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] {% if beta_cluster %} # BETA features diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 79108e8199..35ed78c1ff 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl 
@@ -118,22 +118,22 @@ output "node_pools_versions" { value = local.cluster_node_pools_versions } -output "node_pools_instance_group_urls" { - description = "Lists of GKE generated instance groups by node pool name" - value = local.cluster_node_pools_instance_group_urls -} - output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } -output "workload_pool" { +output "identity_namespace" { description = "Workload Identity pool" value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 2f0f116c35..0a64109aea 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -537,7 +537,7 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string } @@ -551,7 +551,7 @@ variable "database_encryption" { }] } -variable "workload_pool" { +variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 761826dd44..925b7b0408 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl 
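Review bot: Changing the `node_metadata` default to `GKE_METADATA` silently invalidates the old `GKE_METADATA_SERVER`, `EXPOSE` and `SECURE` values, and the variable still has no `validation` block, so a caller carrying a stale value only finds out at apply time from the provider error. The docs hunk in this same patch lists the accepted set as `GKE_METADATA`, `GCE_METADATA` and `UNSPECIFIED`, so a validation block with that set would turn the mistake into a plan-time error and can name the renamed values in its message. Extending the description to list those three values (and, if I recall the GKE semantics correctly, to say that `GKE_METADATA` is the mode that puts the GKE metadata server between pods and the node's instance metadata, which is why it is the default) would save readers a trip to the upgrade guide.
```terraform
variable "node_metadata" {
  # … unchanged: description, default = "GKE_METADATA", type = string …

  validation {
    condition     = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED"], var.node_metadata)
    error_message = "node_metadata must be GKE_METADATA, GCE_METADATA or UNSPECIFIED (GKE_METADATA_SERVER is now GKE_METADATA, EXPOSE is now GCE_METADATA, SECURE was removed)."
  }
}
```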
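Review bot: The description of the renamed `identity_namespace` variable explains `enabled` but not the disable path: the locals in `autogen/main/main.tf.tmpl` and `main.tf` in this patch treat both `null` and the literal string `"null"` as "Workload Identity off", and any other string is passed straight through as the `workload_pool`. Suggest appending `Set to null (or the string "null") to disable Workload Identity; any other value is used verbatim as the workload pool.` so callers do not have to read the locals to learn the sentinel. A `validation` block accepting `enabled`, `null`/`"null"`, or a value ending in `.svc.id.goog` (the only pool form GKE accepts, as far as I recall) would also catch typos before they reach the API.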
@@ -160,8 +160,8 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling - // We enable identity namespace by default. - workload_pool = "${var.project_id}.svc.id.goog" + // We enable Workload Identity by default. + identity_namespace = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/docs/upgrading_to_v18.0.md b/docs/upgrading_to_v18.0.md index 652a12d3a3..1a759e78f2 100644 --- a/docs/upgrading_to_v18.0.md +++ b/docs/upgrading_to_v18.0.md @@ -2,6 +2,28 @@ The v18.0 release of *kubernetes-engine* is a backwards incompatible release. +### Google Cloud Platform Provider upgrade +The Terraform Kubernetes Engine Module now requires version 4.0 or higher of +the Google Cloud Platform Provider. + +```diff +terraform { + required_providers { + google = { + source = "hashicorp/google" +- version = "~> 3.0" ++ version = "~> 4.0" + } + google-beta = { + source = "hashicorp/google-beta" +- version = "~> 3.0" ++ version = "~> 4.0" + } + + } +} +``` + ### Kubernetes Basic Authentication removed Basic authentication is deprecated and has been removed in GKE 1.19 and later. Owing to this, the `basic_auth_username` and `basic_auth_password` variables 
@@ -18,26 +40,26 @@ have been eliminated. } ``` -### identity_namespace renamed to workload_pool -The `identity_namespace` variable has been renamed for consistency with the -Kubernetes API; the behavior (e.g. enabling Workload Identity by default) -remains the same. +### Acceptable values for node_metadata modified +The `node_metadata` variable should now be set to one of `GKE_METADATA`, +`GCE_METADATA` or `UNSPECIFIED`. `GKE_METADATA` replaces the previous +`GKE_METADATA_SERVER` value, `GCE_METADATA` should be used in place of +`EXPOSE`. The `SECURE` option, previously deprecated, has now been removed. ```diff - module "gke" { - source = "terraform-google-modules/kubernetes-engine/google" -- version = "~> 17.0" -+ version = "~> 18.0" +module "gke" { + source = "../../modules/safer-cluster" -- identity_namespace = null -+ workload_pool = null + node_pools = [ + { + +- node_metadata = "GKE_METADATA_SERVER" ++ node_metadata = "GKE_METADATA" + } + ] } ``` ### node_pools_versions is now keyed by node-pool name -The `node_pools_versions` output is now an object keyed by node-pool name, +The `node_pools_versions` output is now an object keyed by node pool name, rather than a list as previously. - -### instance_group_urls is now removed -The `instance_group_urls` output has been removed in favor of a node-pool level -output `node_pools_instance_group_urls`, keyed by node-pool name. diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index 268b761f66..99b8196802 100644 --- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf @@ -30,7 +30,7 @@ module "bastion" { source = "github.com/terraform-google-modules/terraform-google-bastion-host.git?ref=master" #source = "terraform-google-modules/bastion-host/google" - #version = "~> 4.0" + #version = "~> 4.1" network = module.vpc.network_self_link subnet = module.vpc.subnets_self_links[0] 
diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 8ec538b47b..b462784548 100644 --- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf @@ -36,7 +36,7 @@ module "gke" { min_count = 1 max_count = 4 auto_upgrade = true - node_metadata = "GKE_METADATA_SERVER" + node_metadata = "GKE_METADATA" } ] } diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index bfc9eae7ee..5d301c9ad6 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md @@ -36,6 +36,7 @@ This example illustrates how to create a simple cluster with beta features. | ca\_certificate | n/a | | client\_token | n/a | | cluster\_name | Cluster name | +| identity\_namespace | n/a | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | @@ -46,7 +47,6 @@ This example illustrates how to create a simple cluster with beta features. | region | n/a | | service\_account | The default service account used for running nodes. | | subnetwork | n/a | -| workload\_pool | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index c397d89a69..a97cc09f1e 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -52,8 +52,8 @@ module "gke" { release_channel = "REGULAR" # Disable workload identity - workload_pool = null - node_metadata = "UNSPECIFIED" + identity_namespace = null + node_metadata = "UNSPECIFIED" # Enable Dataplane Setup datapath_provider = "ADVANCED_DATAPATH" diff --git a/examples/simple_regional_beta/test_outputs.tf b/examples/simple_regional_beta/test_outputs.tf index 786ff9ea29..71e5965e05 100644 --- a/examples/simple_regional_beta/test_outputs.tf 
+++ b/examples/simple_regional_beta/test_outputs.tf @@ -62,6 +62,6 @@ output "master_kubernetes_version" { value = module.gke.master_version } -output "workload_pool" { - value = module.gke.workload_pool +output "identity_namespace" { + value = module.gke.identity_namespace } diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index d7085148cd..ce486ec503 100644 --- a/examples/simple_zonal_with_asm/README.md +++ b/examples/simple_zonal_with_asm/README.md @@ -23,6 +23,7 @@ This example illustrates how to create a simple zonal cluster with ASM. | ca\_certificate | n/a | | client\_token | n/a | | cluster\_name | Cluster name | +| identity\_namespace | n/a | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | @@ -33,7 +34,6 @@ This example illustrates how to create a simple zonal cluster with ASM. | region | n/a | | service\_account | The default service account used for running nodes. | | subnetwork | n/a | -| workload\_pool | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_zonal_with_asm/test_outputs.tf b/examples/simple_zonal_with_asm/test_outputs.tf index 786ff9ea29..71e5965e05 100644 --- a/examples/simple_zonal_with_asm/test_outputs.tf +++ b/examples/simple_zonal_with_asm/test_outputs.tf @@ -62,6 +62,6 @@ output "master_kubernetes_version" { value = module.gke.master_version } -output "workload_pool" { - value = module.gke.workload_pool +output "identity_namespace" { + value = module.gke.identity_namespace } diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 8647836729..204e13b739 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf 
@@ -37,7 +37,7 @@ module "gke" { ip_range_services = var.ip_range_services remove_default_node_pool = true service_account = "create" - node_metadata = "GKE_METADATA_SERVER" + node_metadata = "GKE_METADATA" node_pools = [ { name = "wi-pool" diff --git a/main.tf b/main.tf index 5fc275a1d1..7b75b1a64f 100644 --- a/main.tf +++ b/main.tf @@ -112,9 +112,8 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } - cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
@@ -133,13 +132,12 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions - cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ - workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool + workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 4dea0eff02..bebc836f4b 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -197,6 +197,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -224,7 +225,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -248,7 +249,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -262,6 +262,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | @@ -273,7 +275,6 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | 
@@ -284,7 +285,6 @@ Then perform the following commands on the root folder:
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
-| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 29f9dbf9d4..dde89bc126 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -135,9 +135,8 @@ locals {
 cidr_blocks : var.master_authorized_networks
 }]
- cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
- cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
- cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls }
+ cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
+ cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
 cluster_master_auth_list_layer1 = local.cluster_output_master_auth
 cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
@@ -156,13 +155,12 @@ locals {
 cluster_monitoring_service = local.cluster_output_monitoring_service
 cluster_node_pools_names = local.cluster_output_node_pools_names
 cluster_node_pools_versions = local.cluster_output_node_pools_versions
- cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls
 cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled
 cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled
 cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled
- workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null")
- cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{
- workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool
+ workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null")
+ cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
+ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf
index e73bb22528..ff32639181 100644
--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -118,22 +118,22 @@ output "node_pools_versions" {
 value = local.cluster_node_pools_versions
 }
-output "node_pools_instance_group_urls" {
- description = "Lists of GKE generated instance groups by node pool name"
- value = local.cluster_node_pools_instance_group_urls
-}
-
 output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
 value = local.service_account
 }
+output "instance_group_urls" {
+ description = "List of GKE generated instance groups"
+ value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls]))
+}
+
 output "release_channel" {
 description = "The release channel of this cluster"
 value = var.release_channel
 }
-output "workload_pool" {
+output "identity_namespace" {
 description = "Workload Identity pool"
 value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null
 depends_on = [
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index a24fd968eb..299c6eea5e 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -515,7 +515,7 @@ variable "authenticator_security_group" {
 variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA_SERVER"
+ default = "GKE_METADATA"
 type = string
 }
@@ -529,7 +529,7 @@ variable "database_encryption" {
 }]
 }
-variable "workload_pool" {
+variable "identity_namespace" {
 description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
 default = "enabled"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 5376310b47..e6c45504ed 100644
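Review bot: The new `instance_group_urls` output flattens and de-duplicates the per-pool lists, so the node-pool-name-to-instance-groups mapping that `node_pools_instance_group_urls` exposed is gone from the module's interface with no replacement; any caller indexing that map by pool name breaks at plan time. If the flat list is what the 4.0 provider work needs, the keyed output can still be kept alongside it, computed from the resource now that the local it read is removed: `value = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls }`; otherwise the removal should be called out as a breaking change in the commit message. The same outputs.tf hunk appears at L347, L367 and L387. The `identity_namespace` output block continues past the end of the hunk.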
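Review bot: `node_metadata` changes its default to `GKE_METADATA` but still accepts any string, and its description lists no allowed values, so a stale `GKE_METADATA_SERVER` left in a caller's tfvars is only rejected once the provider is invoked. With the 4.x provider the node pool's `workload_metadata_config` takes a `mode` of `GKE_METADATA` or `GCE_METADATA`; since `GCE_METADATA` hands every pod the node service account's credentials through the metadata server, the accepted set and the reason `GKE_METADATA` is the default are worth stating on the variable itself. If the module's `required_version` allows a `validation` block, the shape below does that; if a mapping of legacy names is kept elsewhere in the module, extend the list to match. The same variables.tf hunk appears at L347, L367 and L387.

```terraform
variable "node_metadata" {
  description = "Specifies how node metadata is exposed to the workload running on the node. GKE_METADATA exposes only the GKE metadata server (Workload Identity); GCE_METADATA exposes the node service account to every pod."
  # … unchanged: default, type …

  validation {
    condition     = contains(["GKE_METADATA", "GCE_METADATA"], var.node_metadata)
    error_message = "node_metadata must be GKE_METADATA or GCE_METADATA."
  }
}
```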
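Review bot: Renaming `workload_pool` to `identity_namespace` removes a public module input with no alias, so every caller setting `workload_pool` fails with an unsupported-argument error; that is fail-closed, but the commit message should name it as a breaking change. The description also does not say how Workload Identity is disabled, while main.tf (`@@ -133` hunk above) turns it off only for the literal string `"null"`; suggest appending to the description: `; pass the string "null" to disable Workload Identity)`. The same variables.tf hunk appears at L347, L367 and L387, and the variable block continues past the end of the hunk.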
--- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -175,6 +175,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -202,7 +203,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -226,7 +227,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -240,6 +240,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | @@ -251,7 +253,6 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | 
@@ -262,7 +263,6 @@ Then perform the following commands on the root folder:
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
-| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 29f9dbf9d4..dde89bc126 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -135,9 +135,8 @@ locals {
 cidr_blocks : var.master_authorized_networks
 }]
- cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
- cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
- cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls }
+ cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
+ cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
 cluster_master_auth_list_layer1 = local.cluster_output_master_auth
 cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
@@ -156,13 +155,12 @@ locals {
 cluster_monitoring_service = local.cluster_output_monitoring_service
 cluster_node_pools_names = local.cluster_output_node_pools_names
 cluster_node_pools_versions = local.cluster_output_node_pools_versions
- cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls
 cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled
 cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled
 cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled
- workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null")
- cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{
- workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool
+ workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null")
+ cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
+ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index e73bb22528..ff32639181 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -118,22 +118,22 @@ output "node_pools_versions" {
 value = local.cluster_node_pools_versions
 }
-output "node_pools_instance_group_urls" {
- description = "Lists of GKE generated instance groups by node pool name"
- value = local.cluster_node_pools_instance_group_urls
-}
-
 output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
 value = local.service_account
 }
+output "instance_group_urls" {
+ description = "List of GKE generated instance groups"
+ value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls]))
+}
+
 output "release_channel" {
 description = "The release channel of this cluster"
 value = var.release_channel
 }
-output "workload_pool" {
+output "identity_namespace" {
 description = "Workload Identity pool"
 value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null
 depends_on = [
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index a24fd968eb..299c6eea5e 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -515,7 +515,7 @@ variable "authenticator_security_group" {
 variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA_SERVER"
+ default = "GKE_METADATA"
 type = string
 }
@@ -529,7 +529,7 @@ variable "database_encryption" {
 }]
 }
-variable "workload_pool" {
+variable "identity_namespace" {
 description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
 default = "enabled"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 64ee71668a..afa5c27400 100644
--- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -188,6 +188,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -213,7 +214,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -237,7 +238,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -251,6 +251,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | @@ -261,7 +263,6 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | 
@@ -271,7 +272,6 @@ Then perform the following commands on the root folder:
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
-| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index 9f5269fb6d..e8c80f5589 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -134,9 +134,8 @@ locals {
 cidr_blocks : var.master_authorized_networks
 }]
- cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
- cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
- cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls }
+ cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
+ cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
 cluster_master_auth_list_layer1 = local.cluster_output_master_auth
 cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
@@ -155,13 +154,12 @@ locals {
 cluster_monitoring_service = local.cluster_output_monitoring_service
 cluster_node_pools_names = local.cluster_output_node_pools_names
 cluster_node_pools_versions = local.cluster_output_node_pools_versions
- cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls
 cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled
 cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled
 cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled
- workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null")
- cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{
- workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool
+ workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null")
+ cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
+ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index b12cb9db84..fe06ef81f0 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -118,22 +118,22 @@ output "node_pools_versions" {
 value = local.cluster_node_pools_versions
 }
-output "node_pools_instance_group_urls" {
- description = "Lists of GKE generated instance groups by node pool name"
- value = local.cluster_node_pools_instance_group_urls
-}
-
 output "service_account" {
 description = "The service account to default running nodes as if not overridden in `node_pools`."
 value = local.service_account
 }
+output "instance_group_urls" {
+ description = "List of GKE generated instance groups"
+ value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls]))
+}
+
 output "release_channel" {
 description = "The release channel of this cluster"
 value = var.release_channel
 }
-output "workload_pool" {
+output "identity_namespace" {
 description = "Workload Identity pool"
 value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null
 depends_on = [
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 6c35c434d6..5673405ab4 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -484,7 +484,7 @@ variable "authenticator_security_group" {
 variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA_SERVER"
+ default = "GKE_METADATA"
 type = string
 }
@@ -498,7 +498,7 @@ variable "database_encryption" {
 }]
 }
-variable "workload_pool" {
+variable "identity_namespace" {
 description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
 default = "enabled"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 0c36a4cb09..c104f36a6c 100644
--- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -166,6 +166,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -191,7 +192,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -215,7 +216,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -229,6 +229,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | istio\_enabled | Whether Istio is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | @@ -239,7 +241,6 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | pod\_security\_policy\_enabled | Whether pod security policy is enabled | 
@@ -249,7 +250,6 @@ Then perform the following commands on the root folder:
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |
 | vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled |
-| workload\_pool | Workload Identity pool |
 | zones | List of zones in which the cluster resides |
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 9f5269fb6d..e8c80f5589 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -134,9 +134,8 @@ locals {
 cidr_blocks : var.master_authorized_networks
 }]
- cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
- cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
- cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls }
+ cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""])
+ cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version }
 cluster_master_auth_list_layer1 = local.cluster_output_master_auth
 cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
@@ -155,13 +154,12 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions - cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ - workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool + workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index b12cb9db84..fe06ef81f0 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf 
@@ -118,22 +118,22 @@ output "node_pools_versions" { value = local.cluster_node_pools_versions } -output "node_pools_instance_group_urls" { - description = "Lists of GKE generated instance groups by node pool name" - value = local.cluster_node_pools_instance_group_urls -} - output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } -output "workload_pool" { +output "identity_namespace" { description = "Workload Identity pool" value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6c35c434d6..5673405ab4 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -484,7 +484,7 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string } @@ -498,7 +498,7 @@ variable "database_encryption" { }] } -variable "workload_pool" { +variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 3e25c588a4..a0eb953d74 100644 --- a/modules/private-cluster-update-variant/README.md 
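Review bot: The description of `identity_namespace` never says how Workload Identity is switched off, although the locals that consume it treat both `null` and the literal string `"null"` as "disabled" (`workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null")`); a caller who does not know the sentinel can disable WI without noticing, after which pods fall back to the node service account through the metadata server. Extend the description with `Set to null (or the string "null") to disable Workload Identity; any other value is passed through verbatim as the pool name.` so the security-relevant off switch is visible in the generated README tables. The same text appears in the private-cluster and private-cluster-update-variant copies, so the change presumably belongs in the autogen template rather than in each generated `variables.tf`. The `node_metadata` variable in the neighbouring hunk likewise documents no accepted values; a `validation` block would be useful once the set the provider accepts after this change is confirmed.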
+++ b/modules/private-cluster-update-variant/README.md @@ -180,6 +180,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -199,7 +200,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -220,7 +221,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -232,6 +232,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | @@ -241,7 +243,6 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | 
@@ -249,7 +250,6 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | -| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 992a81b9c8..04b8b02158 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -113,9 +113,8 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } - cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
@@ -134,13 +133,12 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions - cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ - workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool + workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] } diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 2d6293f4f3..98336bf5bd 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf 
@@ -118,22 +118,22 @@ output "node_pools_versions" { value = local.cluster_node_pools_versions } -output "node_pools_instance_group_urls" { - description = "Lists of GKE generated instance groups by node pool name" - value = local.cluster_node_pools_instance_group_urls -} - output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } -output "workload_pool" { +output "identity_namespace" { description = "Workload Identity pool" value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 7fc0f4ab17..3e49e34663 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -390,7 +390,7 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string } @@ -404,7 +404,7 @@ variable "database_encryption" { }] } -variable "workload_pool" { +variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index af9b1c323e..3f7192f459 100644 --- a/modules/private-cluster/README.md 
+++ b/modules/private-cluster/README.md @@ -158,6 +158,7 @@ Then perform the following commands on the root folder: | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | @@ -177,7 +178,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | @@ -198,7 +199,6 @@ Then perform the following commands on the root folder: | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_pool | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs @@ -210,6 +210,8 @@ Then perform the following commands on the root folder: | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| instance\_group\_urls | List of GKE generated instance groups | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | @@ -219,7 +221,6 @@ Then perform the following commands on the root folder: | monitoring\_service | Monitoring service used | | name | Cluster name | | network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_instance\_group\_urls | Lists of GKE generated instance groups by node pool name | | node\_pools\_names | List of node pools names | | node\_pools\_versions | Node pool versions by node pool name | | peering\_name | The name of the peering between this cluster and the Google owned VPC. | 
@@ -227,7 +228,6 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | -| workload\_pool | Workload Identity pool | | zones | List of zones in which the cluster resides | diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 992a81b9c8..04b8b02158 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -113,9 +113,8 @@ locals { cidr_blocks : var.master_authorized_networks }] - cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) - cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } - cluster_output_node_pools_instance_group_urls = { for np in google_container_node_pool.pools : np.name => np.managed_instance_group_urls } + cluster_output_node_pools_names = concat([for np in google_container_node_pool.pools : np.name], [""]) + cluster_output_node_pools_versions = { for np in google_container_node_pool.pools : np.name => np.version } cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] 
@@ -134,13 +133,12 @@ locals { cluster_monitoring_service = local.cluster_output_monitoring_service cluster_node_pools_names = local.cluster_output_node_pools_names cluster_node_pools_versions = local.cluster_output_node_pools_versions - cluster_node_pools_instance_group_urls = local.cluster_output_node_pools_instance_group_urls cluster_network_policy_enabled = !local.cluster_output_network_policy_enabled cluster_http_load_balancing_enabled = !local.cluster_output_http_load_balancing_enabled cluster_horizontal_pod_autoscaling_enabled = !local.cluster_output_horizontal_pod_autoscaling_enabled - workload_identity_enabled = !(var.workload_pool == null || var.workload_pool == "null") - cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.workload_pool == "enabled" ? [{ - workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.workload_pool + workload_identity_enabled = !(var.identity_namespace == null || var.identity_namespace == "null") + cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ + workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] } diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 2d6293f4f3..98336bf5bd 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf 
@@ -118,22 +118,22 @@ output "node_pools_versions" { value = local.cluster_node_pools_versions } -output "node_pools_instance_group_urls" { - description = "Lists of GKE generated instance groups by node pool name" - value = local.cluster_node_pools_instance_group_urls -} - output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } -output "workload_pool" { +output "identity_namespace" { description = "Workload Identity pool" value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 7fc0f4ab17..3e49e34663 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -390,7 +390,7 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string } @@ -404,7 +404,7 @@ variable "database_encryption" { }] } -variable "workload_pool" { +variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 26e62284f7..6242fc4665 100644 --- a/modules/safer-cluster-update-variant/main.tf 
+++ b/modules/safer-cluster-update-variant/main.tf @@ -156,8 +156,8 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling - // We enable identity namespace by default. - workload_pool = "${var.project_id}.svc.id.goog" + // We enable Workload Identity by default. + identity_namespace = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 51831de376..567df7c61e 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -156,8 +156,8 @@ module "gke" { enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling - // We enable identity namespace by default. - workload_pool = "${var.project_id}.svc.id.goog" + // We enable Workload Identity by default. + identity_namespace = "${var.project_id}.svc.id.goog" authenticator_security_group = var.authenticator_security_group diff --git a/outputs.tf b/outputs.tf index 317ade8221..a6f20a6f3b 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -118,22 +118,22 @@ output "node_pools_versions" { value = local.cluster_node_pools_versions } -output "node_pools_instance_group_urls" { - description = "Lists of GKE generated instance groups by node pool name" - value = local.cluster_node_pools_instance_group_urls -} - output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = local.service_account } +output "instance_group_urls" { + description = "List of GKE generated instance groups" + value = distinct(flatten([for np in google_container_node_pool.pools : np.managed_instance_group_urls])) +} + output "release_channel" { description = "The release channel of this cluster" value = var.release_channel } -output "workload_pool" { +output "identity_namespace" { description = "Workload Identity pool" value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null depends_on = [ diff --git a/test/fixtures/beta_cluster/outputs.tf b/test/fixtures/beta_cluster/outputs.tf index a5bdffd2fd..fdcc23db68 100644 --- a/test/fixtures/beta_cluster/outputs.tf +++ b/test/fixtures/beta_cluster/outputs.tf @@ -84,6 +84,6 @@ output "database_encryption_key_name" { value = google_kms_crypto_key.db.id } -output "workload_pool" { - value = module.this.workload_pool +output "identity_namespace" { + value = module.this.identity_namespace } diff --git a/test/integration/beta_cluster/inspec.yml b/test/integration/beta_cluster/inspec.yml index bc38a8915f..05762386b6 100644 --- a/test/integration/beta_cluster/inspec.yml +++ b/test/integration/beta_cluster/inspec.yml @@ -45,6 +45,6 @@ attributes: - name: database_encryption_key_name required: true type: string - - name: workload_pool + - name: identity_namespace required: true type: string diff --git a/test/integration/workload_identity/controls/gcloud.rb b/test/integration/workload_identity/controls/gcloud.rb index 1c956052eb..e88b076fd6 100644 
--- a/test/integration/workload_identity/controls/gcloud.rb +++ b/test/integration/workload_identity/controls/gcloud.rb @@ -37,7 +37,7 @@ describe "workload metada config" do it "is secure" do - expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'GKE_METADATA_SERVER' + expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'GKE_METADATA' end end end diff --git a/variables.tf b/variables.tf index 3a0bafb6be..537716ea86 100644 --- a/variables.tf +++ b/variables.tf @@ -366,7 +366,7 @@ variable "authenticator_security_group" { variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA_SERVER" + default = "GKE_METADATA" type = string } @@ -380,7 +380,7 @@ variable "database_encryption" { }] } -variable "workload_pool" { +variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" From 8ea9a164a3ee69e326e1e2bd1a42a37e70f53da7 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Tue, 30 Nov 2021 18:21:29 -0800 Subject: [PATCH 24/35] Temporarily applies an empty source_tags setting. * this should be removed once https://github.com/hashicorp/terraform-provider-google/issues/10494 is addressed --- autogen/main/firewall.tf.tmpl | 1 + firewall.tf | 1 + modules/beta-private-cluster-update-variant/firewall.tf | 1 + modules/beta-private-cluster/firewall.tf | 1 + modules/beta-public-cluster-update-variant/firewall.tf | 1 + modules/beta-public-cluster/firewall.tf | 1 + modules/private-cluster-update-variant/firewall.tf | 1 + modules/private-cluster/firewall.tf | 1 + 8 files changed, 8 insertions(+) diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl index 3826d30a15..eb8cafca42 100644 --- a/autogen/main/firewall.tf.tmpl 
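Review bot: The assertion keeps reading `workloadMetadataConfig.nodeMetadata` while expecting the new value `GKE_METADATA`; in the GKE API `nodeMetadata` is the older field whose enum value is `GKE_METADATA_SERVER`, and `GKE_METADATA` belongs to the newer `mode` field, so this control may not match what `gcloud` returns once the node pools are created with the new default. If the `mode` field is what the provider now sets, the check probably wants `expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["mode"]).to eq 'GKE_METADATA'`, confirmed against a real `gcloud container clusters describe` before relying on it. The control also inspects only `nodePools[0]`; a single extra pool left on GCE metadata exposes the node service-account token to every pod scheduled there, so iterating all pools (`data['nodePools'].each { |np| expect(np["config"]["workloadMetadataConfig"]["mode"]).to eq 'GKE_METADATA' }`) would make the "is secure" claim hold for the whole cluster. The enclosing `describe` block starts outside the hunk.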
+++ b/autogen/main/firewall.tf.tmpl @@ -112,6 +112,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/firewall.tf b/firewall.tf index 02df638f25..4382b86ff6 100644 --- a/firewall.tf +++ b/firewall.tf @@ -70,6 +70,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 75023e32ca..cec61225ce 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf @@ -100,6 +100,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 75023e32ca..cec61225ce 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf @@ -100,6 +100,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf index ce56926f37..eaeb530e0f 100644 --- a/modules/beta-public-cluster-update-variant/firewall.tf +++ b/modules/beta-public-cluster-update-variant/firewall.tf 
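Review bot: The workaround line `source_tags = [""]` carries no in-code pointer to why it exists, so nothing in `autogen/main/firewall.tf.tmpl` or the seven generated copies will prompt its removal once the provider bug is fixed; add `# TODO: remove once hashicorp/terraform-provider-google#10494 is fixed` directly above it in the template. Because Compute Engine evaluates `source_ranges` and `source_tags` as a union, an empty-string tag should not widen this rule beyond `local.cluster_endpoint_for_nodes`, but since this is the rule that admits control-plane webhook traffic to the nodes it is worth confirming in the applied rule (`gcloud compute firewall-rules describe`) that no literal empty tag is recorded and that the rule does not show a permanent diff. The `google_compute_firewall "master_webhooks"` resource starts outside the hunk.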
@@ -106,6 +106,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf index ce56926f37..eaeb530e0f 100644 --- a/modules/beta-public-cluster/firewall.tf +++ b/modules/beta-public-cluster/firewall.tf @@ -106,6 +106,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf index 62d8463ee8..89249ca989 100644 --- a/modules/private-cluster-update-variant/firewall.tf +++ b/modules/private-cluster-update-variant/firewall.tf @@ -67,6 +67,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf index 62d8463ee8..89249ca989 100644 --- a/modules/private-cluster/firewall.tf +++ b/modules/private-cluster/firewall.tf @@ -67,6 +67,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { From 6adaa60a250f83362dd283d7804fb6d7b8f12542 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Tue, 30 Nov 2021 18:28:11 -0800 Subject: [PATCH 25/35] Fixes indentation --- autogen/main/firewall.tf.tmpl | 2 +- firewall.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl index eb8cafca42..60725b8f76 100644 --- a/autogen/main/firewall.tf.tmpl 
+++ b/autogen/main/firewall.tf.tmpl @@ -112,7 +112,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] - source_tags = [""] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { diff --git a/firewall.tf b/firewall.tf index 4382b86ff6..613e1bd9a9 100644 --- a/firewall.tf +++ b/firewall.tf @@ -70,7 +70,7 @@ resource "google_compute_firewall" "master_webhooks" { direction = "INGRESS" source_ranges = [local.cluster_endpoint_for_nodes] - source_tags = [""] + source_tags = [""] target_tags = [local.cluster_network_tag] allow { From 5a9480aeedfae7e075e0721dc2b793a0325b58c5 Mon Sep 17 00:00:00 2001 From: Jack Whelpton Date: Tue, 7 Dec 2021 10:24:53 -0800 Subject: [PATCH 26/35] Uses newly-released version of project factory --- examples/acm-terraform-blog-part1/terraform/gke.tf | 6 ++---- examples/acm-terraform-blog-part2/terraform/gke.tf | 6 ++---- examples/acm-terraform-blog-part3/terraform/gke.tf | 6 ++---- examples/safer_cluster_iap_bastion/apis.tf | 6 ++---- modules/asm/main.tf | 6 ++---- modules/services/main.tf | 6 ++---- 6 files changed, 12 insertions(+), 24 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index e64875af4d..2b109fb20c 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -15,10 +15,8 @@ */ module "enabled_google_apis" { - source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" - - #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 11.3" + source = "terraform-google-modules/project-factory/google//modules/project_services" + version = "~> 11.3" project_id = var.project disable_services_on_destroy = false 
diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 3ab471f251..dae795b4c6 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -15,10 +15,8 @@ */ module "enabled_google_apis" { - source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" - - #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 11.3" + source = "terraform-google-modules/project-factory/google//modules/project_services" + version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 62a5df9f6d..2dcf171f51 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -15,10 +15,8 @@ */ module "enabled_google_apis" { - source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master" - - #source = "terraform-google-modules/project-factory/google//modules/project_services" - #version = "~> 11.3" + source = "terraform-google-modules/project-factory/google//modules/project_services" + version = "~> 11.3" project_id = var.project disable_services_on_destroy = false diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index ae0db88553..bf4803cdfa 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf 
@@ -15,10 +15,8 @@
 */
 module "enabled_google_apis" {
- source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"
-
- #source = "terraform-google-modules/project-factory/google//modules/project_services"
- #version = "~> 11.3"
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 11.3"
 project_id = var.project_id
 disable_services_on_destroy = false
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index d85a751a9a..84e3828c39 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -61,10 +61,8 @@ resource "google_project_iam_member" "asm_iam" {
 }
 module "asm-services" {
- source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"
-
- #source = "terraform-google-modules/project-factory/google//modules/project_services"
- #version = "~> 11.3"
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 11.3"
 count = var.enable_gcp_apis ? 1 : 0
diff --git a/modules/services/main.tf b/modules/services/main.tf
index be2643dd97..5d6d95d17b 100644
--- a/modules/services/main.tf
+++ b/modules/services/main.tf
@@ -15,10 +15,8 @@
 */
 module "services" {
- source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"
-
- #source = "terraform-google-modules/project-factory/google//modules/project_services"
- #version = "~> 11.3"
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 11.3"
 project_id = var.project_id
 enable_apis = var.enable_apis
From cfeb0db58960ba108ebd0e4d1bb20b8003ab99f3 Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Tue, 7 Dec 2021 10:30:00 -0800
Subject: [PATCH 27/35] Uses released version of bastion host
---
 examples/safer_cluster_iap_bastion/bastion.tf | 6 ++----
 modules/binary-authorization/main.tf | 6 ++----
 test/setup/main.tf | 12 ++++--------
 3 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf
index 99b8196802..91592033f8 100644
--- a/examples/safer_cluster_iap_bastion/bastion.tf
+++ b/examples/safer_cluster_iap_bastion/bastion.tf
@@ -27,10 +27,8 @@ data "template_file" "startup_script" {
 }
 module "bastion" {
- source = "github.com/terraform-google-modules/terraform-google-bastion-host.git?ref=master"
-
- #source = "terraform-google-modules/bastion-host/google"
- #version = "~> 4.1"
+ source = "terraform-google-modules/bastion-host/google"
+ version = "~> 4.1"
 network = module.vpc.network_self_link
 subnet = module.vpc.subnets_self_links[0]
diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf
index c3d3d69709..e4a69c0b6e 100644
--- a/modules/binary-authorization/main.tf
+++ b/modules/binary-authorization/main.tf
@@ -24,10 +24,8 @@ locals {
 }
 module "project-services" {
- source = "github.com/terraform-google-modules/terraform-google-project-factory.git//modules/project_services?ref=master"
-
- #source = "terraform-google-modules/project-factory/google//modules/project_services"
- #version = "~> 11.3"
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 11.3"
 project_id = var.project_id
 activate_apis = local.required_enabled_apis
diff --git a/test/setup/main.tf b/test/setup/main.tf
index e3d6264aea..a4bee2d789 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -19,10 +19,8 @@ resource "random_id" "random_project_id_suffix" {
 }
 module "gke-project-1" {
- source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master"
-
- #source = "terraform-google-modules/project-factory/google"
- #version = "~> 11.3"
+ source = "terraform-google-modules/project-factory/google"
+ version = "~> 11.3"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -49,10 +47,8 @@ module "gke-project-1" {
 }
 module "gke-project-2" {
- source = "github.com/terraform-google-modules/terraform-google-project-factory.git?ref=master"
-
- #source = "terraform-google-modules/project-factory/google"
- #version = "~> 11.3"
+ source = "terraform-google-modules/project-factory/google"
+ version = "~> 11.3"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
From 8a6809a675435f6c4685e69677907226d3e1cbeb Mon Sep 17 00:00:00 2001
From: Jack Whelpton
Date: Thu, 23 Dec 2021 10:03:00 -0800
Subject: [PATCH 28/35] Removes use of SECURE mode (deprecated)
---
 examples/workload_metadata_config/main.tf | 2 +-
 .../workload_metadata_config/controls/gcloud.rb | 12 ------------
 2 files changed, 1 insertion(+), 13 deletions(-)
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index dd4b806feb..a1443f285f 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -49,7 +49,7 @@ module "gke" {
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "172.16.0.0/28"
- node_metadata = "SECURE"
+ node_metadata = "GKE_METADATA"
 master_authorized_networks = [ {
diff --git a/test/integration/workload_metadata_config/controls/gcloud.rb b/test/integration/workload_metadata_config/controls/gcloud.rb
index 70d14a8608..55cbdd5066 100644
--- a/test/integration/workload_metadata_config/controls/gcloud.rb
+++ b/test/integration/workload_metadata_config/controls/gcloud.rb
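Review bot: Switching the example to `node_metadata = "GKE_METADATA"` is paired, in the next file section, with deleting both `nodeMetadata` assertions in test/integration/workload_metadata_config/controls/gcloud.rb rather than updating them, so this example no longer verifies how node metadata is exposed to workloads at all. The later "fix wi test" commit in this series asserts `'GKE_METADATA_SERVER'` for the same setting in the workload_identity control, which suggests the equivalent here would be `expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'GKE_METADATA_SERVER'` together with the matching `nodeConfig` check. If the describe blocks were removed for another reason, that is worth a sentence in the commit message.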
@@ -31,12 +31,6 @@
 {}
 end
 end
-
- describe "workload metada config" do
- it "is secure" do
- expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'SECURE'
- end
- end
 end
 describe command("gcloud beta --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json --format=\"json(nodeConfig.workloadMetadataConfig)\"") do
@@ -50,12 +44,6 @@
 {}
 end
 end
-
- describe "workload metada config" do
- it "is secure" do
- expect(data["nodeConfig"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'SECURE'
- end
- end
 end
 registry_project_ids.each do |registry_project_id|
From 88f2ab822e58bcdb4a1a7fa4c423efb46ba6a841 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Wed, 19 Jan 2022 15:36:43 -0600
Subject: [PATCH 29/35] test empty source tag workaround
---
 autogen/main/firewall.tf.tmpl | 2 +-
 firewall.tf | 2 +-
 modules/beta-private-cluster-update-variant/firewall.tf | 2 +-
 modules/beta-private-cluster/firewall.tf | 2 +-
 modules/beta-public-cluster-update-variant/firewall.tf | 2 +-
 modules/beta-public-cluster/firewall.tf | 2 +-
 modules/private-cluster-update-variant/firewall.tf | 2 +-
 modules/private-cluster/firewall.tf | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl
index 60725b8f76..183e761f70 100644
--- a/autogen/main/firewall.tf.tmpl
+++ b/autogen/main/firewall.tf.tmpl
@@ -112,7 +112,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/firewall.tf b/firewall.tf
index 613e1bd9a9..8ac7624d15 100644
--- a/firewall.tf
+++ b/firewall.tf
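Review bot: `source_tags = []` in the master_webhooks rule of autogen/main/firewall.tf.tmpl replaces `[""]` without any comment on why an explicitly empty list has to be written out, and the commit title calls it a workaround, so the next reader of the template cannot tell whether the line is load-bearing or can be dropped. Since this template is the source of the seven generated firewall.tf copies changed in the same commit, a comment here is the one that survives regeneration; something like `# Explicitly empty: works around <provider issue placeholder>. Ingress to this rule is restricted by source_ranges above.` would record both the reason and the fact that the rule's only ingress source remains `local.cluster_endpoint_for_nodes`.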
@@ -70,7 +70,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf
index cec61225ce..e6318ff45b 100644
--- a/modules/beta-private-cluster-update-variant/firewall.tf
+++ b/modules/beta-private-cluster-update-variant/firewall.tf
@@ -100,7 +100,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf
index cec61225ce..e6318ff45b 100644
--- a/modules/beta-private-cluster/firewall.tf
+++ b/modules/beta-private-cluster/firewall.tf
@@ -100,7 +100,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf
index eaeb530e0f..b808dba1f3 100644
--- a/modules/beta-public-cluster-update-variant/firewall.tf
+++ b/modules/beta-public-cluster-update-variant/firewall.tf
@@ -106,7 +106,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf
index eaeb530e0f..b808dba1f3 100644
--- a/modules/beta-public-cluster/firewall.tf
+++ b/modules/beta-public-cluster/firewall.tf
@@ -106,7 +106,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf
index 89249ca989..d913356276 100644
--- a/modules/private-cluster-update-variant/firewall.tf
+++ b/modules/private-cluster-update-variant/firewall.tf
@@ -67,7 +67,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index 89249ca989..d913356276 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -67,7 +67,7 @@ resource "google_compute_firewall" "master_webhooks" {
 direction = "INGRESS"
 source_ranges = [local.cluster_endpoint_for_nodes]
- source_tags = [""]
+ source_tags = []
 target_tags = [local.cluster_network_tag]
 allow {
From c01a336f414f4d46324a23e8a2fb7d539cd8b19d Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Wed, 19 Jan 2022 23:03:05 -0600
Subject: [PATCH 30/35] fix wi test
---
 test/integration/workload_identity/controls/gcloud.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/workload_identity/controls/gcloud.rb b/test/integration/workload_identity/controls/gcloud.rb
index e88b076fd6..1c956052eb 100644
--- a/test/integration/workload_identity/controls/gcloud.rb
+++ b/test/integration/workload_identity/controls/gcloud.rb
@@ -37,7 +37,7 @@
 describe "workload metada config" do
 it "is secure" do
- expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'GKE_METADATA'
+ expect(data['nodePools'][0]["config"]["workloadMetadataConfig"]["nodeMetadata"]).to eq 'GKE_METADATA_SERVER'
 end
 end
 end
From 2d8e5ebf2f53e7d40f7bd7bc77a02325ad81ebb7 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Thu, 20 Jan 2022 01:16:40 -0600
Subject: [PATCH 31/35] refactor IAM test for loose match
---
 .../workload_metadata_config/controls/gcloud.rb | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/test/integration/workload_metadata_config/controls/gcloud.rb b/test/integration/workload_metadata_config/controls/gcloud.rb
index 55cbdd5066..59250d4997 100644
--- a/test/integration/workload_metadata_config/controls/gcloud.rb
+++ b/test/integration/workload_metadata_config/controls/gcloud.rb
@@ -51,17 +51,21 @@
 its(:exit_status) { should eq 0 }
 its(:stderr) { should eq '' }
- let!(:iam) do
+ let(:bindings) do
 if subject.exit_status == 0
- JSON.parse(subject.stdout)
+ JSON.parse(subject.stdout, symbolize_names: true)[:bindings]
 else
- {}
+ []
 end
 end
 it "has expected registry roles" do
- expect(iam['bindings']).to include(
- {"members" => ["serviceAccount:#{service_account}"], "role" => "roles/storage.objectViewer"},
- {"members" => ["serviceAccount:#{service_account}"], "role" => "roles/artifactregistry.reader"}
+ expect(bindings).to include(
+ members: including("serviceAccount:#{service_account}"),
+ role: "roles/storage.objectViewer",
+ )
+ expect(bindings).to include(
+ members: including("serviceAccount:#{service_account}"),
+ role: "roles/artifactregistry.reader",
 )
 end
 end
From 280cb8fa3aa247237aa8d241b4d4a64ad69b1b2d Mon Sep 17 00:00:00 2001
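Review bot: In the "refactor IAM test for loose match" hunk, `members: including("serviceAccount:#{service_account}")` makes the registry-role check pass even when the binding carries members this example did not create, which the old exact-array comparison would have flagged; for an IAM assertion on a registry project that is a deliberate relaxation worth recording in the test itself. If the reason is that the registry projects are shared with other fixtures, a one-line comment above the `it` block, e.g. `# loose match: other fixtures may also hold these roles on the shared registry project`, keeps the next maintainer from either tightening it back or overlooking an unintended extra grant. The move from `let!` to `let` is fine here since `bindings` is only read inside the `it` block.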
From: bharathkkb
Date: Fri, 21 Jan 2022 14:11:58 -0600
Subject: [PATCH 32/35] map old node meta value, add validations
---
 autogen/main/main.tf.tmpl | 8 ++++++--
 autogen/main/variables.tf.tmpl | 5 +++++
 main.tf | 8 ++++++--
 modules/beta-private-cluster-update-variant/main.tf | 8 ++++++--
 modules/beta-private-cluster-update-variant/variables.tf | 5 +++++
 modules/beta-private-cluster/main.tf | 8 ++++++--
 modules/beta-private-cluster/variables.tf | 5 +++++
 modules/beta-public-cluster-update-variant/main.tf | 8 ++++++--
 modules/beta-public-cluster-update-variant/variables.tf | 5 +++++
 modules/beta-public-cluster/main.tf | 8 ++++++--
 modules/beta-public-cluster/variables.tf | 5 +++++
 modules/private-cluster-update-variant/main.tf | 8 ++++++--
 modules/private-cluster-update-variant/variables.tf | 5 +++++
 modules/private-cluster/main.tf | 8 ++++++--
 modules/private-cluster/variables.tf | 5 +++++
 variables.tf | 5 +++++
 16 files changed, 88 insertions(+), 16 deletions(-)
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 5a5c8d7d37..2ab904b5c9 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -111,8 +111,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 0a64109aea..521d844f5e 100644
--- a/autogen/main/variables.tf.tmpl
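Review bot: The two entries of `old_node_metadata_config_mapping` point in opposite directions: `GKE_METADATA_SERVER = "GKE_METADATA"` maps the legacy value to its replacement, whereas `GCE_METADATA = "EXPOSE"` maps the value the v18 upgrade guide later in this series calls the replacement back to the legacy one. If that is intentional because the provider's `workload_metadata_config.mode` at the pinned version still expects `EXPOSE`, the `// legacy mappings` comment should say so, e.g. `// normalize node_metadata to what the provider's mode argument accepts; GCE_METADATA is sent as EXPOSE because <reason>`; if it is not, the GCE_METADATA entry is inverted and the metadata-exposure setting the user asked for is not what gets applied. The identical hunk appears in main.tf and in the six module main.tf files, all generated from this template.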
+++ b/autogen/main/variables.tf.tmpl
@@ -539,6 +539,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/main.tf b/main.tf
index 7b75b1a64f..7c8512fcaa 100644
--- a/main.tf
+++ b/main.tf
@@ -86,8 +86,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index dde89bc126..fb36e1a093 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
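Review bot: The new `validation` block accepts five values but `error_message` names only three, and the variable's `description` still says nothing about which values are canonical or that `GKE_METADATA_SERVER` and `EXPOSE` are accepted only for backwards compatibility, so a user reading the generated README or a failed plan gets an incomplete contract. Since the error text is the one place the module can steer users to the non-legacy values, consider extending the description instead: `description = "Specifies how node metadata is exposed to the workload running on the node. One of GKE_METADATA, GCE_METADATA or UNSPECIFIED; the legacy values GKE_METADATA_SERVER and EXPOSE are still accepted."`. Rejecting unknown values at plan time is a good addition; the same hunk repeats in variables.tf and the six module variables.tf files generated from this template.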
@@ -101,8 +101,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 299c6eea5e..3c62620fd0 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -517,6 +517,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index dde89bc126..fb36e1a093 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -101,8 +101,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 299c6eea5e..3c62620fd0 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -517,6 +517,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index e8c80f5589..c3f01a5d33 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -101,8 +101,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 5673405ab4..95f274f897 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -486,6 +486,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index e8c80f5589..c3f01a5d33 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -101,8 +101,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 5673405ab4..95f274f897 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -486,6 +486,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index 04b8b02158..bd6bae6ebc 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -86,8 +86,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 3e49e34663..fee0033366 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -392,6 +392,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 04b8b02158..bd6bae6ebc 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -86,8 +86,12 @@ locals {
 security_group = var.authenticator_security_group
 }]
- cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
- mode = var.node_metadata
+ // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
+ old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
+ mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
+
+ cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
+ mode = local.mapped_node_metadata_config
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 3e49e34663..fee0033366 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -392,6 +392,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
diff --git a/variables.tf b/variables.tf
index 537716ea86..b703c09dd7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -368,6 +368,11 @@ variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "GKE_METADATA"
 type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ }
 }
 variable "database_encryption" {
From e83bfc3b44cb12f4c31c36e3184e2ccfe8d58d74 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Fri, 21 Jan 2022 14:12:09 -0600
Subject: [PATCH 33/35] update docs
---
 docs/upgrading_to_v18.0.md | 5 +++--
 docs/upgrading_to_v8.0.md | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/upgrading_to_v18.0.md b/docs/upgrading_to_v18.0.md
index 1a759e78f2..7f503017a4 100644
--- a/docs/upgrading_to_v18.0.md
+++ b/docs/upgrading_to_v18.0.md
@@ -41,10 +41,11 @@ have been eliminated.
 ```
 ### Acceptable values for node_metadata modified
-The `node_metadata` variable should now be set to one of `GKE_METADATA`,
+It is recommended to update `node_metadata` variable to one of `GKE_METADATA`, `GCE_METADATA` or `UNSPECIFIED`. `GKE_METADATA` replaces the previous `GKE_METADATA_SERVER` value, `GCE_METADATA` should be used in place of
-`EXPOSE`. The `SECURE` option, previously deprecated, has now been removed.
+`EXPOSE`, however old values continue to be supported for backwards compatibility.
+The `SECURE` option, previously deprecated, has now been removed.
 ```diff
 module "gke" {
diff --git a/docs/upgrading_to_v8.0.md b/docs/upgrading_to_v8.0.md
index 913a9b060e..5d0f0aea7b 100644
--- a/docs/upgrading_to_v8.0.md
+++ b/docs/upgrading_to_v8.0.md
@@ -4,7 +4,7 @@ The v8.0 release of *kubernetes-engine* is a backwards incompatible release.
 ## Workload Identity (beta)
-Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `workload_pool = null`
+Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `identity_namespace = null`
 ## Shielded Nodes (beta)
 Beta clusters now have shielded nodes enabled by default. To disable, set `enable_shielded_nodes = false`
From 616a0f7d59cf4bfb613c914d89134bffcb0d020e Mon Sep 17 00:00:00 2001
From: Bharath KKB
Date: Fri, 21 Jan 2022 15:00:02 -0600
Subject: [PATCH 34/35] Update autogen/main/variables.tf.tmpl
Co-authored-by: Morgante Pell
---
 autogen/main/variables.tf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 521d844f5e..d53d32cd9d 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -542,7 +542,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
From 3f9ebcece02d8e6329d9ca15abc2fccf46265466 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Fri, 21 Jan 2022 15:02:07 -0600
Subject: [PATCH 35/35] remove local
---
 autogen/main/main.tf.tmpl | 5 ++---
 main.tf | 5 ++---
 modules/beta-private-cluster-update-variant/main.tf | 5 ++---
 modules/beta-private-cluster-update-variant/variables.tf | 2 +-
 modules/beta-private-cluster/main.tf | 5 ++---
 modules/beta-private-cluster/variables.tf | 2 +-
 modules/beta-public-cluster-update-variant/main.tf | 5 ++---
 modules/beta-public-cluster-update-variant/variables.tf | 2 +-
 modules/beta-public-cluster/main.tf | 5 ++---
 modules/beta-public-cluster/variables.tf | 2 +-
 modules/private-cluster-update-variant/main.tf | 5 ++---
 modules/private-cluster-update-variant/variables.tf | 2 +-
 modules/private-cluster/main.tf | 5 ++---
 modules/private-cluster/variables.tf | 2 +-
 variables.tf | 2 +-
 15 files changed, 23 insertions(+), 31 deletions(-)
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 2ab904b5c9..4b3f741051 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -113,10 +113,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/main.tf b/main.tf
index 7c8512fcaa..34a0fc323d 100644
--- a/main.tf
+++ b/main.tf
@@ -88,10 +88,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index fb36e1a093..80449dd5bd 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -103,10 +103,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 3c62620fd0..0120274107 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -520,7 +520,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index fb36e1a093..80449dd5bd 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -103,10 +103,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 3c62620fd0..0120274107 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -520,7 +520,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index c3f01a5d33..cf2f7bc0e6 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -103,10 +103,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 95f274f897..18bc408e35 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -489,7 +489,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index c3f01a5d33..cf2f7bc0e6 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -103,10 +103,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 95f274f897..18bc408e35 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -489,7 +489,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index bd6bae6ebc..686bc61fa2 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -88,10 +88,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index fee0033366..eb1f464b67 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -395,7 +395,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index bd6bae6ebc..686bc61fa2 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -88,10 +88,9 @@ locals {
 // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238
 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" }
- mapped_node_metadata_config = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
- cluster_node_metadata_config = local.mapped_node_metadata_config == "UNSPECIFIED" ? [] : [{
- mode = local.mapped_node_metadata_config
+ cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{
+ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata)
 }]
 cluster_output_name = google_container_cluster.primary.name
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index fee0033366..eb1f464b67 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -395,7 +395,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }
diff --git a/variables.tf b/variables.tf
index b703c09dd7..e0bd7dcb18 100644
--- a/variables.tf
+++ b/variables.tf
@@ -371,7 +371,7 @@ variable "node_metadata" {
 validation {
 condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA,GCE_METADATA or UNSPECIFIED."
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
 }
 }