From 0fe3f4ca75c96717cec1be6adc8d1d744cea1fee Mon Sep 17 00:00:00 2001 
From: Jonathan Meyers Date: Wed, 14 Jun 2023 15:29:20 -0500 Subject: [PATCH 1/9] feat: dual stack (IPV4_IPV6) support --- .kitchen.yml | 7 + README.md | 1 + autogen/main/cluster.tf.tmpl | 1 + autogen/main/variables.tf.tmpl | 6 + cluster.tf | 1 + examples/deploy_service/README.md | 1 + examples/disable_client_cert/README.md | 1 + examples/node_pool/README.md | 1 + examples/shared_vpc/README.md | 1 + examples/simple_regional/README.md | 1 + examples/simple_regional_private/README.md | 1 + .../README.md | 1 + examples/simple_regional_with_ipv6/README.md | 46 +++++ examples/simple_regional_with_ipv6/main.tf | 44 ++++ examples/simple_regional_with_ipv6/outputs.tf | 35 ++++ .../simple_regional_with_ipv6/test_outputs.tf | 1 + .../simple_regional_with_ipv6/variables.tf | 52 +++++ .../simple_regional_with_ipv6/versions.tf | 28 +++ examples/simple_zonal_private/README.md | 1 + examples/stub_domains/README.md | 1 + .../beta-autopilot-private-cluster/README.md | 1 + .../beta-autopilot-private-cluster/cluster.tf | 1 + .../variables.tf | 6 + .../beta-autopilot-public-cluster/README.md | 1 + .../beta-autopilot-public-cluster/cluster.tf | 1 + .../variables.tf | 6 + .../README.md | 1 + .../cluster.tf | 1 + .../variables.tf | 6 + modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 1 + modules/beta-private-cluster/variables.tf | 6 + .../README.md | 1 + .../cluster.tf | 1 + .../variables.tf | 6 + modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 1 + modules/beta-public-cluster/variables.tf | 6 + .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 1 + .../variables.tf | 6 + modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 1 + modules/private-cluster/variables.tf | 6 + test/fixtures/all_examples/test_outputs.tf | 5 + .../simple_regional_with_ipv6/example.tf | 34 ++++ .../simple_regional_with_ipv6/network.tf | 50 +++++ 
.../simple_regional_with_ipv6/outputs.tf | 1 + .../simple_regional_with_ipv6/variables.tf | 1 + .../controls/gcloud.rb | 192 ++++++++++++++++++ .../simple_regional_with_ipv6/inspec.yml | 31 +++ variables.tf | 6 + 52 files changed, 615 insertions(+) create mode 100644 examples/simple_regional_with_ipv6/README.md create mode 100644 examples/simple_regional_with_ipv6/main.tf create mode 100644 examples/simple_regional_with_ipv6/outputs.tf create mode 120000 examples/simple_regional_with_ipv6/test_outputs.tf create mode 100644 examples/simple_regional_with_ipv6/variables.tf create mode 100644 examples/simple_regional_with_ipv6/versions.tf create mode 100644 test/fixtures/simple_regional_with_ipv6/example.tf create mode 100644 test/fixtures/simple_regional_with_ipv6/network.tf create mode 120000 test/fixtures/simple_regional_with_ipv6/outputs.tf create mode 120000 test/fixtures/simple_regional_with_ipv6/variables.tf create mode 100644 test/integration/simple_regional_with_ipv6/controls/gcloud.rb create mode 100644 test/integration/simple_regional_with_ipv6/inspec.yml diff --git a/.kitchen.yml b/.kitchen.yml index a48a53aca2..68fd13b68a 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -87,6 +87,13 @@ suites: systems: - name: simple_regional_with_gateway_api backend: local + - name: "simple_regional_with_ipv6" + driver: + root_module_directory: test/fixtures/simple_regional_with_ipv6 + verifier: + systems: + - name: simple_regional_with_ipv6 + backend: local - name: "simple_regional_with_kubeconfig" driver: root_module_directory: test/fixtures/simple_regional_with_kubeconfig diff --git a/README.md b/README.md index d7b5c25962..3e5aab1551 100644 --- a/README.md +++ b/README.md 
@@ -208,6 +208,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
+| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 58ab5a57cb..68f53302a3 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -326,6 +326,7 @@ resource "google_container_cluster" "primary" {
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
+ stack_type = var.stack_type
 }

 maintenance_policy {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d0d140b656..cc704ab8c9 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -144,6 +144,12 @@ variable "ip_range_services" {
 description = "The _name_ of the secondary subnet range to use for services"
 }

+variable "stack_type" {
+ type = string
+ description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`."
+ default = "IPV4"
+}
+
 {% if autopilot_cluster != true %}
 variable "node_pools" {
 type = list(map(any))
diff --git a/cluster.tf b/cluster.tf
index a6f45f0a3f..1d799cdaa5 100644
--- a/cluster.tf
+++ b/cluster.tf
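Review bot: `stack_type` under `ip_allocation_policy` is, as far as I recall, a ForceNew argument in the google provider, so changing `var.stack_type` on an existing cluster plans a destroy-and-recreate rather than an in-place update, and neither this line nor the variable description says so. Suggest a trailing comment on the new line, `stack_type = var.stack_type # ForceNew in the provider: changing this replaces the cluster`, and the same warning in the `stack_type` variable description. The identical line is added to cluster.tf and every modules/*/cluster.tf in this patch, so the fix belongs in this template. The `google_container_cluster` resource block starts and ends outside the hunk.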
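Review bot: the new `stack_type` variable is a bare `string`, so any value other than `IPV4` or `IPV4_IPV6` is only rejected once the provider or the GKE API sees it, with an error that points at the resource rather than at the module input. A `validation` block turns that into a plan-time message at the module boundary; the rewritten variable is below. The description could also name the prerequisites a caller needs for `IPV4_IPV6` — the example main.tf in this patch sets `datapath_provider = "ADVANCED_DATAPATH"`, which is, as far as I know, required for dual-stack, together with a subnet that carries an IPv6 range — since nothing here tells a caller what the non-default value requires. The same block is added verbatim to variables.tf and every modules/*/variables.tf, all generated from this template, so fix it here and regenerate.
```hcl
variable "stack_type" {
  type        = string
  description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`."
  default     = "IPV4"

  validation {
    condition     = contains(["IPV4", "IPV4_IPV6"], var.stack_type)
    error_message = "stack_type must be either IPV4 or IPV4_IPV6."
  }
}
```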
@@ -205,6 +205,7 @@ resource "google_container_cluster" "primary" {
 ip_allocation_policy {
 cluster_secondary_range_name = var.ip_range_pods
 services_secondary_range_name = var.ip_range_services
+ stack_type = var.stack_type
 }

 maintenance_policy {
diff --git a/examples/deploy_service/README.md b/examples/deploy_service/README.md
index 4e59320724..e3bc022dd3 100644
--- a/examples/deploy_service/README.md
+++ b/examples/deploy_service/README.md
@@ -38,6 +38,7 @@ It will:
 | project\_id | n/a |
 | region | n/a |
 | service\_account | The default service account used for running nodes. |
+| stack\_type | The stack type |
 | subnetwork | n/a |
 | zones | List of zones in which the cluster resides |

diff --git a/examples/disable_client_cert/README.md b/examples/disable_client_cert/README.md
index 78c0fa501b..80322053a1 100644
--- a/examples/disable_client_cert/README.md
+++ b/examples/disable_client_cert/README.md
@@ -36,6 +36,7 @@ This example illustrates how to create a simple cluster and disable deprecated s
 | project\_id | n/a |
 | region | n/a |
 | service\_account | The default service account used for running nodes. |
+| stack\_type | The stack type |
 | subnetwork | n/a |
 | zones | List of zones in which the cluster resides |

diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md
index b032cd2fa5..665c9fd648 100644
--- a/examples/node_pool/README.md
+++ b/examples/node_pool/README.md
@@ -34,6 +34,7 @@ This example illustrates how to create a cluster with multiple custom node-pool
 | project\_id | n/a |
 | region | n/a |
 | service\_account | The default service account used for running nodes. |
+| stack\_type | The stack type |
 | subnetwork | n/a |
 | zones | List of zones in which the cluster resides |

diff --git a/examples/shared_vpc/README.md b/examples/shared_vpc/README.md
index 774d0b065c..c68d16a11d 100644
--- a/examples/shared_vpc/README.md
+++ b/examples/shared_vpc/README.md
@@ -33,6 +33,7 @@ This example illustrates how to create a simple cluster where the host network i | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional/README.md b/examples/simple_regional/README.md index ff250928da..6e409082c3 100644 --- a/examples/simple_regional/README.md +++ b/examples/simple_regional/README.md @@ -33,6 +33,7 @@ This example illustrates how to create a simple cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional_private/README.md b/examples/simple_regional_private/README.md index d3336b512e..6b5e826ab8 100644 --- a/examples/simple_regional_private/README.md +++ b/examples/simple_regional_private/README.md @@ -32,6 +32,7 @@ This example illustrates how to create a simple private cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional_with_gateway_api/README.md b/examples/simple_regional_with_gateway_api/README.md index 1bd3c19302..3681f6ab14 100644 --- a/examples/simple_regional_with_gateway_api/README.md +++ b/examples/simple_regional_with_gateway_api/README.md @@ -34,6 +34,7 @@ This example illustrates how to create a simple cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | 
diff --git a/examples/simple_regional_with_ipv6/README.md b/examples/simple_regional_with_ipv6/README.md new file mode 100644 index 0000000000..16cee3dad2 --- /dev/null +++ b/examples/simple_regional_with_ipv6/README.md 
@@ -0,0 +1,46 @@ +# Simple Regional Cluster + +This example illustrates how to create a simple cluster. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no | +| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes | +| ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes | +| ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes | +| network | The VPC network to host the cluster in | `any` | n/a | yes | +| project\_id | The project ID to host the cluster in | `any` | n/a | yes | +| region | The region to host the cluster in | `any` | n/a | yes | +| stack\_type | The stack type | `any` | n/a | yes | +| subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | n/a | +| client\_token | n/a | +| cluster\_name | Cluster name | +| ip\_range\_pods | The secondary IP range used for pods | +| ip\_range\_services | The secondary IP range used for services | +| kubernetes\_endpoint | n/a | +| location | n/a | +| master\_kubernetes\_version | The master Kubernetes version | +| network | n/a | +| project\_id | n/a | +| region | n/a | +| service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | +| subnetwork | n/a | +| zones | List of zones in which the cluster resides | + + + +To provision this example, run the following from within this directory: +- `terraform init` to get the plugins +- `terraform plan` to see the infrastructure plan +- `terraform apply` to apply the infrastructure build +- `terraform destroy` to destroy the built infrastructure 
diff --git a/examples/simple_regional_with_ipv6/main.tf b/examples/simple_regional_with_ipv6/main.tf
new file mode 100644
index 0000000000..8bd767c1d0
--- /dev/null
+++ b/examples/simple_regional_with_ipv6/main.tf
@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cluster_type = "simple-regional-ipv6"
+}
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+ host = "https://${module.gke.endpoint}"
+ token = data.google_client_config.default.access_token
+ cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
+module "gke" {
+ source = "../../"
+ project_id = var.project_id
+ name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+ regional = true
+ region = var.region
+ network = var.network
+ subnetwork = var.subnetwork
+ ip_range_pods = var.ip_range_pods
+ ip_range_services = var.ip_range_services
+ stack_type = var.stack_type
+ create_service_account = false
+ service_account = var.compute_engine_service_account
+ enable_cost_allocation = true
+ datapath_provider = "ADVANCED_DATAPATH"
+}
diff --git a/examples/simple_regional_with_ipv6/outputs.tf b/examples/simple_regional_with_ipv6/outputs.tf
new file mode 100644
index 0000000000..01a13147c2
--- /dev/null
+++ b/examples/simple_regional_with_ipv6/outputs.tf
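Review bot: `datapath_provider = "ADVANCED_DATAPATH"`, the last argument of `module "gke"`, carries no explanation, yet it is, as far as the GKE documentation goes, a hard requirement for an `IPV4_IPV6` cluster; a reader who copies this example and drops the line gets an API error with no pointer back here. Suggest `datapath_provider = "ADVANCED_DATAPATH" # Dataplane V2 is required for dual-stack (IPV4_IPV6) clusters`. A similar one-line comment on `stack_type = var.stack_type`, saying the example is meant to be applied with `IPV4_IPV6`, would make the purpose of the example visible in the code rather than only in the directory name.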
@@ -0,0 +1,35 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "kubernetes_endpoint" { + sensitive = true + value = module.gke.endpoint +} + +output "client_token" { + sensitive = true + value = base64encode(data.google_client_config.default.access_token) +} + +output "ca_certificate" { + value = module.gke.ca_certificate +} + +output "service_account" { + description = "The default service account used for running nodes." + value = module.gke.service_account +} + diff --git a/examples/simple_regional_with_ipv6/test_outputs.tf b/examples/simple_regional_with_ipv6/test_outputs.tf new file mode 120000 index 0000000000..17b34213ba --- /dev/null +++ b/examples/simple_regional_with_ipv6/test_outputs.tf @@ -0,0 +1 @@ +../../test/fixtures/all_examples/test_outputs.tf \ No newline at end of file diff --git a/examples/simple_regional_with_ipv6/variables.tf b/examples/simple_regional_with_ipv6/variables.tf new file mode 100644 index 0000000000..d717933474 --- /dev/null +++ b/examples/simple_regional_with_ipv6/variables.tf 
@@ -0,0 +1,52 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID to host the cluster in"
+}
+
+variable "cluster_name_suffix" {
+ description = "A suffix to append to the default cluster name"
+ default = ""
+}
+
+variable "region" {
+ description = "The region to host the cluster in"
+}
+
+variable "network" {
+ description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+ description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+ description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+ description = "The secondary ip range to use for services"
+}
+
+variable "stack_type" {
+ description = "The stack type"
+}
+
+variable "compute_engine_service_account" {
+ description = "Service account to associate to the nodes in the cluster"
+}
diff --git a/examples/simple_regional_with_ipv6/versions.tf b/examples/simple_regional_with_ipv6/versions.tf
new file mode 100644
index 0000000000..e8fbb1aadd
--- /dev/null
+++ b/examples/simple_regional_with_ipv6/versions.tf
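Review bot: `variable "stack_type"` in this example has no `type` and no `default`, so the generated README lists it as `any` and required, and the description `The stack type` does not say which values are valid. Since the example exists to demonstrate dual stack, `default = "IPV4_IPV6"` plus a description naming the accepted values, e.g. `description = "The stack type to use for this cluster. Either IPV4 or IPV4_IPV6."`, would let the example apply without a tfvars entry while staying overridable. The sibling variables in this file are untyped as well, so adding `type = string` only here is a judgement call, but the description fix costs nothing.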
@@ -0,0 +1,28 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + version = "~> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_private/README.md b/examples/simple_zonal_private/README.md index 5758a62f28..3033c7c86b 100644 --- a/examples/simple_zonal_private/README.md +++ b/examples/simple_zonal_private/README.md @@ -33,6 +33,7 @@ This example illustrates how to create a simple private cluster in a single zone | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/stub_domains/README.md b/examples/stub_domains/README.md index 1f250f8f2b..76e78e7aab 100644 --- a/examples/stub_domains/README.md +++ b/examples/stub_domains/README.md @@ -37,6 +37,7 @@ It will: | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | +| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 9a3871bed3..9064606876 100644 
--- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -125,6 +125,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 5d836127bc..860aade3af 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -138,6 +138,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index a9bd584314..075d1e91d5 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -136,6 +136,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 00b9a25f39..bcc92e1a4a 100644 --- a/modules/beta-autopilot-public-cluster/README.md 
+++ b/modules/beta-autopilot-public-cluster/README.md @@ -114,6 +114,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 75e6e67f31..e0d877d1b7 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -138,6 +138,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e244b73728..8d443a72a6 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -136,6 +136,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index c782d85e1e..3615763683 100644 --- a/modules/beta-private-cluster-update-variant/README.md 
+++ b/modules/beta-private-cluster-update-variant/README.md @@ -259,6 +259,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 519c54d8f2..a5b0fc6800 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -266,6 +266,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 11bd398c68..91e1f0f167 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f707b3f289..c8b3fecf15 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -237,6 +237,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index b53205c4d8..7736ada800 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -266,6 +266,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 11bd398c68..91e1f0f167 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 233b62570d..ef8fd317fb 100644 --- a/modules/beta-public-cluster-update-variant/README.md 
+++ b/modules/beta-public-cluster-update-variant/README.md @@ -248,6 +248,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index c086223b59..1ca4210050 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -266,6 +266,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 5e033e3eb3..d89d94365c 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index be5efc9a01..f036c022c4 100644 
--- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -226,6 +226,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index ed021f26be..608f0ed0c3 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -266,6 +266,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 5e033e3eb3..d89d94365c 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 4e645df6bc..5b8aa9787a 100644 --- a/modules/private-cluster-update-variant/README.md 
+++ b/modules/private-cluster-update-variant/README.md @@ -241,6 +241,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index d54761c189..b8fc587f7d 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -205,6 +205,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c6f8db81e6..ee15a2cc87 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 23058af6eb..c11cf8b6d5 100644 --- a/modules/private-cluster/README.md 
+++ b/modules/private-cluster/README.md @@ -219,6 +219,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 22cceeb2f0..d62cd7115f 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -205,6 +205,7 @@ resource "google_container_cluster" "primary" { ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c6f8db81e6..ee15a2cc87 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/test/fixtures/all_examples/test_outputs.tf b/test/fixtures/all_examples/test_outputs.tf index e64c40e477..71224881cb 100755 --- a/test/fixtures/all_examples/test_outputs.tf +++ b/test/fixtures/all_examples/test_outputs.tf 
@@ -52,6 +52,11 @@ output "ip_range_services" { value = var.ip_range_services } +output "stack_type" { + description = "The stack type" + value = var.stack_type +} + output "zones" { description = "List of zones in which the cluster resides" value = module.gke.zones diff --git a/test/fixtures/simple_regional_with_ipv6/example.tf b/test/fixtures/simple_regional_with_ipv6/example.tf new file mode 100644 index 0000000000..f03848a8e3 --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/example.tf @@ -0,0 +1,34 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + cluster_index = 1 +} + +module "example" { + source = "../../../examples/simple_regional_with_ipv6" + + project_id = var.project_ids[local.cluster_index] + cluster_name_suffix = "-${random_string.suffix.result}" + region = var.region + network = google_compute_network.main.name + subnetwork = google_compute_subnetwork.main.name + ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name + ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name + stack_type = "IPV4_IPV6" + compute_engine_service_account = var.compute_engine_service_accounts[local.cluster_index] + +} diff --git a/test/fixtures/simple_regional_with_ipv6/network.tf b/test/fixtures/simple_regional_with_ipv6/network.tf new file mode 100644 index 0000000000..0a260d36fe --- /dev/null 
+++ b/test/fixtures/simple_regional_with_ipv6/network.tf @@ -0,0 +1,50 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_string" "suffix" { + length = 4 + special = false + upper = false +} + +provider "google" { + project = var.project_ids[local.cluster_index] +} + +resource "google_compute_network" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + ip_cidr_range = "10.0.0.0/17" + region = var.region + network = google_compute_network.main.self_link + stack_type = "IPV4_IPV6" + ipv6_access_type = "EXTERNAL" + + secondary_ip_range { + range_name = "cft-gke-test-pods-${random_string.suffix.result}" + ip_cidr_range = "192.168.0.0/18" + } + + secondary_ip_range { + range_name = "cft-gke-test-services-${random_string.suffix.result}" + ip_cidr_range = "192.168.64.0/18" + } +} + diff --git a/test/fixtures/simple_regional_with_ipv6/outputs.tf b/test/fixtures/simple_regional_with_ipv6/outputs.tf new file mode 120000 index 0000000000..726bdc722f --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/outputs.tf @@ -0,0 +1 @@ +../shared/outputs.tf \ No newline at end of file diff --git a/test/fixtures/simple_regional_with_ipv6/variables.tf b/test/fixtures/simple_regional_with_ipv6/variables.tf new file mode 120000 index 0000000000..c113c00a3d 
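Review bot: `ipv6_access_type = "EXTERNAL"` on the fixture subnet hands the test cluster a globally routable IPv6 range, so its nodes and pods become reachable from the internet over IPv6 subject only to the VPC firewall rules, and this fixture creates no firewall rules of its own. That is probably acceptable for a short-lived integration fixture, but readers tend to copy fixtures into their own examples, so the choice deserves a comment above that line, e.g. `# EXTERNAL assigns public IPv6 addresses to nodes/pods; use INTERNAL when the cluster should only be reachable over IPv6 inside the VPC`. The `ip_cidr_range` values for the subnet and both secondary ranges are hard-coded, which is fine here, but the copyright header says 2018 on a file created in this patch.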
--- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/variables.tf @@ -0,0 +1 @@ +../shared/variables.tf \ No newline at end of file diff --git a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb new file mode 100644 index 0000000000..6b3e65e3ce --- /dev/null +++ b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb 
@@ -0,0 +1,192 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +project_id = attribute('project_id') +location = attribute('location') +cluster_name = attribute('cluster_name') + +control "gcloud" do + title "Google Compute Engine GKE configuration" + describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let!(:data) do + if subject.exit_status == 0 + JSON.parse(subject.stdout) + else + {} + end + end + + describe "cluster" do + it "is running" do + expect(data['status']).to eq 'RUNNING' + end + + it "is regional" do + expect(data['location']).to match(/^.*[1-9]$/) + end + + it "uses public nodes and master endpoint" do + expect(data['privateClusterConfig']['enablePrivateEndpoint']).to eq nil + expect(data['privateClusterConfig']['enablePrivateNodes']).to eq nil + end + + it "has the expected addon settings" do + expect(data['addonsConfig']).to include( + "horizontalPodAutoscaling" => {}, + "httpLoadBalancing" => {}, + "kubernetesDashboard" => { + "disabled" => true, + }, + "networkPolicyConfig" => { + "disabled" => true, + }, + ) + end + + it "has dual stack enabled" do + expect(data['ipAllocationPolicy']).to include( + "stackType" => "IPV4_IPV6", + ) + end + + it "has the expected databaseEncryption config" do + expect(data['databaseEncryption']).to eq({ + "state" => 'DECRYPTED', + }) + 
end + + it "has the expected shieldedNodes config" do + expect(data['shieldedNodes']).to eq({ + "enabled" => true, + }) + end + + end + + describe "default node pool" do + let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } + + it "exists" do + expect(data['nodePools']).to include( + including( + "name" => "default-pool", + ) + ) + end + end + + describe "node pool" do + let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } + + it "has autoscaling enabled" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "enabled" => true, + ), + ) + ) + end + + it "has the expected minimum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "minNodeCount" => 1, + ), + ) + ) + end + + it "has the expected maximum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "maxNodeCount" => 100, + ), + ) + ) + end + + it "is the expected machine type" do + expect(node_pools).to include( + including( + "config" => including( + "machineType" => "e2-medium", + ), + ) + ) + end + + it "has the expected disk size" do + expect(node_pools).to include( + including( + "config" => including( + "diskSizeGb" => 100, + ), + ) + ) + end + + it "has the expected labels" do + expect(node_pools).to include( + including( + "config" => including( + "labels" => including( + "cluster_name" => cluster_name, + "node_pool" => "default-node-pool", + ), + ), + ) + ) + end + + it "has the expected network tags" do + expect(node_pools).to include( + including( + "config" => including( + "tags" => match_array([ + "gke-#{cluster_name}", + "gke-#{cluster_name}-default-node-pool", + ]), + ), + ) + ) + end + + it "has autorepair enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoRepair" => true, + ), + ) + ) + end + + it "has autoupgrade enabled" do + expect(node_pools).to include( + including( + 
"management" => including( + "autoUpgrade" => true, + ), + ) + ) + end + end + end +end diff --git a/test/integration/simple_regional_with_ipv6/inspec.yml b/test/integration/simple_regional_with_ipv6/inspec.yml new file mode 100644 index 0000000000..e91bbc6ca9 --- /dev/null +++ b/test/integration/simple_regional_with_ipv6/inspec.yml @@ -0,0 +1,31 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: simple_regional_with_gateway_api +attributes: + - name: project_id + required: true + type: string + - name: location + required: true + type: string + - name: cluster_name + required: true + type: string + - name: kubernetes_endpoint + required: true + type: string + - name: client_token + required: true + type: string diff --git a/variables.tf b/variables.tf index de94ee0c6d..eeaea6b363 100644 --- a/variables.tf +++ b/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" From 86de95237ecc209ae90d5db2f6c1b211d5557c61 Mon Sep 17 00:00:00 2001 
From: Jonathan Meyers Date: Wed, 14 Jun 2023 18:31:37 -0500 Subject: [PATCH 2/9] fix: remove output --- examples/deploy_service/README.md | 1 - examples/disable_client_cert/README.md | 1 - examples/node_pool/README.md | 1 - examples/shared_vpc/README.md | 1 - examples/simple_regional/README.md | 1 - examples/simple_regional_private/README.md | 1 - examples/simple_regional_with_gateway_api/README.md | 1 - examples/simple_regional_with_ipv6/README.md | 1 - examples/simple_zonal_private/README.md | 1 - examples/stub_domains/README.md | 1 - test/fixtures/all_examples/test_outputs.tf | 5 ----- 11 files changed, 15 deletions(-) diff --git a/examples/deploy_service/README.md b/examples/deploy_service/README.md index e3bc022dd3..4e59320724 100644 --- a/examples/deploy_service/README.md +++ b/examples/deploy_service/README.md @@ -38,7 +38,6 @@ It will: | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/disable_client_cert/README.md b/examples/disable_client_cert/README.md index 80322053a1..78c0fa501b 100644 --- a/examples/disable_client_cert/README.md +++ b/examples/disable_client_cert/README.md @@ -36,7 +36,6 @@ This example illustrates how to create a simple cluster and disable deprecated s | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md index 665c9fd648..b032cd2fa5 100644 --- a/examples/node_pool/README.md +++ b/examples/node_pool/README.md 
@@ -34,7 +34,6 @@ This example illustrates how to create a cluster with multiple custom node-pool | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/shared_vpc/README.md b/examples/shared_vpc/README.md index c68d16a11d..774d0b065c 100644 --- a/examples/shared_vpc/README.md +++ b/examples/shared_vpc/README.md @@ -33,7 +33,6 @@ This example illustrates how to create a simple cluster where the host network i | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional/README.md b/examples/simple_regional/README.md index 6e409082c3..ff250928da 100644 --- a/examples/simple_regional/README.md +++ b/examples/simple_regional/README.md @@ -33,7 +33,6 @@ This example illustrates how to create a simple cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional_private/README.md b/examples/simple_regional_private/README.md index 6b5e826ab8..d3336b512e 100644 --- a/examples/simple_regional_private/README.md +++ b/examples/simple_regional_private/README.md @@ -32,7 +32,6 @@ This example illustrates how to create a simple private cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | 
diff --git a/examples/simple_regional_with_gateway_api/README.md b/examples/simple_regional_with_gateway_api/README.md index 3681f6ab14..1bd3c19302 100644 --- a/examples/simple_regional_with_gateway_api/README.md +++ b/examples/simple_regional_with_gateway_api/README.md @@ -34,7 +34,6 @@ This example illustrates how to create a simple cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional_with_ipv6/README.md b/examples/simple_regional_with_ipv6/README.md index 16cee3dad2..e0442d4208 100644 --- a/examples/simple_regional_with_ipv6/README.md +++ b/examples/simple_regional_with_ipv6/README.md @@ -33,7 +33,6 @@ This example illustrates how to create a simple cluster. | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/simple_zonal_private/README.md b/examples/simple_zonal_private/README.md index 3033c7c86b..5758a62f28 100644 --- a/examples/simple_zonal_private/README.md +++ b/examples/simple_zonal_private/README.md @@ -33,7 +33,6 @@ This example illustrates how to create a simple private cluster in a single zone | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/examples/stub_domains/README.md b/examples/stub_domains/README.md index 76e78e7aab..1f250f8f2b 100644 --- a/examples/stub_domains/README.md +++ b/examples/stub_domains/README.md 
@@ -37,7 +37,6 @@ It will: | project\_id | n/a | | region | n/a | | service\_account | The default service account used for running nodes. | -| stack\_type | The stack type | | subnetwork | n/a | | zones | List of zones in which the cluster resides | diff --git a/test/fixtures/all_examples/test_outputs.tf b/test/fixtures/all_examples/test_outputs.tf index 71224881cb..e64c40e477 100755 --- a/test/fixtures/all_examples/test_outputs.tf +++ b/test/fixtures/all_examples/test_outputs.tf @@ -52,11 +52,6 @@ output "ip_range_services" { value = var.ip_range_services } -output "stack_type" { - description = "The stack type" - value = var.stack_type -} - output "zones" { description = "List of zones in which the cluster resides" value = module.gke.zones From a1896aea1faf3182346161fd4c65eafa2ccd57ca Mon Sep 17 00:00:00 2001 From: Ghaleb Al-Habian Date: Fri, 15 Dec 2023 00:13:44 +0000 Subject: [PATCH 3/9] Linter changes --- cluster.tf | 2 +- examples/simple_regional_with_ipv6/README.md | 10 --- .../simple_regional_with_ipv6/test_outputs.tf | 1 - .../beta-autopilot-private-cluster/cluster.tf | 2 +- .../beta-autopilot-public-cluster/cluster.tf | 2 +- .../cluster.tf | 2 +- modules/beta-private-cluster/cluster.tf | 2 +- .../cluster.tf | 2 +- modules/beta-public-cluster/cluster.tf | 2 +- .../private-cluster-update-variant/cluster.tf | 2 +- modules/private-cluster/cluster.tf | 2 +- .../simple_regional_with_ipv6/outputs.tf | 86 ++++++++++++++++++- .../simple_regional_with_ipv6/variables.tf | 48 ++++++++++- 13 files changed, 141 insertions(+), 22 deletions(-) delete mode 120000 examples/simple_regional_with_ipv6/test_outputs.tf mode change 120000 => 100644 test/fixtures/simple_regional_with_ipv6/outputs.tf mode change 120000 => 100644 test/fixtures/simple_regional_with_ipv6/variables.tf diff --git a/cluster.tf b/cluster.tf index 3a6c35fd53..3429442a9c 100644 --- a/cluster.tf +++ b/cluster.tf 
@@ -232,7 +232,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/examples/simple_regional_with_ipv6/README.md b/examples/simple_regional_with_ipv6/README.md index e0442d4208..792c70be32 100644 --- a/examples/simple_regional_with_ipv6/README.md +++ b/examples/simple_regional_with_ipv6/README.md @@ -23,18 +23,8 @@ This example illustrates how to create a simple cluster. |------|-------------| | ca\_certificate | n/a | | client\_token | n/a | -| cluster\_name | Cluster name | -| ip\_range\_pods | The secondary IP range used for pods | -| ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | -| location | n/a | -| master\_kubernetes\_version | The master Kubernetes version | -| network | n/a | -| project\_id | n/a | -| region | n/a | | service\_account | The default service account used for running nodes. | -| subnetwork | n/a | -| zones | List of zones in which the cluster resides | diff --git a/examples/simple_regional_with_ipv6/test_outputs.tf b/examples/simple_regional_with_ipv6/test_outputs.tf deleted file mode 120000 index 17b34213ba..0000000000 --- a/examples/simple_regional_with_ipv6/test_outputs.tf +++ /dev/null @@ -1 +0,0 @@ -../../test/fixtures/all_examples/test_outputs.tf \ No newline at end of file diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 9a22869984..539b173783 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -155,7 +155,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { 
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 0ed0c28980..2c9bf25fc0 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -155,7 +155,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 5146fd4016..e211c69bf6 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -290,7 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 83d78274c4..e8d40bb54a 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -290,7 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index ebd55e67d5..5752bbaee2 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -290,7 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index e3314258f1..f64bae3fdb 100644 
--- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -290,7 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index ef278b08af..210a883ad0 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -232,7 +232,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 84aaf99bfd..097fc722bd 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -232,7 +232,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } - stack_type = var.stack_type + stack_type = var.stack_type } maintenance_policy { diff --git a/test/fixtures/simple_regional_with_ipv6/outputs.tf b/test/fixtures/simple_regional_with_ipv6/outputs.tf deleted file mode 120000 index 726bdc722f..0000000000 --- a/test/fixtures/simple_regional_with_ipv6/outputs.tf +++ /dev/null @@ -1 +0,0 @@ -../shared/outputs.tf \ No newline at end of file diff --git a/test/fixtures/simple_regional_with_ipv6/outputs.tf b/test/fixtures/simple_regional_with_ipv6/outputs.tf new file mode 100644 index 0000000000..a62317bf64 --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/outputs.tf 
@@ -0,0 +1,85 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "project_id" { + value = module.example.project_id +} + +output "region" { + value = module.example.region +} + +output "cluster_name" { + description = "Cluster name" + value = module.example.cluster_name +} + +output "network" { + value = google_compute_network.main.name +} + +output "subnetwork" { + value = google_compute_subnetwork.main.name +} + +output "location" { + value = module.example.location +} + +output "ip_range_pods" { + description = "The secondary IP range used for pods" + value = google_compute_subnetwork.main.secondary_ip_range[0].range_name +} + +output "ip_range_services" { + description = "The secondary IP range used for services" + value = google_compute_subnetwork.main.secondary_ip_range[1].range_name +} + +output "zones" { + description = "List of zones in which the cluster resides" + value = module.example.zones +} + +output "master_kubernetes_version" { + description = "The master Kubernetes version" + value = module.example.master_kubernetes_version +} + +output "kubernetes_endpoint" { + sensitive = true + value = module.example.kubernetes_endpoint +} + +output "client_token" { + sensitive = true + value = module.example.client_token +} + +output "ca_certificate" { + description = "The cluster CA certificate" + value = module.example.ca_certificate + sensitive = true +} + +output "service_account" { + description = 
"The service account to default running nodes as if not overridden in `node_pools`." + value = module.example.service_account +} + +output "registry_project_ids" { + value = var.registry_project_ids +} diff --git a/test/fixtures/simple_regional_with_ipv6/variables.tf b/test/fixtures/simple_regional_with_ipv6/variables.tf deleted file mode 120000 index c113c00a3d..0000000000 --- a/test/fixtures/simple_regional_with_ipv6/variables.tf +++ /dev/null @@ -1 +0,0 @@ -../shared/variables.tf \ No newline at end of file diff --git a/test/fixtures/simple_regional_with_ipv6/variables.tf b/test/fixtures/simple_regional_with_ipv6/variables.tf new file mode 100644 index 0000000000..8cf5823b20 --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/variables.tf 
@@ -0,0 +1,47 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_ids" {
+ type = list(string)
+ description = "The GCP projects to use for integration tests"
+}
+
+variable "region" {
+ description = "The GCP region to create and test resources in"
+ default = "us-central1"
+}
+
+variable "zones" {
+ type = list(string)
+ description = "The GCP zones to create and test resources in, for applicable tests"
+ default = ["us-central1-a", "us-central1-b", "us-central1-c"]
+}
+
+variable "compute_engine_service_accounts" {
+ type = list(string)
+ description = "The email addresses of the service account to associate with the GKE cluster"
+}
+
+variable "registry_project_ids" {
+ description = "Projects to use for granting access to GCR registries, if requested"
+ type = list(string)
+}
+
+variable "kubernetes_version" {
+ type = string
+ description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region."
+ default = "latest"
+}
From 90cb9b907f4613b35eeda18b165f2a1c394ff6e0 Mon Sep 17 00:00:00 2001
From: Ghaleb
Date: Fri, 15 Dec 2023 16:50:59 +0000
Subject: [PATCH 4/9] remove extra version contraint
---
examples/simple_regional_with_ipv6/versions.tf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
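Review bot: `variable "region"` is the only declaration in this file without a `type`, so a non-string value is not rejected at plan time; `type = string` next to its `default` brings it in line with the other variables. This file replaces the `../shared/variables.tf` symlink deleted just before it in the same commit, so the copy can now drift from the shared definitions; a one-line header comment saying whether it must be kept in sync with `test/fixtures/shared/variables.tf` or intentionally diverges would prevent that.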
diff --git a/examples/simple_regional_with_ipv6/versions.tf b/examples/simple_regional_with_ipv6/versions.tf
index e8fbb1aadd..61934a306b 100644
--- a/examples/simple_regional_with_ipv6/versions.tf
+++ b/examples/simple_regional_with_ipv6/versions.tf
@@ -17,8 +17,7 @@ terraform {
 required_providers {
 google = {
- source = "hashicorp/google"
- version = "~> 4.0"
+ source = "hashicorp/google"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From b7dd7fde4295236714a28435d0a70352ff11b388 Mon Sep 17 00:00:00 2001
From: Ghaleb
Date: Fri, 15 Dec 2023 19:40:26 +0000
Subject: [PATCH 5/9] fix ipv6 example test_outputs
---
examples/simple_regional_with_ipv6/README.md | 10 +++
.../simple_regional_with_ipv6/test_outputs.tf | 63 +++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100755 examples/simple_regional_with_ipv6/test_outputs.tf
diff --git a/examples/simple_regional_with_ipv6/README.md b/examples/simple_regional_with_ipv6/README.md
index 792c70be32..e0442d4208 100644
--- a/examples/simple_regional_with_ipv6/README.md
+++ b/examples/simple_regional_with_ipv6/README.md
@@ -23,8 +23,18 @@ This example illustrates how to create a simple cluster.
 |------|-------------|
 | ca\_certificate | n/a |
 | client\_token | n/a |
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
 | kubernetes\_endpoint | n/a |
+| location | n/a |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network | n/a |
+| project\_id | n/a |
+| region | n/a |
 | service\_account | The default service account used for running nodes. |
+| subnetwork | n/a |
+| zones | List of zones in which the cluster resides |
diff --git a/examples/simple_regional_with_ipv6/test_outputs.tf b/examples/simple_regional_with_ipv6/test_outputs.tf
new file mode 100755
index 0000000000..a0bc9a28f0
--- /dev/null
+++ b/examples/simple_regional_with_ipv6/test_outputs.tf
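Review bot: Dropping `version = "~> 4.0"` leaves the `google` provider with only a `source` in this example, so the effective constraint now comes solely from the module it calls, and an `init` without a committed lock file resolves to whatever the newest release is at that moment. If deferring to the module's own constraint is the intent, `source = "hashicorp/google" # version constraint is inherited from the gke module` records that; otherwise a floor such as `version = ">= 4.0"` keeps the example reproducible without the upper bound being removed. The `terraform` block continues outside the hunk.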
@@ -0,0 +1,63 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These outputs are used to test the module with kitchen-terraform
+// They do not need to be included in real-world uses of this module
+
+output "project_id" {
+ value = var.project_id
+}
+
+output "region" {
+ value = module.gke.region
+}
+
+output "cluster_name" {
+ description = "Cluster name"
+ value = module.gke.name
+}
+
+output "network" {
+ value = var.network
+}
+
+output "subnetwork" {
+ value = var.subnetwork
+}
+
+output "location" {
+ value = module.gke.location
+}
+
+output "ip_range_pods" {
+ description = "The secondary IP range used for pods"
+ value = var.ip_range_pods
+}
+
+output "ip_range_services" {
+ description = "The secondary IP range used for services"
+ value = var.ip_range_services
+}
+
+output "zones" {
+ description = "List of zones in which the cluster resides"
+ value = module.gke.zones
+}
+
+output "master_kubernetes_version" {
+ description = "The master Kubernetes version"
+ value = module.gke.master_version
+}
From 64bfefdb089326338b8baba252b259d5512f1bc8 Mon Sep 17 00:00:00 2001
From: Ghaleb
Date: Fri, 15 Dec 2023 21:26:04 +0000
Subject: [PATCH 6/9] add deletion_protection
---
examples/simple_regional_with_ipv6/main.tf | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/simple_regional_with_ipv6/main.tf b/examples/simple_regional_with_ipv6/main.tf
index 8bd767c1d0..59831f93ce 100644
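Review bot: The file is added with mode 100755 (`create mode 100755` in the 5/9 diffstat), but a `.tf` file is never executed and every other `.tf` file in this series is 100644; a `chmod 644` before merging avoids an executable bit that linters will keep flagging. The two `//` header lines usefully state that these outputs exist only for kitchen-terraform, but `network`, `subnetwork`, `ip_range_pods` and `ip_range_services` echo `var.*` inputs rather than `module.gke` attributes, and one more sentence in that header saying why the inputs are re-exported (presumably so the harness can read them back) would save the next reader the question.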
--- a/examples/simple_regional_with_ipv6/main.tf
+++ b/examples/simple_regional_with_ipv6/main.tf
@@ -41,4 +41,5 @@ module "gke" {
 service_account = var.compute_engine_service_account
 enable_cost_allocation = true
 datapath_provider = "ADVANCED_DATAPATH"
+ deletion_protection = false
 }
From cafada527e7bd25a789311d70ac71c4160382ddd Mon Sep 17 00:00:00 2001
From: Ghaleb
Date: Sat, 16 Dec 2023 19:12:16 +0000
Subject: [PATCH 7/9] fix deprecated url in acm.tf
---
examples/simple_zonal_with_acm/acm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf
index 3c8d299633..5118ac5498 100644
--- a/examples/simple_zonal_with_acm/acm.tf
+++ b/examples/simple_zonal_with_acm/acm.tf
@@ -28,7 +28,7 @@ module "acm" {
 secret_type = "ssh"
- policy_bundles = ["https://github.com/GoogleCloudPlatform/acm-policy-controller-library/bundles/policy-essentials-v2022?ref=981cdf31878b886b53decdade23d8f76e80140fc"]
+ policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library/tree/main/bundles/policy-essentials-v2022"]
 create_metrics_gcp_sa = true
 }
From 8f48a9147fcf94070fc076cbdab77522704f936c Mon Sep 17 00:00:00 2001
From: Ghaleb Al-Habian
Date: Sun, 17 Dec 2023 01:16:18 +0000
Subject: [PATCH 8/9] ACM bundle url fix
---
examples/simple_zonal_with_acm/acm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf
index 5118ac5498..f9c870dabd 100644
--- a/examples/simple_zonal_with_acm/acm.tf
+++ b/examples/simple_zonal_with_acm/acm.tf
@@ -28,7 +28,7 @@ module "acm" {
 secret_type = "ssh"
- policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library/tree/main/bundles/policy-essentials-v2022"]
+ policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/policy-essentials-v2022"]
 create_metrics_gcp_sa = true
 }
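Review bot: `deletion_protection = false` is added with no explanation, and because this example is what users copy into their own configurations, the line should say the setting exists so the test harness can destroy the cluster: `deletion_protection = false # lets the integration test tear the cluster down; leave the default for long-lived clusters`. The `module "gke"` block starts outside the hunk.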
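Review bot: The replacement `policy_bundles` URL in the 7/9 hunk drops the `?ref=` commit pin that the removed line carried, so at apply time the cluster enforces whatever the bundle repository's `main` branch holds at that moment; 8/9 changes the path again and still has no pin, and only 9/9 restores one with a full commit SHA. Squashing 7/9 through 9/9 into a single commit would avoid leaving two intermediate revisions in history where the example applies an unpinned policy bundle. The `module "acm"` block starts outside the hunk.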
From 14b721f3f99b544312b5a9d6a1bacf47f1c91e4a Mon Sep 17 00:00:00 2001
From: Ghaleb Al-Habian
Date: Mon, 18 Dec 2023 22:07:26 +0000
Subject: [PATCH 9/9] adding ref to new policy_bundles URL
---
examples/simple_zonal_with_acm/acm.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf
index f9c870dabd..f88378a524 100644
--- a/examples/simple_zonal_with_acm/acm.tf
+++ b/examples/simple_zonal_with_acm/acm.tf
@@ -29,6 +29,6 @@ module "acm" {
 secret_type = "ssh"
- policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/policy-essentials-v2022"]
+ policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library/bundles/policy-essentials-v2022?ref=7a5f87d7e1a2f63582505d14c2c90f496bcf263d"]
 create_metrics_gcp_sa = true
 }
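Review bot: The restored `?ref=` pin is a full commit SHA, which is the right choice for a policy bundle the cluster enforces, but nothing records what that SHA corresponds to, so a future bump cannot be judged against it; a trailing comment such as `# gke-policy-library commit matching <upstream tag or date> — bump deliberately` makes updates reviewable rather than opaque. The `module "acm"` block starts outside the hunk.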