From b0bd1a84ae7bcf110c8a06dc2e91f5320f24dabe Mon Sep 17 00:00:00 2001
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Sat, 6 Feb 2021 19:50:21 +0000
Subject: [PATCH 1/8] Add support for multiple registry projects
---
 autogen/main/README.md | 2 +-
 autogen/main/sa.tf.tmpl | 18 ++++++++++--------
 autogen/main/variables.tf.tmpl | 8 ++++----
 autogen/safer-cluster/README.md | 4 ++--
 autogen/safer-cluster/main.tf.tmpl | 2 +-
 autogen/safer-cluster/variables.tf.tmpl | 8 ++++----
 6 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/autogen/main/README.md b/autogen/main/README.md
index a91f352e4d..c89e2e9ce7 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -241,7 +241,7 @@ following project roles:
 - roles/iam.serviceAccountUser
 - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`)
-Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project:
+Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects:
 - roles/resourcemanager.projectIamAdmin
 ### Enable APIs
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index 6eddbfea12..28074556ef 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -25,6 +25,8 @@ locals {
 )
 // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used
 service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account
+
+ registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids
 }
 resource "random_string" "cluster_service_account_suffix" {
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w
 }
 resource "google_project_iam_member" "cluster_service_account-gcr" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/storage.objectViewer"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/artifactregistry.reader"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 8b8d196501..90ba8aba59 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
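Review bot: Moving `cluster_service_account-gcr` and `cluster_service_account-artifact-registry` from `count` to `for_each` changes their state addresses from `[0]` to `["<project-id>"]`, so an existing deployment will plan a destroy of the old IAM member and a create of the new one, and nothing in the commit records that upgrade step. Since these two `google_project_iam_member` resources are what give the node service account its registry read access, the removal-and-recreate may interrupt image pulls until the new binding propagates; this should be flagged as a breaking change with a `terraform state mv` step for both resources in the upgrade notes. As a smaller point, the false branch of the `for_each` conditional is an empty tuple while the true branch is `set(string)`; `toset([])` on the false side keeps the two result types identical instead of relying on conversion. The same hunk is repeated in each generated sa.tf in PATCH 2/8 (beta-private-cluster-update-variant, beta-private-cluster, beta-public-cluster-update-variant, beta-public-cluster, private-cluster-update-variant) and carries the same concern.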
@@ -358,10 +358,10 @@ variable "grant_registry_access" {
 default = false
 }
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 variable "service_account" {
diff --git a/autogen/safer-cluster/README.md b/autogen/safer-cluster/README.md
index 74a86dc21c..a785fa557f 100644
--- a/autogen/safer-cluster/README.md
+++ b/autogen/safer-cluster/README.md
@@ -53,7 +53,7 @@ developers, which mostly just want to deploy and debug applications. own projects, so that they can be administered independently (e.g., dev cluster; production clusters; staging clusters should go in different projects.)
-- *A shared GCR project (`registry_project_id`):* all clusters can share the same GCR project.
+- *A shared GCR project (`registry_project_ids`):* all clusters can share the same GCR project.
 - Easier to share images between environments. The same image could be progressively rolled-out in dev, staging, and then production.
@@ -93,7 +93,7 @@ The Safer Cluster setup relies on several service accounts:
 ```
 create_service_account = true
-registry_project_id =
+registry_project_ids = []
 grant_registry_access = true
 ```
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index f4e4146b1d..8432943d9b 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
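Review bot: The new `registry_project_ids` description states that only the `storage.objectViewer` role is assigned on the listed projects, but sa.tf.tmpl in this same commit also grants `roles/artifactregistry.reader` on exactly the same project set in `cluster_service_account-artifact-registry`, so the variable under-documents the access it confers; the last sentence should read along the lines of `the storage.objectViewer and artifactregistry.reader roles are assigned on these projects`. It is also worth stating in the description that each entry is a project-level grant, so the node service account can read every GCS object in a listed project rather than only the registry bucket, which matters more now that several projects can be listed. Renaming `registry_project_id` to `registry_project_ids` and changing its type from `string` to `list(string)` is a breaking change for every caller of the module and is not flagged in the subject or a changelog entry. The same description appears in autogen/safer-cluster/variables.tf.tmpl in this commit and is propagated to every generated variables.tf and README input table in PATCH 2/8, so fixing the template fixes all of them.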
@@ -100,7 +100,7 @@ module "gke" {
 // wants to maintain control of their service accounts.
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
- registry_project_id = var.registry_project_id
+ registry_project_ids = var.registry_project_ids
 grant_registry_access = var.grant_registry_access
 // Basic Auth disabled
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index f085d91933..5d7eaea695 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -208,10 +208,10 @@ variable "grant_registry_access" {
 default = true
 }
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 variable "cluster_resource_labels" {
From 310c5349885e7eef95f59b8adfaa6e980a8ac56f Mon Sep 17 00:00:00 2001
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Sat, 6 Feb 2021 21:30:12 +0000
Subject: [PATCH 2/8] Add autogenerated files
---
 README.md | 4 ++--
 .../README.md | 4 ++--
 .../beta-private-cluster-update-variant/sa.tf | 18 ++++++++++--------
 .../variables.tf | 8 ++++----
 modules/beta-private-cluster/README.md | 4 ++--
 modules/beta-private-cluster/sa.tf | 18 ++++++++++--------
 modules/beta-private-cluster/variables.tf | 8 ++++----
 .../README.md | 4 ++--
 .../beta-public-cluster-update-variant/sa.tf | 18 ++++++++++--------
 .../variables.tf | 8 ++++----
 modules/beta-public-cluster/README.md | 4 ++--
 modules/beta-public-cluster/sa.tf | 18 ++++++++++--------
 modules/beta-public-cluster/variables.tf | 8 ++++----
 .../private-cluster-update-variant/README.md | 4 ++--
 modules/private-cluster-update-variant/sa.tf | 18 ++++++++++--------
 .../variables.tf | 8 ++++----
 modules/private-cluster/README.md | 4 ++--
 modules/private-cluster/sa.tf | 18 ++++++++++--------
 modules/private-cluster/variables.tf | 8 ++++----
 modules/safer-cluster-update-variant/README.md | 6 +++---
 modules/safer-cluster-update-variant/main.tf | 2 +-
 .../safer-cluster-update-variant/variables.tf | 8 ++++----
 modules/safer-cluster/README.md | 6 +++---
 modules/safer-cluster/main.tf | 2 +-
 modules/safer-cluster/variables.tf | 8 ++++----
 sa.tf | 18 ++++++++++--------
 variables.tf | 8 ++++----
 27 files changed, 128 insertions(+), 114 deletions(-)
diff --git a/README.md b/README.md
index 023a464a2f..47b14a806b 100644
--- a/README.md
+++ b/README.md
@@ -176,7 +176,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | 
@@ -280,7 +280,7 @@ following project roles: - roles/iam.serviceAccountUser - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`) -Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project: +Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects: - roles/resourcemanager.projectIamAdmin ### Enable APIs diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index d0ff8ff174..cc7d2e8911 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -231,7 +231,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | 
@@ -350,7 +350,7 @@ following project roles: - roles/iam.serviceAccountUser - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`) -Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project: +Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects: - roles/resourcemanager.projectIamAdmin ### Enable APIs diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index 8c1e578609..b12b3befdb 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf @@ -25,6 +25,8 @@ locals { ) // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account + + registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids } resource "random_string" "cluster_service_account_suffix" { 
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w } resource "google_project_iam_member" "cluster_service_account-gcr" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/storage.objectViewer" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } resource "google_project_iam_member" "cluster_service_account-artifact-registry" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/artifactregistry.reader" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/artifactregistry.reader" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 4436119aec..a5cad242ec 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -346,10 +346,10 @@ variable "grant_registry_access" { default = false } -variable "registry_project_id" { - type = string - description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project." - default = "" +variable "registry_project_ids" { + type = list(string) + description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." + default = [] } variable "service_account" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index af93e0cde3..7c8fe03907 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -209,7 +209,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | 
@@ -328,7 +328,7 @@ following project roles: - roles/iam.serviceAccountUser - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`) -Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project: +Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects: - roles/resourcemanager.projectIamAdmin ### Enable APIs diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 8c1e578609..b12b3befdb 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf @@ -25,6 +25,8 @@ locals { ) // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account + + registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids } resource "random_string" "cluster_service_account_suffix" { 
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w } resource "google_project_iam_member" "cluster_service_account-gcr" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/storage.objectViewer" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } resource "google_project_iam_member" "cluster_service_account-artifact-registry" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/artifactregistry.reader" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/artifactregistry.reader" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 4436119aec..a5cad242ec 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -346,10 +346,10 @@ variable "grant_registry_access" { default = false } -variable "registry_project_id" { - type = string - description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project." - default = "" +variable "registry_project_ids" { + type = list(string) + description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." + default = [] } variable "service_account" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 0411453cc9..d40da50e80 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -220,7 +220,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | 
@@ -337,7 +337,7 @@ following project roles: - roles/iam.serviceAccountUser - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`) -Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project: +Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects: - roles/resourcemanager.projectIamAdmin ### Enable APIs diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index 8c1e578609..b12b3befdb 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf @@ -25,6 +25,8 @@ locals { ) // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account + + registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids } resource "random_string" "cluster_service_account_suffix" { 
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w } resource "google_project_iam_member" "cluster_service_account-gcr" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/storage.objectViewer" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } resource "google_project_iam_member" "cluster_service_account-artifact-registry" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/artifactregistry.reader" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/artifactregistry.reader" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index ad3a9643ba..9df4f686f7 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -346,10 +346,10 @@ variable "grant_registry_access" { default = false } -variable "registry_project_id" { - type = string - description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project." - default = "" +variable "registry_project_ids" { + type = list(string) + description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." + default = [] } variable "service_account" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index ceb1ff74d9..88cd672879 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -198,7 +198,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | 
@@ -315,7 +315,7 @@ following project roles: - roles/iam.serviceAccountUser - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`) -Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project: +Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects: - roles/resourcemanager.projectIamAdmin ### Enable APIs diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 8c1e578609..b12b3befdb 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf @@ -25,6 +25,8 @@ locals { ) // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account + + registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids } resource "random_string" "cluster_service_account_suffix" { 
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w } resource "google_project_iam_member" "cluster_service_account-gcr" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/storage.objectViewer" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } resource "google_project_iam_member" "cluster_service_account-artifact-registry" { - count = var.create_service_account && var.grant_registry_access ? 1 : 0 - project = var.registry_project_id == "" ? var.project_id : var.registry_project_id - role = "roles/artifactregistry.reader" - member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" + for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] + project = each.key + role = "roles/artifactregistry.reader" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index ad3a9643ba..9df4f686f7 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -346,10 +346,10 @@ variable "grant_registry_access" { default = false } -variable "registry_project_id" { - type = string - description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project." - default = "" +variable "registry_project_ids" { + type = list(string) + description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." + default = [] } variable "service_account" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index f43ef038eb..ed99b76adc 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -208,7 +208,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | 
@@ -314,7 +314,7 @@ following project roles:
 - roles/iam.serviceAccountUser
 - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`)
 
-Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project:
+Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects:
 - roles/resourcemanager.projectIamAdmin
 
 ### Enable APIs
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index 8c1e578609..b12b3befdb 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -25,6 +25,8 @@ locals {
 )
 // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used
 service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account
+
+ registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids
 }
 
 resource "random_string" "cluster_service_account_suffix" {
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w
 }
 
 resource "google_project_iam_member" "cluster_service_account-gcr" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/storage.objectViewer"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/artifactregistry.reader"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 15e4d81d39..98b0a59746 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
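Review bot: Moving these two resources from `count` to `for_each` changes their state addresses from `[0]` to `["<project-id>"]`, so an existing deployment plans a destroy of the old binding and a create of the new one; because `google_project_iam_member` is non-authoritative that is a remove-then-re-add of the node service account's `storage.objectViewer` and `artifactregistry.reader` grants, with a window during apply in which image pulls from the registry project can be denied. The upgrade notes should carry a state move for both resources, e.g. `terraform state mv 'google_project_iam_member.cluster_service_account-gcr[0]' 'google_project_iam_member.cluster_service_account-gcr["<project-id>"]'` (`<project-id>` being the registry or cluster project the old binding targeted). Separately, the false branch `[]` is an empty tuple while the true branch is `set(string)`; Terraform releases that do not unify those two types reject the conditional, so `toset([])` is the safer spelling for the false branch. The identical hunks in modules/private-cluster/sa.tf and the root sa.tf later on this page have the same two points.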
@@ -310,10 +310,10 @@ variable "grant_registry_access" {
 default = false
 }
 
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 
 variable "service_account" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 0277fa9d73..42a391b614 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -186,7 +186,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no |
+| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
@@ -292,7 +292,7 @@ following project roles:
 - roles/iam.serviceAccountUser
 - roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`)
 
-Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_id` project:
+Additionally, if `service_account` is set to `create` and `grant_registry_access` is requested, the service account requires the following role on the `registry_project_ids` projects:
 - roles/resourcemanager.projectIamAdmin
 
 ### Enable APIs
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index 8c1e578609..b12b3befdb 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -25,6 +25,8 @@ locals {
 )
 // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used
 service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account
+
+ registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids
 }
 
 resource "random_string" "cluster_service_account_suffix" {
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w
 }
 
 resource "google_project_iam_member" "cluster_service_account-gcr" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/storage.objectViewer"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/artifactregistry.reader"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 15e4d81d39..98b0a59746 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -310,10 +310,10 @@ variable "grant_registry_access" {
 default = false
 }
 
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 
 variable "service_account" {
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index e9955a8dee..dc7c543e53 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -53,7 +53,7 @@ developers, which mostly just want to deploy and debug applications.
 own projects, so that they can be administered independently (e.g., dev cluster; production clusters; staging clusters should go in different projects.)
-- *A shared GCR project (`registry_project_id`):* all clusters can share the same GCR project.
+- *A shared GCR project (`registry_project_ids`):* all clusters can share the same GCR project.
 - Easier to share images between environments. The same image could be progressively rolled-out in dev, staging, and then production.
@@ -93,7 +93,7 @@ The Safer Cluster setup relies on several service accounts:
 ```
 create_service_account = true
-registry_project_id =
+registry_project_ids = []
 grant_registry_access = true
 ```
@@ -248,7 +248,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no |
+| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 55f5d024e0..36d63d05eb 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -96,7 +96,7 @@ module "gke" {
 // wants to maintain control of their service accounts.
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
- registry_project_id = var.registry_project_id
+ registry_project_ids = var.registry_project_ids
 grant_registry_access = var.grant_registry_access
 
 // Basic Auth disabled
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index e1c100b721..2bb14cbe76 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -208,10 +208,10 @@ variable "grant_registry_access" {
 default = true
 }
 
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 
 variable "cluster_resource_labels" {
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index e9955a8dee..dc7c543e53 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -53,7 +53,7 @@ developers, which mostly just want to deploy and debug applications.
 own projects, so that they can be administered independently (e.g., dev cluster; production clusters; staging clusters should go in different projects.)
-- *A shared GCR project (`registry_project_id`):* all clusters can share the same GCR project.
+- *A shared GCR project (`registry_project_ids`):* all clusters can share the same GCR project.
 - Easier to share images between environments. The same image could be progressively rolled-out in dev, staging, and then production.
@@ -93,7 +93,7 @@ The Safer Cluster setup relies on several service accounts:
 ```
 create_service_account = true
-registry_project_id =
+registry_project_ids = []
 grant_registry_access = true
 ```
@@ -248,7 +248,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant\_registry\_access is true, storage.objectViewer role is assigned on this project. | `string` | `""` | no |
+| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 6f96694fc3..3b09c1dcac 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -96,7 +96,7 @@ module "gke" {
 // wants to maintain control of their service accounts.
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
- registry_project_id = var.registry_project_id
+ registry_project_ids = var.registry_project_ids
 grant_registry_access = var.grant_registry_access
 
 // Basic Auth disabled
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index e1c100b721..2bb14cbe76 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -208,10 +208,10 @@ variable "grant_registry_access" {
 default = true
 }
 
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 
 variable "cluster_resource_labels" {
diff --git a/sa.tf b/sa.tf
index 8c1e578609..b12b3befdb 100644
--- a/sa.tf
+++ b/sa.tf
@@ -25,6 +25,8 @@ locals {
 )
 // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used
 service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account
+
+ registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids
 }
 
 resource "random_string" "cluster_service_account_suffix" {
@@ -70,15 +72,15 @@ resource "google_project_iam_member" "cluster_service_account-resourceMetadata-w
 }
 
 resource "google_project_iam_member" "cluster_service_account-gcr" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/storage.objectViewer"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
- count = var.create_service_account && var.grant_registry_access ? 1 : 0
- project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
- role = "roles/artifactregistry.reader"
- member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+ for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
+ project = each.key
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
diff --git a/variables.tf b/variables.tf
index 05b1549aba..b031accfd4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -310,10 +310,10 @@ variable "grant_registry_access" {
 default = false
 }
 
-variable "registry_project_id" {
- type = string
- description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project."
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
+ default = []
 }
 
 variable "service_account" {
From 7be4161f3a0f8cfbfa37fdb0ef046426974d06f5 Mon Sep 17 00:00:00 2001
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Sat, 6 Feb 2021 22:23:42 +0000
Subject: [PATCH 3/8] Update examples and test fixture tf files

---
 examples/workload_metadata_config/main.tf | 2 +-
 .../workload_metadata_config/variables.tf | 5 ++--
 test/fixtures/shared/outputs.tf | 4 +--
 test/fixtures/shared/variables.tf | 5 ++--
 test/fixtures/workload_identity/outputs.tf | 4 +--
 test/fixtures/workload_identity/variables.tf | 6 ++---
 .../workload_metadata_config/example.tf | 18 ++++++-------
 .../controls/gcloud.rb | 26 ++++++++++---------
 .../workload_metadata_config/inspec.yml | 4 +--
 test/setup/outputs.tf | 4 +--
 10 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index 40601eace2..27e05448c4 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -51,7 +51,7 @@ module "gke" {
 ip_range_services = var.ip_range_services
 create_service_account = true
 grant_registry_access = true
- registry_project_id = var.registry_project_id
+ registry_project_ids = var.registry_project_ids
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "172.16.0.0/28"
diff --git a/examples/workload_metadata_config/variables.tf b/examples/workload_metadata_config/variables.tf
index 7f07502786..603dc4c4fb 100644
--- a/examples/workload_metadata_config/variables.tf
+++ b/examples/workload_metadata_config/variables.tf
@@ -48,6 +48,7 @@ variable "ip_range_services" {
 description = "The secondary ip range to use for services"
 }
 
-variable "registry_project_id" {
- description = "Project name for the GCR registry"
+variable "registry_project_ids" {
+ description = "Project names for GCR registries"
+ type = list(string)
 }
diff --git a/test/fixtures/shared/outputs.tf b/test/fixtures/shared/outputs.tf
index dfc0d02396..0e3b323647 100644
--- a/test/fixtures/shared/outputs.tf
+++ b/test/fixtures/shared/outputs.tf
@@ -79,6 +79,6 @@ output "service_account" {
 value = module.example.service_account
 }
 
-output "registry_project_id" {
- value = var.registry_project_id
+output "registry_project_ids" {
+ value = var.registry_project_ids
 }
diff --git a/test/fixtures/shared/variables.tf b/test/fixtures/shared/variables.tf
index 56e5b63441..4465351548 100644
--- a/test/fixtures/shared/variables.tf
+++ b/test/fixtures/shared/variables.tf
@@ -35,6 +35,7 @@ variable "compute_engine_service_accounts" {
 description = "The email addresses of the service account to associate with the GKE cluster"
 }
 
-variable "registry_project_id" {
- description = "Project to use for granting access to the GCR registry, if requested"
+variable "registry_project_ids" {
+ description = "Projects to use for granting access to GCR registries, if requested"
+ type = list(string)
 }
diff --git a/test/fixtures/workload_identity/outputs.tf b/test/fixtures/workload_identity/outputs.tf
index c83711862c..7990ef1013 100644
--- a/test/fixtures/workload_identity/outputs.tf
+++ b/test/fixtures/workload_identity/outputs.tf
@@ -65,8 +65,8 @@ output "service_account" {
 value = module.example.service_account
 }
 
-output "registry_project_id" {
- value = var.registry_project_id
+output "registry_project_ids" {
+ value = var.registry_project_ids
 }
 
 output "cluster_name" {
diff --git a/test/fixtures/workload_identity/variables.tf b/test/fixtures/workload_identity/variables.tf
index 235e09644a..79f26c793d 100644
--- a/test/fixtures/workload_identity/variables.tf
+++ b/test/fixtures/workload_identity/variables.tf
@@ -35,7 +35,7 @@ variable "compute_engine_service_accounts" {
 description = "The email addresses of the service account to associate with the GKE cluster"
 }
 
-variable "registry_project_id" {
- description = "Project to use for granting access to the GCR registry, if requested"
- default = ""
+variable "registry_project_ids" {
+ type = list(string)
+ description = "Projects to use for granting access to GCR registries, if requested"
 }
diff --git a/test/fixtures/workload_metadata_config/example.tf b/test/fixtures/workload_metadata_config/example.tf
index ea9519579d..ef9895c666 100644
--- a/test/fixtures/workload_metadata_config/example.tf
+++ b/test/fixtures/workload_metadata_config/example.tf
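Review bot: In the test/fixtures/workload_identity/variables.tf hunk the removed `default = ""` is not replaced by a list default, so `registry_project_ids` turns from an optional into a required input of that fixture, even though the module it feeds defaults the list to `[]` and treats an empty list as "use the cluster project". Adding `default = []` under the new `type = list(string)` keeps the fixture's previous optional behaviour; the shared fixture hunk on the previous line is unaffected because its old variable never had a default either. The variable is referenced at least by the `registry_project_ids` output rebuilt in the outputs.tf hunk above it.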
@@ -17,13 +17,13 @@ module "example" {
 source = "../../../examples/workload_metadata_config"
 
- project_id = var.project_ids[1]
- cluster_name_suffix = "-${random_string.suffix.result}"
- region = var.region
- zones = slice(var.zones, 0, 1)
- network = google_compute_network.main.name
- subnetwork = google_compute_subnetwork.main.name
- ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
- ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
- registry_project_id = var.registry_project_id
+ project_id = var.project_ids[1]
+ cluster_name_suffix = "-${random_string.suffix.result}"
+ region = var.region
+ zones = slice(var.zones, 0, 1)
+ network = google_compute_network.main.name
+ subnetwork = google_compute_subnetwork.main.name
+ ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+ ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+ registry_project_ids = var.registry_project_ids
 }
diff --git a/test/integration/workload_metadata_config/controls/gcloud.rb b/test/integration/workload_metadata_config/controls/gcloud.rb
index ad642ff7c9..a46d7f08d2 100644
--- a/test/integration/workload_metadata_config/controls/gcloud.rb
+++ b/test/integration/workload_metadata_config/controls/gcloud.rb
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 project_id = attribute('project_id')
-registry_project_id = attribute('registry_project_id')
+registry_project_ids = attribute('registry_project_ids')
 location = attribute('location')
 cluster_name = attribute('cluster_name')
 service_account = attribute('service_account')
@@ -58,19 +58,21 @@
 end
 end
- describe command("gcloud projects get-iam-policy #{registry_project_id} --format=json") do
- its(:exit_status) { should eq 0 }
- its(:stderr) { should eq '' }
+ registry_project_ids.each do |registry_project_id|
+ describe command("gcloud projects get-iam-policy #{registry_project_id} --format=json") do
+ its(:exit_status) { should eq 0 }
+ its(:stderr) { should eq '' }
- let!(:iam) do
- if subject.exit_status == 0
- JSON.parse(subject.stdout)
- else
- {}
+ let!(:iam) do
+ if subject.exit_status == 0
+ JSON.parse(subject.stdout)
+ else
+ {}
+ end
+ end
+ it "has expected registry roles" do
+ expect(iam['bindings']).to include("members" => ["serviceAccount:#{service_account}"], "role" => "roles/storage.objectViewer")
 end
- end
- it "has expected registry roles" do
- expect(iam['bindings']).to include("members" => ["serviceAccount:#{service_account}"], "role" => "roles/storage.objectViewer")
 end
 end
 end
diff --git a/test/integration/workload_metadata_config/inspec.yml b/test/integration/workload_metadata_config/inspec.yml
index 4f2b7d40d6..30dbe71047 100644
--- a/test/integration/workload_metadata_config/inspec.yml
+++ b/test/integration/workload_metadata_config/inspec.yml
@@ -12,6 +12,6 @@ attributes:
 - name: service_account
 required: true
 type: string
- - name: registry_project_id
+ - name: registry_project_ids
 required: false
- type: string
+ type: array
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index 8b85098fc8..b14d5daac6 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
@@ -31,6 +31,6 @@ output "compute_engine_service_accounts" {
 value = [google_service_account.gke_sa_1.email, google_service_account.gke_sa_2.email, google_service_account.gke_sa_asm.email]
 }
 
-output "registry_project_id" {
- value = module.gke-project-1.project_id
+output "registry_project_ids" {
+ value = [module.gke-project-1.project_id]
 }
From fc82316f2e20fbc7d89c62ece90728511dcfa9f0 Mon Sep 17 00:00:00 2001
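Review bot: When `registry_project_ids` is empty — which the inspec.yml hunk in this same patch permits with `required: false`, and which the module treats as "grant on the cluster project" — the new `registry_project_ids.each` loop in the gcloud.rb hunk runs zero times and the control passes without inspecting a single IAM policy, so the fallback path that `local.registry_projects_list` implements is now untested rather than tested. Iterating over the effective list closes that gap, `(registry_project_ids.empty? ? [project_id] : registry_project_ids).each do |registry_project_id|`, assuming the attribute arrives as an Array and that `project_id` here is the cluster project as in the fixture. The moved `it` block still asserts only `roles/storage.objectViewer`; a second `include(... "role" => "roles/artifactregistry.reader")` expectation would cover the other binding the module now creates per project. The enclosing `control` block opens before this hunk.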
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Mon, 8 Feb 2021 21:04:56 +0000
Subject: [PATCH 4/8] Re-add old variable for backwards compatibility

---
 autogen/main/sa.tf.tmpl | 6 +++++-
 autogen/main/variables.tf.tmpl | 6 ++++++
 autogen/safer-cluster/README.md | 3 ++-
 autogen/safer-cluster/main.tf.tmpl | 1 +
 autogen/safer-cluster/variables.tf.tmpl | 6 ++++++
 5 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index 28074556ef..56d568cb70 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -26,7 +26,11 @@ locals {
 // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used
 service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account
 
- registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids
+ registry_projects_list = compact(
+ length(var.registry_project_ids) == 0 && var.registry_project_id == ""
+ ? [var.project_id]
+ : concat([var.registry_project_id], var.registry_project_ids)
+ )
 }
 
 resource "random_string" "cluster_service_account_suffix" {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 90ba8aba59..e865b065b3 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
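Review bot: In the sa.tf.tmpl hunk `compact()` runs after the fallback decision, so a caller who passes `registry_project_ids = [""]` (or a list holding only empty strings) ends up with an empty `registry_projects_list` and no registry grant at all, instead of the documented fallback to `var.project_id`; the singular `registry_project_id` already treats `""` as unset, so the list should too. Deciding on the compacted list avoids that: `registry_projects_list = length(compact(concat([var.registry_project_id], var.registry_project_ids))) == 0 ? [var.project_id] : compact(concat([var.registry_project_id], var.registry_project_ids))`. A one-line comment above the local would also help the next maintainer, e.g. `// registry_project_id is deprecated: merge it with registry_project_ids, drop blanks, and fall back to the cluster project when nothing is set (toset() in the consumers dedupes overlaps)`.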
@@ -358,6 +358,12 @@ variable "grant_registry_access" {
 default = false
 }
 
+variable "registry_project_id" {
+ type = string
+ description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
+ default = ""
+}
+
 variable "registry_project_ids" {
 type = list(string)
 description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
diff --git a/autogen/safer-cluster/README.md b/autogen/safer-cluster/README.md
index a785fa557f..772dff12d4 100644
--- a/autogen/safer-cluster/README.md
+++ b/autogen/safer-cluster/README.md
@@ -53,7 +53,8 @@ developers, which mostly just want to deploy and debug applications.
 own projects, so that they can be administered independently (e.g., dev cluster; production clusters; staging clusters should go in different projects.)
-- *A shared GCR project (`registry_project_ids`):* all clusters can share the same GCR project.
+- *Shared GCR projects (`registry_project_ids`):* all clusters can share the same
+ GCR projects.
 - Easier to share images between environments. The same image could be progressively rolled-out in dev, staging, and then production.
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 8432943d9b..7a871d3727 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -100,6 +100,7 @@ module "gke" {
 // wants to maintain control of their service accounts.
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
+ registry_project_id = var.registry_project_id
 registry_project_ids = var.registry_project_ids
 grant_registry_access = var.grant_registry_access
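Review bot: The deprecated `registry_project_id` description added in the variables.tf.tmpl hunk reads "for the purposes of backwards compatibility", while the README rows committed as generated output in patch 5/8 further down this page (root README.md and the modules/*/README.md files) read "for the purpose of"; if those READMEs are produced from the module variables.tf that this template generates, both wordings cannot be current, so one side was edited after generation and the next docs regeneration will churn. Pick one wording here and in the matching safer-cluster variables.tf.tmpl hunk in the next section, then regenerate. The description is also the only signal a caller gets that the variable is going away, so it is worth stating in it what happens when both variables are set — per the sa.tf.tmpl hunk the two are merged and deduplicated, not one overriding the other.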
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 5d7eaea695..b64d63c7a9 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -208,6 +208,12 @@ variable "grant_registry_access" {
 default = true
 }
 
+variable "registry_project_id" {
+ type = string
+ description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
+ default = ""
+}
+
 variable "registry_project_ids" {
 type = list(string)
 description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects."
From 1411e1f7230033dc6af3cf1bd105639513d90fd3 Mon Sep 17 00:00:00 2001
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Mon, 8 Feb 2021 21:09:34 +0000
Subject: [PATCH 5/8] Add autogenerated files

---
 README.md | 1 +
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/sa.tf | 6 +++++-
 modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/sa.tf | 6 +++++-
 modules/beta-private-cluster/variables.tf | 6 ++++++
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/sa.tf | 6 +++++-
 modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/sa.tf | 6 +++++-
 modules/beta-public-cluster/variables.tf | 6 ++++++
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/sa.tf | 6 +++++-
 modules/private-cluster-update-variant/variables.tf | 6 ++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/sa.tf | 6 +++++-
 modules/private-cluster/variables.tf | 6 ++++++
 modules/safer-cluster-update-variant/README.md | 4 +++-
 modules/safer-cluster-update-variant/main.tf | 1 +
 modules/safer-cluster-update-variant/variables.tf | 6 ++++++
 modules/safer-cluster/README.md | 4 +++-
 modules/safer-cluster/main.tf | 1 +
 modules/safer-cluster/variables.tf | 6 ++++++
 sa.tf | 6 +++++-
 variables.tf | 6 ++++++
 27 files changed, 104 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 47b14a806b..3f55230080 100644
--- a/README.md
+++ b/README.md
@@ -176,6 +176,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index cc7d2e8911..8fd288d537 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -231,6 +231,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index a5cad242ec..f1db4403f8 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -346,6 +346,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 7c8fe03907..dd6201a82c 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
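Review bot: `compact()` in the new `registry_projects_list` strips empty strings out of `var.registry_project_ids` as well as the deprecated scalar, so an input such as `[""]` takes the non-default branch (its length is 1) and then collapses to an empty list; if that list drives the registry IAM bindings as its name suggests, no access is granted and nothing reports it. If the module's minimum Terraform version permits it, a `validation` block on `registry_project_ids` rejecting empty elements would turn that silent no-grant into a plan error; otherwise the behaviour should at least be stated next to the local. The expression also needs a why-comment, e.g. `// Union of the deprecated registry_project_id and registry_project_ids; the cluster project is used only when neither is set.` The identical change is repeated in modules/beta-private-cluster/sa.tf, modules/beta-public-cluster-update-variant/sa.tf, modules/beta-public-cluster/sa.tf, modules/private-cluster-update-variant/sa.tf, modules/private-cluster/sa.tf and the root sa.tf, so the fix belongs in the autogen template.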
@@ -209,6 +209,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index a5cad242ec..f1db4403f8 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -346,6 +346,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index d40da50e80..ff6e741a19 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -220,6 +220,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 9df4f686f7..969c197793 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -346,6 +346,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 88cd672879..e6cbf5ac3d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -198,6 +198,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 9df4f686f7..969c197793 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -346,6 +346,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index ed99b76adc..86ab2504ef 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -208,6 +208,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/modules/private-cluster-update-variant/sa.tf +++ b/modules/private-cluster-update-variant/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 98b0a59746..b7bd162de1 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -310,6 +310,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 42a391b614..9089554948 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -186,6 +186,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 98b0a59746..b7bd162de1 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -310,6 +310,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index dc7c543e53..6127207634 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -53,7 +53,8 @@ developers, which mostly just want to deploy and debug applications. own projects, so that they can be administered independently (e.g., dev cluster; production clusters; staging clusters should go in different projects.) -- *A shared GCR project (`registry_project_ids`):* all clusters can share the same GCR project. +- *Shared GCR projects (`registry_project_ids`):* all clusters can share the same + GCR projects. - Easier to share images between environments. The same image could be progressively rolled-out in dev, staging, and then production. @@ -248,6 +249,7 @@ For simplicity, we suggest using `roles/container.admin` and | project\_id | The project ID to host the cluster in | `string` | n/a | yes | | region | The region to host the cluster in | `string` | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no | 
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 36d63d05eb..1a9be43bc1 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -96,6 +96,7 @@ module "gke" { // wants to maintain control of their service accounts. create_service_account = var.compute_engine_service_account == "" ? true : false service_account = var.compute_engine_service_account + registry_project_id = var.registry_project_id registry_project_ids = var.registry_project_ids grant_registry_access = var.grant_registry_access diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 2bb14cbe76..83c3a6048b 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -208,6 +208,12 @@ variable "grant_registry_access" { default = true } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index dc7c543e53..6127207634 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -53,7 +53,8 @@ developers, which mostly just want to deploy and debug applications. own projects, so that they can be administered independently (e.g., dev cluster; production clusters; staging clusters should go in different projects.) -- *A shared GCR project (`registry_project_ids`):* all clusters can share the same GCR project. +- *Shared GCR projects (`registry_project_ids`):* all clusters can share the same + GCR projects. - Easier to share images between environments. The same image could be progressively rolled-out in dev, staging, and then production. @@ -248,6 +249,7 @@ For simplicity, we suggest using `roles/container.admin` and | project\_id | The project ID to host the cluster in | `string` | n/a | yes | | region | The region to host the cluster in | `string` | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 3b09c1dcac..c61689b09b 100644 
--- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -96,6 +96,7 @@ module "gke" { // wants to maintain control of their service accounts. create_service_account = var.compute_engine_service_account == "" ? true : false service_account = var.compute_engine_service_account + registry_project_id = var.registry_project_id registry_project_ids = var.registry_project_ids grant_registry_access = var.grant_registry_access diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 2bb14cbe76..83c3a6048b 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -208,6 +208,12 @@ variable "grant_registry_access" { default = true } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." diff --git a/sa.tf b/sa.tf index b12b3befdb..b2f9e9f08b 100644 --- a/sa.tf +++ b/sa.tf 
@@ -26,7 +26,11 @@ locals { // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account - registry_projects_list = length(var.registry_project_ids) == 0 ? [var.project_id] : var.registry_project_ids + registry_projects_list = compact( + length(var.registry_project_ids) == 0 && var.registry_project_id == "" + ? [var.project_id] + : concat([var.registry_project_id], var.registry_project_ids) + ) } resource "random_string" "cluster_service_account_suffix" { diff --git a/variables.tf b/variables.tf index b031accfd4..485dd662c7 100644 --- a/variables.tf +++ b/variables.tf @@ -310,6 +310,12 @@ variable "grant_registry_access" { default = false } +variable "registry_project_id" { + type = string + description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version." + default = "" +} + variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects." From 48dd945ba9ec96ed79105f86a9710339061566cf Mon Sep 17 00:00:00 2001 
From: Dan Cassidy <5643061+rux616@users.noreply.github.com> Date: Mon, 8 Feb 2021 22:03:35 +0000 Subject: [PATCH 6/8] Changed a letter and forgot to run make --- README.md | 2 +- examples/workload_metadata_config/main.tf | 18 +++++++++--------- examples/workload_metadata_config/outputs.tf | 3 ++- .../README.md | 2 +- .../variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- .../README.md | 2 +- .../variables.tf | 2 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/variables.tf | 2 +- .../private-cluster-update-variant/README.md | 2 +- .../variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- modules/safer-cluster-update-variant/README.md | 2 +- .../safer-cluster-update-variant/variables.tf | 2 +- modules/safer-cluster/README.md | 2 +- modules/safer-cluster/variables.tf | 2 +- variables.tf | 2 +- 20 files changed, 29 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 3f55230080..73e1200817 100644 --- a/README.md +++ b/README.md 
@@ -176,7 +176,7 @@ Then perform the following commands on the root folder: | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | +| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index 27e05448c4..fcfd276e92 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -27,7 +27,7 @@ data "google_client_config" "default" {} provider "kubernetes" { load_config_file = false - host = "https://${module.gke.endpoint}" + host = module.gke.endpoint token = data.google_client_config.default.access_token cluster_ca_certificate = base64decode(module.gke.ca_certificate) } 
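Review bot: Dropping the `https://` prefix from the kubernetes provider `host` in examples/workload_metadata_config/main.tf turns it from a URL into a bare value; the removed line's interpolation suggests `module.gke.endpoint` is an address without a scheme, and the unchanged `cluster_ca_certificate` line shows the provider is expected to verify the API server over TLS. Unless the module's `endpoint` output now carries the scheme itself, keep `host = "https://${module.gke.endpoint}"`, since a scheme-less host either fails provider configuration or leaves the transport to the provider's defaults. This example change is also unrelated to the commit subject, which only mentions a one-letter fix and regenerated files.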
@@ -53,14 +53,14 @@ module "gke" {
   grant_registry_access = true
   registry_project_ids = var.registry_project_ids
   enable_private_endpoint = true
-  enable_private_nodes = true
-  master_ipv4_cidr_block = "172.16.0.0/28"
+  enable_private_nodes = false
+  master_ipv4_cidr_block = "172.19.0.0/28"
   node_metadata = "SECURE"
-  master_authorized_networks = [
-    {
-      cidr_block = data.google_compute_subnetwork.subnetwork.ip_cidr_range
-      display_name = "VPC"
-    },
-  ]
+  # master_authorized_networks = [
+  #   {
+  #     cidr_block = data.google_compute_subnetwork.subnetwork.ip_cidr_range
+  #     display_name = "VPC"
+  #   },
+  # ]
 }
diff --git a/examples/workload_metadata_config/outputs.tf b/examples/workload_metadata_config/outputs.tf
index 01a13147c2..520ce78362 100644
--- a/examples/workload_metadata_config/outputs.tf
+++ b/examples/workload_metadata_config/outputs.tf
@@ -25,7 +25,8 @@ output "client_token" {
 }
 
 output "ca_certificate" {
-  value = module.gke.ca_certificate
+  sensitive = true
+  value = module.gke.ca_certificate
 }
 
 output "service_account" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 8fd288d537..fcf4a7bcaf 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
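Review bot: The new side of this hunk turns `enable_private_nodes` off, moves `master_ipv4_cidr_block` to `172.19.0.0/28` and comments out the whole `master_authorized_networks` block, which leaves the example cluster's control plane with no authorized-network restriction and its nodes with public addresses; the preceding hunk in the same file also drops the `https://` prefix from the kubernetes provider `host`. None of this matches the subject "Changed a letter and forgot to run make", so these look like local test settings committed by accident. PATCH 8/8 reverts them, so squashing 6/8 and 8/8 before merge keeps the weakened example out of the history and keeps the one-commit-per-change story intact. The enclosing `module "gke"` block starts before this hunk.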
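Review bot: Marking `ca_certificate` with `sensitive = true` is fine, but the `client_token` output whose closing brace opens this hunk (its body lies outside the hunk) is presumably the `access_token` from `data.google_client_config.default` that main.tf feeds to the provider, and that is the value which most needs the flag. Confirm it already carries `sensitive = true`; if it does not, add it there too, since an unflagged output prints a live bearer credential in plan/apply output and `terraform output` (the value is still written to state either way). The alignment of the added `value` line with the spaces after `sensitive` suggests `terraform fmt` has been run, which is consistent with the subject.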
@@ -231,7 +231,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index f1db4403f8..0d3157ff6d 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -348,7 +348,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index dd6201a82c..414ee503e0 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -209,7 +209,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index f1db4403f8..0d3157ff6d 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -348,7 +348,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index ff6e741a19..0d823164c9 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -220,7 +220,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 969c197793..85049daaba 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -348,7 +348,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index e6cbf5ac3d..5bf6d9a9e1 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -198,7 +198,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 969c197793..85049daaba 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -348,7 +348,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 86ab2504ef..9840870f8d 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -208,7 +208,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index b7bd162de1..327ba22f71 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -312,7 +312,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 9089554948..c02fa0f999 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -186,7 +186,7 @@ Then perform the following commands on the root folder:
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index b7bd162de1..327ba22f71 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -312,7 +312,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 6127207634..f6b997ebac 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -249,7 +249,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 83c3a6048b..6ac893416b 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -210,7 +210,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 6127207634..f6b997ebac 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -249,7 +249,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
-| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
+| registry\_project\_id | Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version. | `string` | `""` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 83c3a6048b..6ac893416b 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -210,7 +210,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }
diff --git a/variables.tf b/variables.tf
index 485dd662c7..842b8032ae 100644
--- a/variables.tf
+++ b/variables.tf
@@ -312,7 +312,7 @@ variable "grant_registry_access" {
 variable "registry_project_id" {
   type = string
-  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purpose of backwards compatibility, but will be removed in a future version."
+  description = "Deprecated. Replaced by `registry_project_ids`. Still works for the purposes of backwards compatibility, but will be removed in a future version."
   default = ""
 }

From 6cde002038194289f9d4e3576a23c9eb8d3f440c Mon Sep 17 00:00:00 2001
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Mon, 8 Feb 2021 22:06:45 +0000
Subject: [PATCH 7/8] Fixing alignment to satisfy fmt reqs

---
 autogen/main/sa.tf.tmpl | 4 ++--
 modules/beta-private-cluster-update-variant/sa.tf | 4 ++--
 modules/beta-private-cluster/sa.tf | 4 ++--
 modules/beta-public-cluster-update-variant/sa.tf | 4 ++--
 modules/beta-public-cluster/sa.tf | 4 ++--
 modules/private-cluster-update-variant/sa.tf | 4 ++--
 modules/private-cluster/sa.tf | 4 ++--
 sa.tf | 4 ++--
 8 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index 56d568cb70..287072dea7 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
diff --git a/sa.tf b/sa.tf
index b2f9e9f08b..7ea31ba05d 100644
--- a/sa.tf
+++ b/sa.tf
@@ -28,8 +28,8 @@ locals {
   registry_projects_list = compact(
     length(var.registry_project_ids) == 0 && var.registry_project_id == ""
-    ? [var.project_id]
-    : concat([var.registry_project_id], var.registry_project_ids)
+    ? [var.project_id]
+    : concat([var.registry_project_id], var.registry_project_ids)
   )
 }
From 9074f8f17d2d5a0a2049a2403bb19d120c05823c Mon Sep 17 00:00:00 2001
From: Dan Cassidy <5643061+rux616@users.noreply.github.com>
Date: Mon, 8 Feb 2021 22:42:42 +0000
Subject: [PATCH 8/8] Reverting some testing values

---
 examples/workload_metadata_config/main.tf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index fcfd276e92..27e05448c4 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -27,7 +27,7 @@ data "google_client_config" "default" {}
 provider "kubernetes" {
   load_config_file = false
-  host = module.gke.endpoint
+  host = "https://${module.gke.endpoint}"
   token = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(module.gke.ca_certificate)
 }
@@ -53,14 +53,14 @@ module "gke" {
   grant_registry_access = true
   registry_project_ids = var.registry_project_ids
   enable_private_endpoint = true
-  enable_private_nodes = false
-  master_ipv4_cidr_block = "172.19.0.0/28"
+  enable_private_nodes = true
+  master_ipv4_cidr_block = "172.16.0.0/28"
   node_metadata = "SECURE"
-  # master_authorized_networks = [
-  #   {
-  #     cidr_block = data.google_compute_subnetwork.subnetwork.ip_cidr_range
-  #     display_name = "VPC"
-  #   },
-  # ]
+  master_authorized_networks = [
+    {
+      cidr_block = data.google_compute_subnetwork.subnetwork.ip_cidr_range
+      display_name = "VPC"
+    },
+  ]
 }