diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index ce486ec503..e6ffd9bc6a 100644 --- a/examples/simple_zonal_with_asm/README.md +++ b/examples/simple_zonal_with_asm/README.md @@ -13,6 +13,7 @@ This example illustrates how to create a simple zonal cluster with ASM. | network | The VPC network to host the cluster in | `any` | n/a | yes | | project\_id | The project ID to host the cluster in | `any` | n/a | yes | | region | The region to host the cluster in | `any` | n/a | yes | +| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no | | subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | | zones | The zone to host the cluster in (required if is a zonal cluster) | `list(string)` | n/a | yes | diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index ab83e92227..3b68190c75 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -67,9 +67,16 @@ module "gke" { } module "asm" { - source = "../../modules/asm" - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - project_id = var.project_id - location = module.gke.location + source = "../../modules/asm" + cluster_name = module.gke.name + cluster_endpoint = module.gke.endpoint + project_id = var.project_id + location = module.gke.location + enable_cluster_roles = true + enable_cluster_labels = true + enable_gcp_apis = true + enable_gcp_iam_roles = true + enable_gcp_components = true + options = ["envoy-access-log"] + outdir = "./${module.gke.name}-outdir" } diff --git a/examples/simple_zonal_with_asm/variables.tf b/examples/simple_zonal_with_asm/variables.tf index 6dd142621c..8e275434c5 100644 --- a/examples/simple_zonal_with_asm/variables.tf +++ b/examples/simple_zonal_with_asm/variables.tf 
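Review bot: The example's `variables.tf` hunk adds a `service_account` input, but the `module "asm"` block shown here in full never passes `service_account = var.service_account`, so the value is ignored unless some other part of `main.tf` consumes it; either wire it into the module call or drop the variable and its README row. The example also switches on `enable_gcp_apis`, `enable_gcp_iam_roles` and `enable_cluster_roles`, which, as far as the `install_asm` flag names indicate, lets the installer enable project APIs, bind IAM roles and create cluster RBAC on behalf of whoever runs `terraform apply`. A comment above those three lines would make that visible to people copying the example, e.g. `# These flags let install_asm change project APIs/IAM and cluster RBAC; apply with a principal that is allowed to do so.`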
@@ -47,3 +47,9 @@ variable "ip_range_pods" { variable "ip_range_services" { description = "The secondary ip range to use for services" } + +variable "service_account" { + description = "The GCP Service Account email address used to deploy ASM." + type = string + default = "" +} diff --git a/examples/simple_zonal_with_asm/versions.tf b/examples/simple_zonal_with_asm/versions.tf index 22884dadd4..1dcf340b5c 100644 --- a/examples/simple_zonal_with_asm/versions.tf +++ b/examples/simple_zonal_with_asm/versions.tf @@ -15,5 +15,5 @@ */ terraform { - required_version = ">=0.12" + required_version = ">=0.13" } diff --git a/modules/asm/README.md b/modules/asm/README.md index acc59489a6..c7282f6f07 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
@@ -1,51 +1,79 @@ # Terraform Kubernetes Engine ASM Submodule -This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes cluster. +This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes Engine (GKE) cluster. -Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install)) +Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install)). ## Usage -There is a [full example](../../examples/simple_zonal_with_asm) provided. Simple usage is as follows: +There is a [full example](../../examples/simple_zonal_with_asm) provided. Detailed usage example is as follows: ```tf module "asm" { - source = "terraform-google-modules/kubernetes-engine/google//modules/asm" + source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - project_id = "my-project-id" - cluster_name = "my-cluster-name" - location = module.gke.location - cluster_endpoint = module.gke.endpoint + project_id = "my-project-id" + cluster_name = "my-cluster-name" + location = module.gke.location + cluster_endpoint = module.gke.endpoint + enable_all = false + enable_cluster_roles = true + enable_cluster_labels = false + enable_gcp_apis = false + enable_gcp_iam_roles = true + enable_gcp_components = true + enable_registration = false + managed_control_plane = false + options = ["envoy-access-log,egressgateways"] + custom_overlays = ["./custom_ingress_gateway.yaml"] + skip_validation = true + outdir = "./${module.gke.name}-outdir-${var.asm_version}" } ``` To deploy this config: + 1. Run `terraform apply` ## Requirements -- Anthos Service Mesh [requires](https://cloud.google.com/service-mesh/docs/gke-install-existing-cluster#requirements) an active Anthos license. 
+- Anthos Service Mesh on GCP no longer requires an active Anthos license. You can use Anthos Service Mesh as a standalone product on GCP (on GKE) or as part of your Anthos subscription for hybrid and multi-cloud architectures. - GKE cluster must have minimum four nodes. - Minimum machine type is `e2-standard-4`. - GKE cluster must be enrolled in a release channel. ASM does not support static version. - ASM on a private GKE cluster requires adding a firewall rule to open port 15017 if you want to use [automatic sidecar injection](https://cloud.google.com/service-mesh/docs/proxy-injection). -- Only one ASM per Google Cloud project is supported. - +- One ASM mesh per Google Cloud project is supported. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| asm\_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no | -| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no | +| asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no | +| asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no | +| ca | Sets CA option. Possible values are `meshca` or `citadel`. 
Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no | +| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` | `{}` | no | | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | +| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` | `[]` | no | +| enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no | +| enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no | +| enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no | +| enable\_gcp\_apis | Sets `--enable_gcp_apis` option if true. | `bool` | `false` | no | +| enable\_gcp\_components | Sets --enable\_gcp\_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `bool` | `false` | no | +| enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no | +| enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no | | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | +| key\_file | The GCP Service Account credentials file path used to deploy ASM. 
| `string` | `""` | no | | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | -| managed | Whether the control plane should be managed. | `bool` | `false` | no | +| managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | +| mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no | +| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` | `[]` | no | +| outdir | Sets `--outdir` option. | `string` | `"none"` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | +| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no | | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | +| skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no | ## Outputs diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 1b0c9aaf82..b58837b1f6 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
@@ -19,7 +19,15 @@ data "google_project" "asm_project" { } locals { - kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}" + options_string = length(var.options) > 0 ? join(",", var.options) : "none" + custom_overlays_string = length(var.custom_overlays) > 0 ? join(",", var.custom_overlays) : "none" + asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) + service_account_string = (var.service_account == "" ? "none" : var.service_account) + key_file_string = (var.key_file == "" ? "none" : var.key_file) + ca_cert = lookup(var.ca_certs, "ca_cert", "none") + ca_key = lookup(var.ca_certs, "ca_key", "none") + root_cert = lookup(var.ca_certs, "root_cert", "none") + cert_chain = lookup(var.ca_certs, "cert_chain", "none") } module "asm_install" { @@ -35,6 +43,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - kubectl_create_command = var.managed ? "${local.kubectl_create_command_base} ${var.managed}" : local.kubectl_create_command_base + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}" kubectl_destroy_command = "kubectl delete ns istio-system" } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index c63b8d2a44..b6a461a3d3 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh 
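Review bot: `kubectl_create_command` now assembles a 25-argument positional shell command in which every value is interpolated unquoted, and correctness depends on the `"none"` sentinels computed in `locals` above; any `outdir`, `custom_overlays` entry, `key_file` or `ca_certs` path containing whitespace or a shell metacharacter shifts every later argument or is interpreted by the shell. Wrap each interpolation in escaped double quotes inside the command string (for example `\"${var.outdir}\"` and `\"${local.key_file_string}\"`) so each value stays a single argument. The `locals` hunk also does not check that `var.ca == "citadel"` is accompanied by all four `ca_certs` keys; with the current `lookup(..., "none")` defaults a missing key is passed to the script as the literal path `none`, which only fails inside `install_asm`. A `precondition`-style check or a `validation` block on the variables would surface that at plan time.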
@@ -16,7 +16,7 @@ set -e -if [ "$#" -lt 4 ]; then +if [ "$#" -lt 5 ]; then >&2 echo "Not all expected arguments set." exit 1 fi 
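Review bot: `if [ "$#" -lt 5 ]` no longer matches the script's argument protocol: the next hunk reads positional parameters up to `${25}`, so a caller passing only five arguments gets past this guard and every later variable silently expands to an empty string. Change it to `if [ "$#" -lt 25 ]; then`, or replace the positional list with named options since `modules/asm/main.tf` is the only caller.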
@@ -25,31 +25,179 @@ PROJECT_ID=$1 CLUSTER_NAME=$2 CLUSTER_LOCATION=$3 ASM_VERSION=$4 -MANAGED=$5 -MODE="install" - -# Download the correct version of the install_asm script -curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm -chmod u+x install_asm - -declare -a params=( - "--verbose" - "--project_id ${PROJECT_ID}" - "--cluster_name ${CLUSTER_NAME}" - "--cluster_location ${CLUSTER_LOCATION}" - "--mode ${MODE}" - "--enable_cluster_labels" - "--enable_cluster_roles" -) - -# Add the --managed param if MANAGED is set to true -if [[ "${MANAGED}" == true ]]; then - params+=("--managed") -fi - -# Run the script with appropriate flags -echo "Running ./install_asm" "${params[@]}" - -# Disable shell linting. Other forms will prevent the command to work -# shellcheck disable=SC2046,SC2116 -./install_asm $(echo "${params[@]}") +MODE=$5 +MCP=$6 +SKIP_VALIDATION=$7 +OPTIONS_LIST=$8 +CUSTOM_OVERLAYS_LIST=$9 +ENABLE_ALL=${10} +ENABLE_CLUSTER_ROLES=${11} +ENABLE_CLUSTER_LABELS=${12} +ENABLE_GCP_APIS=${13} +ENABLE_GCP_IAM_ROLES=${14} +ENABLE_GCP_COMPONENTS=${15} +ENABLE_REGISTRATION=${16} +OUTDIR=${17} +CA=${18} +CA_CERT=${19} +CA_KEY=${20} +ROOT_CERT=${21} +CERT_CHAIN=${22} +SERVICE_ACCOUNT=${23} +KEY_FILE=${24} +ASM_GIT_TAG=${25} + +# Set SKIP_VALIDATION variable +if [[ ${SKIP_VALIDATION} = "true" ]]; then + export _CI_NO_VALIDATE=1 +else + export _CI_NO_VALIDATE=0 +fi + +# Create bash arrays from options and custom_overlays lists +if [[ ${OPTIONS_LIST} ]]; then + IFS=',' read -r -a OPTIONS <<< "${OPTIONS_LIST}" +elif [[ ${OPTIONS_LIST} = "" ]]; then + read -r -a OPTIONS <<< "none" +fi + +if [[ ${CUSTOM_OVERLAYS_LIST} ]]; then + IFS=',' read -r -a CUSTOM_OVERLAYS <<< "${CUSTOM_OVERLAYS_LIST}" +else + read -r -a CUSTOM_OVERLAYS <<< "none" +fi + +# Echo all values +echo -e "MODE is $MODE" +echo -e "MCP is $MCP" +echo -e "ASM_VERSION is $ASM_VERSION" +echo -e "ASM_GIT_TAG is $ASM_GIT_TAG" +echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" 
+echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" +echo -e "OPTIONS_LIST is ${OPTIONS_LIST}" +echo -e "OPTIONS array length is ${#OPTIONS[@]}" +# Create options command snippet +item="${OPTIONS[*]}";OPTIONS_COMMAND=$(echo "--option" "${item// / --option }") +echo -e "OPTIONS_COMMAND is $OPTIONS_COMMAND" +echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}" +# Create custom_overlays command snippet +item="${CUSTOM_OVERLAYS[*]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" "${item// / --custom_overlay }") +echo -e "CUSTOM_OVERLAYS_COMMAND is $CUSTOM_OVERLAYS_COMMAND" +echo -e "ENABLE_ALL is $ENABLE_ALL" +echo -e "ENABLE_CLUSTER_ROLES is $ENABLE_CLUSTER_ROLES" +echo -e "ENABLE_CLUSTER_LABELS is $ENABLE_CLUSTER_LABELS" +echo -e "ENABLE_GCP_APIS is $ENABLE_GCP_APIS" +echo -e "ENABLE_GCP_IAM_ROLES is $ENABLE_GCP_IAM_ROLES" +echo -e "ENABLE_GCP_COMPONENTS is $ENABLE_GCP_COMPONENTS" +echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION" +echo -e "OUTDIR is $OUTDIR" +echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT" +echo -e "KEY_FILE is $KEY_FILE" + +#download the correct version of the install_asm script +if [[ "${ASM_GIT_TAG}" = "none" ]]; then + echo -e "Downloading install_asm with latest git tag..." + curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" + chmod u+x install_asm_"${ASM_VERSION}" +else + ASM_GIT_TAG_FIXED=$(sed 's/+/-/g' <<<"$ASM_GIT_TAG") + echo -e "Downloading install_asm with git tag $ASM_GIT_TAG..." 
+ curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_GIT_TAG_FIXED}" > install_asm_"${ASM_VERSION}" + chmod u+x install_asm_"${ASM_VERSION}" +fi + +# Craft MCP section for install_asm +if [[ "${MCP}" = true ]]; then + MCP_COMMAND_SNIPPET="--managed" +else + MCP_COMMAND_SNIPPET="" +fi + +# Craft service_account section for install_asm +if [[ "${SERVICE_ACCOUNT}" = "none" ]]; then + SERVICE_ACCOUNT_COMMAND_SNIPPET="" +else + SERVICE_ACCOUNT_COMMAND_SNIPPET="--service_account ${SERVICE_ACCOUNT}" +fi + +# Craft key_file section for install_asm +if [[ "${KEY_FILE}" = "none" ]]; then + KEY_FILE_COMMAND_SNIPPET="" +else + KEY_FILE_COMMAND_SNIPPET="--key_file $(pwd)/${KEY_FILE}" +fi + +# Craft options section for install_asm +if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then + OPTIONS_COMMAND_SNIPPET="" +else + OPTIONS_COMMAND_SNIPPET="${OPTIONS_COMMAND}" +fi + +if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]]; then + CUSTOM_OVERLAYS_COMMAND_SNIPPET="" +else + CUSTOM_OVERLAYS_COMMAND_SNIPPET="${CUSTOM_OVERLAYS_COMMAND}" +fi + +if [[ "${ENABLE_ALL}" = false ]]; then + ENABLE_ALL_COMMAND_SNIPPET="" +else + ENABLE_ALL_COMMAND_SNIPPET="--enable_all" +fi + +if [[ "${ENABLE_CLUSTER_ROLES}" = false ]]; then + ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="" +else + ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="--enable_cluster_roles" +fi + +if [[ "${ENABLE_CLUSTER_LABELS}" = false ]]; then + ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="" +else + ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="--enable_cluster_labels" +fi + +if [[ "${ENABLE_GCP_APIS}" = false ]]; then + ENABLE_GCP_APIS_COMMAND_SNIPPET="" +else + ENABLE_GCP_APIS_COMMAND_SNIPPET="--enable_gcp_apis" +fi + +if [[ "${ENABLE_GCP_IAM_ROLES}" = false ]]; then + ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET="" +else + ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET="--enable_gcp_iam_roles" +fi + +if [[ "${ENABLE_GCP_COMPONENTS}" = false ]]; then + ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="" +else + 
ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="--enable_gcp_components" +fi + +if [[ "${ENABLE_REGISTRATION}" = false ]]; then + ENABLE_REGISTRATION_COMMAND_SNIPPET="" +else + ENABLE_REGISTRATION_COMMAND_SNIPPET="--enable_registration" +fi + +if [[ "${OUTDIR}" = "none" ]]; then + OUTDIR_COMMAND_SNIPPET="" +else + OUTDIR_COMMAND_SNIPPET="--output_dir ${OUTDIR}" + mkdir -p "${OUTDIR}" +fi + +if [[ "${CA}" = "citadel" ]]; then + CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}" +else + CA_COMMAND_SNIPPET="" +fi + +# Echo the command before executing +echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}" + +# run the script with appropriate flags +# shellcheck disable=SC2086 +./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} 
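Review bot: The `#download the correct version` block fetches a script over the network and executes it with the caller's credentials without any integrity check, and `curl` is invoked without `-f`, so an HTTP error body would be written to `install_asm_${ASM_VERSION}`, made executable and run. The ASM release artifacts ship a companion `.sha256` file alongside each `install_asm_*` script; fetch it and verify before `chmod`, e.g. `curl -fsSL "https://storage.googleapis.com/csm-artifacts/asm/install_asm_${ASM_VERSION}" -o "install_asm_${ASM_VERSION}"`, `curl -fsSL "https://storage.googleapis.com/csm-artifacts/asm/install_asm_${ASM_VERSION}.sha256" -o "install_asm_${ASM_VERSION}.sha256"`, `sha256sum -c --ignore-missing "install_asm_${ASM_VERSION}.sha256"` (the git-tag branch renames the download, so the checksum line must be matched against the original artifact name). In the same hunk, `KEY_FILE_COMMAND_SNIPPET="--key_file $(pwd)/${KEY_FILE}"` unconditionally prefixes the working directory, so an absolute `key_file` path becomes `/cwd//abs/path`; prefix only when the path is relative. The final `./install_asm_${ASM_VERSION} ...` line expands every snippet unquoted (hence the `SC2086` suppression), so a path or option with whitespace splits into extra flags; building the argument list as a bash array and passing `"${args[@]}"` keeps each argument intact and removes the need for the shellcheck override.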
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index 43ddfa3ab8..151fc1d7bd 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -40,11 +40,11 @@ variable "gcloud_sdk_version" { default = "296.0.1" } -variable "asm_dir" { - description = "Name of directory to keep ASM resource config files." - type = string - default = "asm-dir" -} +# variable "asm_dir" { +# description = "Name of directory to keep ASM resource config files." +# type = string +# default = "asm-dir" +# } variable "service_account_key_file" { description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`." 
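Review bot: `asm_dir` is commented out rather than deleted; the five `# variable "asm_dir"` lines are dead text that will drift from the code, and a caller still setting `asm_dir` fails with an unsupported-argument error either way. Remove the commented block and record the removed input as a breaking change in the module's changelog or README.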
@@ -52,13 +52,121 @@ variable "service_account_key_file" { } variable "asm_version" { - description = "ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = string + default = "1.9" +} + +variable "asm_git_tag" { + description = "ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable." + type = string + default = "" +} + +variable "mode" { + description = "ASM mode for deployment. Supported mode is `install` only." + type = string + default = "install" +} + +variable "service_account" { + description = "The GCP Service Account email address used to deploy ASM." type = string - default = "1.8" + default = "" } -variable "managed" { - description = "Whether the control plane should be managed." +variable "key_file" { + description = "The GCP Service Account credentials file path used to deploy ASM." + type = string + default = "" +} + +variable "managed_control_plane" { + description = "ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional." 
type = bool default = false } + +variable "options" { + description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features." + type = list + default = [] +} + +variable "custom_overlays" { + description = "Comma separated list of custom_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file" + type = list + default = [] +} + +variable "skip_validation" { + description = "Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc." + type = bool + default = false +} + +variable "enable_all" { + description = "Sets `--enable_all` option if true." + type = bool + default = false +} + +variable "enable_cluster_roles" { + description = "Sets `--enable_cluster_roles` option if true." + type = bool + default = false +} + +variable "enable_cluster_labels" { + description = "Sets `--enable_cluster_labels` option if true." + type = bool + default = false +} + +variable "enable_gcp_apis" { + description = "Sets `--enable_gcp_apis` option if true." + type = bool + default = false +} + +variable "enable_gcp_iam_roles" { + description = "Sets `--enable_gcp_iam_roles` option if true." + type = bool + default = false +} + +variable "enable_gcp_components" { + description = "Sets --enable_gcp_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = bool + default = false +} + +variable "enable_registration" { + description = "Sets `--enable_registration` option if true." + type = bool + default = false +} + +variable "outdir" { + description = "Sets `--outdir` option." 
+ type = string + default = "none" +} + +variable "ca" { + description = "Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." + type = string + default = "meshca" +} + +variable "ca_certs" { + description = "Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." + type = map + default = {} + # default = { + # "ca_cert" = "none" + # "ca_key" = "none" + # "root_cert" = "none" + # "cert_chain" = "none" + # } +} diff --git a/test/fixtures/simple_zonal_with_asm/variables.tf b/test/fixtures/simple_zonal_with_asm/variables.tf index 16f1b9367c..5096c09ca6 100644 --- a/test/fixtures/simple_zonal_with_asm/variables.tf +++ b/test/fixtures/simple_zonal_with_asm/variables.tf @@ -29,3 +29,9 @@ variable "zones" { description = "The GCP zones to create and test resources in, for applicable tests" default = ["us-central1-a", "us-central1-b", "us-central1-c"] } + +variable "service_account" { + description = "The GCP Service Account email address used to deploy ASM." + type = string + default = "" +}
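Review bot: The `outdir` description says it sets `--outdir`, but `install_asm.sh` in this commit passes the value as `--output_dir`; change the description to `Sets \`--output_dir\` option of install_asm.`. The new `options`, `custom_overlays` and `ca_certs` inputs use unconstrained legacy types (`list`, `map`); with the example now requiring Terraform >= 0.13 they should be `type = list(string)` and `type = map(string)` so a non-string element is rejected at plan time rather than when it is interpolated into the shell command. `ca` and `mode` document a closed set of values (`meshca`/`citadel`, `install`) but carry no `validation` block, so a typo is only caught inside `install_asm`. The `key_file` description should also state that the path is resolved relative to the working directory the install script runs in, since the script prefixes it with `$(pwd)`.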