From 31cb015bbe05e81bd14d1a6a25e9b95ea760140c Mon Sep 17 00:00:00 2001 From: pp Date: Fri, 16 Aug 2019 11:25:14 +0300 Subject: [PATCH 01/13] Add storage.objectViewer role to SA * Added `grant_registry_access` variable to grant `roles/storage.objectViewer` to created SA (Fixes #229) --- CHANGELOG.md | 3 +++ README.md | 1 + autogen/sa.tf | 8 ++++++++ autogen/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/sa.tf | 8 ++++++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/sa.tf | 8 ++++++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/sa.tf | 8 ++++++++ modules/private-cluster/variables.tf | 6 ++++++ sa.tf | 8 ++++++++ variables.tf | 6 ++++++ 15 files changed, 77 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dcf45071b5..a926f5078f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,8 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] ### Added +* Added `grant_registry_access` variable to grant `roles/storage.objectViewer` to created SA [#236] + * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] 
@@ -168,6 +170,7 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214 [#210]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/210 diff --git a/README.md b/README.md index 8ea95f1635..f38023e600 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | diff --git a/autogen/sa.tf b/autogen/sa.tf index c5f7f132a1..62b31f457a 100644 --- a/autogen/sa.tf +++ b/autogen/sa.tf 
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 role = "roles/monitoring.viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_iam_member" "cluster_service_account-gcr" {
+ count = var.create_service_account && var.grant_registry_access ? 1 : 0
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 48b5c97855..581be9b31c 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -261,6 +261,12 @@ variable "create_service_account" {
 default = true
 }
+variable "grant_registry_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
 variable "service_account" {
 type = string
 description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index f2cd8c925a..6221322ced 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
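Review bot: The binding added as `cluster_service_account-gcr` is a project-level `roles/storage.objectViewer`, so the node service account can read every object in every bucket of `var.project_id`, not only the registry storage that the name `grant_registry_access` and its description imply. If registry pulls are the only goal, a bucket-scoped binding (`google_storage_bucket_iam_member` on the registry bucket) would keep the grant at least privilege; at minimum the variable description in the `autogen/variables.tf` hunk on this line should spell out the real scope, e.g. `description = "Grants the created cluster-specific service account roles/storage.objectViewer on the whole project (read access to all GCS buckets in the project, which includes the container registry bucket)."`. The same resource and description are repeated in the `modules/beta-private-cluster/sa.tf`, `modules/beta-public-cluster/sa.tf`, `modules/private-cluster/sa.tf` and root `sa.tf` hunks, so a change here has to be made in each copy.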
@@ -153,6 +153,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | | identity\_namespace | Workload Identity namespace | string | `""` | no | diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 3796c58e0f..54ac3edb25 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -261,6 +261,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7240337192..9738ebb6d6 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -145,6 +145,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | | identity\_namespace | Workload Identity namespace | string | `""` | no | diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf 
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 904d858b50..27682fa575 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -261,6 +261,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 035adc403e..d3044b770d 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -145,6 +145,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 1aba1057a2..407787f143 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -261,6 +261,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." diff --git a/sa.tf b/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/sa.tf +++ b/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/variables.tf b/variables.tf index 3c64fd5562..d8c339b50e 100644 --- a/variables.tf +++ b/variables.tf @@ -261,6 +261,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." From 5866e3a4f52cf4c50cf9c34c2e5f37f3f48e8ede Mon Sep 17 00:00:00 2001 
From: Devan Patel Date: Tue, 20 Aug 2019 17:19:37 +0100 Subject: [PATCH 02/13] Add authenticator_security_group --- autogen/cluster.tf | 7 +++++++ autogen/main.tf | 4 ++++ autogen/variables.tf | 5 +++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/main.tf | 4 ++++ modules/beta-private-cluster/variables.tf | 5 +++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 7 +++++++ modules/beta-public-cluster/main.tf | 4 ++++ modules/beta-public-cluster/variables.tf | 5 +++++ 11 files changed, 50 insertions(+) diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 21dfdeb93c..664de67855 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -189,6 +189,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } {% endif %} } diff --git a/autogen/main.tf b/autogen/main.tf index cf67bd9e08..bec1db35ca 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -71,6 +71,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + security_group = var.authenticator_security_group + }] + {% endif %} cluster_output_name = google_container_cluster.primary.name diff --git a/autogen/variables.tf b/autogen/variables.tf index 59f8408b2f..28a94d47c2 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -383,5 +383,10 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = "" +} {% endif %} 
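Review bot: The description of `authenticator_security_group` in the `autogen/variables.tf` hunk does not say what the default `""` means, although the `cluster_authenticator_security_group` local in the `autogen/main.tf` hunk on this line only emits `authenticator_groups_config` when the value is non-empty. The `basic_auth_username` row shown in the README hunks already uses the pattern "An empty value will disable …", so the same wording would fit here: `description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com. An empty value leaves Google Groups based RBAC disabled."`. The identical description appears in the `modules/beta-private-cluster/variables.tf` and `modules/beta-public-cluster/variables.tf` hunks and in both README rows, which are generated from it.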
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f2cd8c925a..20bc92e088 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4ccffeb4ec..d887d332ed 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -176,6 +176,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } } /****************************************** diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 16da0d4ee9..cd84411a75 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -66,6 +66,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index cd8b420c1a..1e2570df58 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -380,4 +380,9 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = "" +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7240337192..37e20da9f8 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 802bcd25e9..c26d85ff50 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } } /****************************************** diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index f99d4d9056..6f30b50bc4 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -66,6 +66,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 8699854665..48578c94cc 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -356,4 +356,9 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = "" +} From 7982705eff718419e074379a41467db1c2a812c2 Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Wed, 21 Aug 2019 12:27:48 +0100 Subject: [PATCH 03/13] Changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 61d6432d64..bc8100810d 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Extending the adopted spec, each change should have a link to its corresponding * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] +* Support for Google Groups based RBAC beta feature [#217] ## [v4.1.0] 2019-07-24 From 25aed4187743da7581342a89b8d8650b4861b6ba Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Wed, 21 Aug 2019 12:30:42 +0100 Subject: [PATCH 04/13] Change default value to null --- autogen/main.tf | 2 +- autogen/variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/main.tf | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/main.tf | 2 +- modules/beta-public-cluster/variables.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/autogen/main.tf b/autogen/main.tf index bec1db35ca..9d6476b916 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -71,7 +71,7 @@ locals { node_metadata = var.node_metadata }] - cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] diff --git a/autogen/variables.tf b/autogen/variables.tf index 28a94d47c2..3a9ab150e0 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -386,7 +386,7 @@ variable "identity_namespace" { variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = "" + default = null } {% endif %} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 20bc92e088..05953da8cd 100644 --- a/modules/beta-private-cluster/README.md 
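Review bot: With the comparison in `cluster_authenticator_security_group` changed to `== null`, a caller that explicitly passes `authenticator_security_group = ""` (the default that patch 02 shipped, and what any configuration written against it would carry) now takes the second branch and produces an `authenticator_groups_config` block with an empty `security_group` instead of leaving the feature off. Unless the provider is known to reject or ignore an empty group, the local should treat both values as unset: `cluster_authenticator_security_group = var.authenticator_security_group == null || var.authenticator_security_group == "" ? [] : [{`. The same one-line change is made in the `modules/beta-private-cluster/main.tf` and `modules/beta-public-cluster/main.tf` hunks. The `locals` block starts and ends outside the hunk.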
+++ b/modules/beta-private-cluster/README.md @@ -136,7 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index cd84411a75..43fea3b6dc 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -66,7 +66,7 @@ locals { node_metadata = var.node_metadata }] - cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 1e2570df58..b7bcdc6254 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -383,6 +383,6 @@ variable "identity_namespace" { variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = "" + default = null } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 37e20da9f8..f0c94af027 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -131,7 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 6f30b50bc4..db5138e99f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -66,7 +66,7 @@ locals { node_metadata = var.node_metadata }] - cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 48578c94cc..ec4e5fdb8d 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -359,6 +359,6 @@ variable "identity_namespace" { variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = "" + default = null } From ca1788cf52e370e2e4553766f302800703598eb6 Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Wed, 21 Aug 2019 20:44:34 -0400 Subject: [PATCH 05/13] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bc8100810d..c0a7a243d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -169,6 +169,7 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214 From a95ce1b7d4b017d24b4583d2a7dfa04fa85e0a6f Mon Sep 17 00:00:00 2001 
From: Richard Song Date: Mon, 12 Aug 2019 15:36:37 -0400 Subject: [PATCH 06/13] added check for optional fields added optional field lookup and resource usage export config changed to dataset_id revert examples fixed bug where resource_usage_export_dataset_id was being set even if empty string check for null --- autogen/cluster.tf | 10 +++++++++- autogen/main.tf | 6 +++--- autogen/variables.tf | 5 +++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 10 +++++++++- modules/beta-private-cluster/main.tf | 6 +++--- modules/beta-private-cluster/variables.tf | 5 +++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 10 +++++++++- modules/beta-public-cluster/main.tf | 6 +++--- modules/beta-public-cluster/variables.tf | 5 +++++ 11 files changed, 53 insertions(+), 12 deletions(-) diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 664de67855..8f169c1f16 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -66,7 +66,15 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value.enabled } } - + dynamic "resource_usage_export_config" { + for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] + content { + enable_network_egress_metering = true + bigquery_destination { + dataset_id = resource_usage_export_dataset_id.value + } + } + } {% endif %} dynamic "master_authorized_networks_config" { for_each = var.master_authorized_networks_config diff --git a/autogen/main.tf b/autogen/main.tf index 9d6476b916..9988aa7b4b 100644 --- a/autogen/main.tf +++ b/autogen/main.tf 
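Review bot: In the new `resource_usage_export_config` dynamic block, `dataset_id = resource_usage_export_dataset_id.value` references an iterator that is never declared: without an explicit `iterator` argument, a `dynamic` block's iterator is named after the block label, which is how the neighbouring `pod_security_policy_config.value.enabled` (context at the top of this hunk) and the `authenticator_groups_config.value.security_group` block from patch 02 are written. It should read `dataset_id = resource_usage_export_config.value`, or the block needs `iterator = resource_usage_export_dataset_id` next to its `for_each`. The hunk also removes the blank line that separated `pod_security_policy_config` from the next block; keeping it would match the file's spacing. The same block is added in the `modules/beta-private-cluster/cluster.tf` hunk, and presumably in the beta-public-cluster copy that lies outside this chunk. The `google_container_cluster.primary` resource starts and ends outside the hunk.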
@@ -102,10 +102,10 @@ locals {
 {% if beta_cluster %}
 # BETA features
- cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config.0.disabled
- cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config.0.enabled
+ cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config != null ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : "true"
+ cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null ? google_container_cluster.primary.pod_security_policy_config.0.enabled : "false"
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
- cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling.0.enabled
+ cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : "false"
 # /BETA features
 {% endif %}
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 9a956194e0..04b55cb5b3 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -366,6 +366,11 @@ variable "pod_security_policy_config" {
 }]
 }
+variable "resource_usage_export_dataset_id" {
+ description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
+ default = ""
+}
+
 variable "node_metadata" {
 description = "Specifies how node metadata is exposed to the workload running on the node"
 default = "UNSPECIFIED"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index eba9f48d31..6b6096e389 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
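Review bot: The fallbacks added to `cluster_output_istio_enabled`, `cluster_output_pod_security_policy_enabled` and `cluster_output_vertical_pod_autoscaling_enabled` are the strings `"true"` and `"false"`, while the other branch of each conditional yields the provider attribute, so each local now changes type depending on whether the nested block exists; the bool literals keep the type stable, e.g. `... ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false`. Note also that `cluster_output_istio_enabled` carries `istio_config.0.disabled` (an inversion that predates this hunk but is now wrapped in the conditional), so its `"true"` fallback means "disabled"; a comment such as `# istio_config is absent when the addon is off; this local carries the provider's "disabled" flag` would stop the next reader from treating it as an enabled flag. The identical change is made in the `modules/beta-private-cluster/main.tf` hunk at the end of this chunk. The `locals` block starts and ends outside the hunk.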
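Review bot: `variable "resource_usage_export_dataset_id"` in the `autogen/variables.tf` hunk declares no `type`, unlike `grant_registry_access` and `authenticator_security_group` added earlier in this series, while the README row generated for it reports `string` and `cluster.tf` compares it with `!= ""`; add `type = string` between the `variable` line and `description` so the declared type matches both. The `modules/beta-private-cluster/variables.tf` copy is presumably the same, but its hunk is cut off at the end of this chunk.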
@@ -191,6 +191,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d887d332ed..00b751c440 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -61,7 +61,15 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value.enabled } } - + dynamic "resource_usage_export_config" { + for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] + content { + enable_network_egress_metering = true + bigquery_destination { + dataset_id = resource_usage_export_dataset_id.value + } + } + } dynamic "master_authorized_networks_config" { for_each = var.master_authorized_networks_config content { 
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 43fea3b6dc..4ed2381da2 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -91,10 +91,10 @@ locals { cluster_output_kubernetes_dashboard_enabled = google_container_cluster.primary.addons_config.0.kubernetes_dashboard.0.disabled # BETA features - cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config.0.disabled - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config.0.enabled + cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config != null ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : "true" + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null ? google_container_cluster.primary.pod_security_policy_config.0.enabled : "false" cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling.0.enabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : "false" # /BETA features diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6aa50eafff..f2ac656def 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -363,6 +363,11 @@ variable "pod_security_policy_config" { }] } +variable "resource_usage_export_dataset_id" { + description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." + default = "" +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "UNSPECIFIED" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 49ffddedc1..eaca891ea0 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -182,6 +182,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index c26d85ff50..228722017c 100644 
--- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -61,7 +61,15 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value.enabled } } - + dynamic "resource_usage_export_config" { + for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] + content { + enable_network_egress_metering = true + bigquery_destination { + dataset_id = resource_usage_export_dataset_id.value + } + } + } dynamic "master_authorized_networks_config" { for_each = var.master_authorized_networks_config content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index db5138e99f..ed7c1864b5 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -91,10 +91,10 @@ locals { cluster_output_kubernetes_dashboard_enabled = google_container_cluster.primary.addons_config.0.kubernetes_dashboard.0.disabled # BETA features - cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config.0.disabled - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config.0.enabled + cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config != null ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : "true" + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null ? google_container_cluster.primary.pod_security_policy_config.0.enabled : "false" cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling.0.enabled + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : "false" # /BETA features diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index d8b68de69b..e48b57b14c 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -339,6 +339,11 @@ variable "pod_security_policy_config" { }] } +variable "resource_usage_export_dataset_id" { + description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." + default = "" +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "UNSPECIFIED" From 99d8e374abb11a6681fe8a5f398ed8cdbd51d12c Mon Sep 17 00:00:00 2001 
From: pp Date: Mon, 19 Aug 2019 18:21:16 +0300 Subject: [PATCH 07/13] Added support for resource usage export config * Based on PR https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/230 * Add support for beta feature resource_usage_export_config (Fixes #232) --- CHANGELOG.md | 2 ++ autogen/cluster.tf | 3 ++- autogen/main.tf | 6 +++--- autogen/variables.tf | 1 + modules/beta-private-cluster/cluster.tf | 3 ++- modules/beta-private-cluster/main.tf | 6 +++--- modules/beta-private-cluster/variables.tf | 1 + modules/beta-public-cluster/cluster.tf | 3 ++- modules/beta-public-cluster/main.tf | 6 +++--- modules/beta-public-cluster/variables.tf | 1 + 10 files changed, 20 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 706682fbf1..55fe78f7c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] ### Added +* Added support for resource usage export config [#238] * Added `grant_registry_access` variable to grant Container Registry access to created SA [#236] * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] @@ -170,6 +171,7 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#238]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/238 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234 
diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 8f169c1f16..94621de2eb 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -66,12 +66,13 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value.enabled } } + dynamic "resource_usage_export_config" { for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] content { enable_network_egress_metering = true bigquery_destination { - dataset_id = resource_usage_export_dataset_id.value + dataset_id = resource_usage_export_config.value } } } diff --git a/autogen/main.tf b/autogen/main.tf index 9988aa7b4b..9d6476b916 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -102,10 +102,10 @@ locals { {% if beta_cluster %} # BETA features - cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config != null ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : "true" - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null ? google_container_cluster.primary.pod_security_policy_config.0.enabled : "false" + cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config.0.disabled + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config.0.enabled cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : "false" + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling.0.enabled # /BETA features {% endif %} diff --git a/autogen/variables.tf b/autogen/variables.tf index 04b55cb5b3..04712c35a9 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf 
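Review bot: The autogen/main.tf hunk removes the `!= null` guards on `istio_config`, `pod_security_policy_config` and `vertical_pod_autoscaling` that the previous patch in this series introduced (the blob index goes from 9988aa7b4b back to 9d6476b916), while the commit message only mentions resource usage export. If the revert is deliberate the description should say so; if it is a rebase artifact, the unguarded `.0.` indexing reintroduces the failure on clusters where those optional blocks are unset. The beta-private-cluster and beta-public-cluster main.tf hunks of this commit carry the same revert.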
@@ -367,6 +367,7 @@ variable "pod_security_policy_config" { } variable "resource_usage_export_dataset_id" { + type = string description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." default = "" } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 00b751c440..6af7a005d8 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -61,12 +61,13 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value.enabled } } + dynamic "resource_usage_export_config" { for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] content { enable_network_egress_metering = true bigquery_destination { - dataset_id = resource_usage_export_dataset_id.value + dataset_id = resource_usage_export_config.value } } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 4ed2381da2..43fea3b6dc 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -91,10 +91,10 @@ locals { cluster_output_kubernetes_dashboard_enabled = google_container_cluster.primary.addons_config.0.kubernetes_dashboard.0.disabled # BETA features - cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config != null ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : "true" - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null ? google_container_cluster.primary.pod_security_policy_config.0.enabled : "false" + cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config.0.disabled + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config.0.enabled cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : "false" + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling.0.enabled # /BETA features diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index f2ac656def..5d505f6d1f 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -364,6 +364,7 @@ variable "pod_security_policy_config" { } variable "resource_usage_export_dataset_id" { + type = string description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." default = "" } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 228722017c..6d2a7c975e 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -61,12 +61,13 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value.enabled } } + dynamic "resource_usage_export_config" { for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] content { enable_network_egress_metering = true bigquery_destination { - dataset_id = resource_usage_export_dataset_id.value + dataset_id = resource_usage_export_config.value } } } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index ed7c1864b5..db5138e99f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -91,10 +91,10 @@ locals { cluster_output_kubernetes_dashboard_enabled = google_container_cluster.primary.addons_config.0.kubernetes_dashboard.0.disabled # BETA features - cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config != null ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : "true" - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null ? google_container_cluster.primary.pod_security_policy_config.0.enabled : "false" + cluster_output_istio_enabled = google_container_cluster.primary.addons_config.0.istio_config.0.disabled + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config.0.enabled cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : "false" + cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling.0.enabled # /BETA features 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index e48b57b14c..040dab3b99 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -340,6 +340,7 @@ variable "pod_security_policy_config" { } variable "resource_usage_export_dataset_id" { + type = string description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." default = "" } From e17a76127afbfe2eedc874884692d245460e274b Mon Sep 17 00:00:00 2001 From: anantasty Date: Mon, 26 Aug 2019 00:20:10 -0600 Subject: [PATCH 08/13] Removes shell check issue in make.sh script. This was preventing the linter from moving forward --- test/make.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/make.sh b/test/make.sh index e3937328c0..ec1cd6b01d 100755 --- a/test/make.sh +++ b/test/make.sh @@ -25,7 +25,8 @@ finish() { trap finish EXIT # Create a temporary file in the auto-cleaned up directory while avoiding # overwriting TMPDIR for other processes. -# shellcheck disable=SC2120 # (Arguments may be passed, e.g. maketemp -d) +# shellcheck disable=SC2120 +# (Arguments may be passed, e.g. maketemp -d) maketemp() { TMPDIR="${DELETE_AT_EXIT}" mktemp "$@" } From 2ccc0f33381a114e82cf010103043cba0d229b0c Mon Sep 17 00:00:00 2001 
From: pp Date: Wed, 21 Aug 2019 18:36:48 +0300 Subject: [PATCH 09/13] Add flag to enable GKE Sandbox * Add `sandbox_enabled` variable to use GKE Sandbox (Fixes #240) --- CHANGELOG.md | 2 ++ autogen/cluster.tf | 8 ++++++++ autogen/main.tf | 2 ++ autogen/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/main.tf | 2 ++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 8 ++++++++ modules/beta-public-cluster/main.tf | 2 ++ modules/beta-public-cluster/variables.tf | 6 ++++++ 12 files changed, 52 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 706682fbf1..eef59ce695 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] ### Added +* Added `sandbox_enabled` variable to use GKE Sandbox [#241] * Added `grant_registry_access` variable to grant Container Registry access to created SA [#236] * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] @@ -170,6 +171,7 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#241]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/241 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234 
diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 664de67855..aa89d96076 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -158,6 +158,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } {% endif %} } } diff --git a/autogen/main.tf b/autogen/main.tf index 9d6476b916..2e60262e44 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -75,6 +75,8 @@ locals { security_group = var.authenticator_security_group }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + {% endif %} cluster_output_name = google_container_cluster.primary.name diff --git a/autogen/variables.tf b/autogen/variables.tf index 9a956194e0..e8e569cf1e 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -371,6 +371,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index eba9f48d31..dcb14943be 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
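Review bot: The new `sandbox_config` block appears to sit inside `node_config` of `google_container_cluster.primary` (it follows the `workload_metadata_config` dynamic block and is closed by the braces that end the resource), so `sandbox_enabled = true` sandboxes only the default node pool; the `google_container_node_pool.pools` resources in the same file receive no `sandbox_config`, and since the default pool is commonly dropped via `remove_default_node_pool`, workloads on the pools users actually run would stay unsandboxed despite the variable name. Either pass a per-pool `sandbox_config` into the node pool resource as well, or make the scope explicit in the variable description, e.g. `description = "(Beta) Enable GKE Sandbox (gVisor) on the default node pool only ..."`. Nothing in the module checks the `COS_CONTAINERD` image type the description requires, so a wrong `image_type` surfaces only as an API error at apply. The beta-private-cluster and beta-public-cluster cluster.tf hunks have the same placement; the node pool resource is outside the hunk.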
@@ -191,6 +191,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d887d332ed..49ef6364ae 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 43fea3b6dc..ad6116e7ef 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -70,6 +70,8 @@ locals { security_group = var.authenticator_security_group }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6aa50eafff..d1f4a91e72 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -368,6 +368,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 49ffddedc1..047a12eac1 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -182,6 +182,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index c26d85ff50..82c67f4f03 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index db5138e99f..c956463414 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -70,6 +70,8 @@ locals { security_group = var.authenticator_security_group }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index d8b68de69b..c52b0b7a83 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -344,6 +344,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" From b2a0f59ee8eadcfc4814818ab462d666b51f9e2c Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Wed, 28 Aug 2019 11:58:19 +0100 Subject: [PATCH 10/13] WIP autoscaling opt out --- autogen/cluster.tf | 8 +++++--- autogen/variables.tf | 2 +- cluster.tf | 8 +++++--- modules/beta-private-cluster/cluster.tf | 8 +++++--- modules/beta-public-cluster/cluster.tf | 8 +++++--- modules/private-cluster/cluster.tf | 8 +++++--- 6 files changed, 26 insertions(+), 16 deletions(-) diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 664de67855..7f4a600e4b 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf 
@@ -223,9 +223,11 @@ resource "google_container_node_pool" "pools" { max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null) {% endif %} - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + min_node_count = autoscaling.value.min_count + max_node_count = autoscaling.value.max_count } management { diff --git a/autogen/variables.tf b/autogen/variables.tf index 9a956194e0..4e7e04b491 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -377,7 +377,7 @@ variable "enable_intranode_visibility" { default = false } - variable "enable_vertical_pod_autoscaling" { +variable "enable_vertical_pod_autoscaling" { type = bool description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" default = false diff --git a/cluster.tf b/cluster.tf index 499e689a4b..2530b5e8fe 100644 --- a/cluster.tf +++ b/cluster.tf @@ -142,9 +142,11 @@ resource "google_container_node_pool" "pools" { lookup(var.node_pools[count.index], "min_count", 1), ) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + min_node_count = autoscaling.value.min_count + max_node_count = autoscaling.value.max_count } management { 
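Review bot: The new `dynamic "autoscaling"` block drops the defaults the removed lines had: `min_node_count = autoscaling.value.min_count` and `max_node_count = autoscaling.value.max_count` read the keys directly, so a node pool that omits `min_count` or `max_count` (previously defaulted to 1 and 100) now fails with an unsupported-attribute error instead of keeping the old behaviour. Restore them with `min_node_count = lookup(autoscaling.value, "min_count", 1)` and `max_node_count = lookup(autoscaling.value, "max_count", 100)`. The two assignments also sit directly under `dynamic` with no `content {}` block, which is a syntax error. The same hunk appears in cluster.tf, modules/beta-private-cluster, modules/beta-public-cluster and modules/private-cluster; the `google_container_node_pool.pools` resource continues outside the hunk.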
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d887d332ed..50d6552da1 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -207,9 +207,11 @@ resource "google_container_node_pool" "pools" { ) max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + min_node_count = autoscaling.value.min_count + max_node_count = autoscaling.value.max_count } management { diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index c26d85ff50..0862e84c07 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -202,9 +202,11 @@ resource "google_container_node_pool" "pools" { ) max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + min_node_count = autoscaling.value.min_count + max_node_count = autoscaling.value.max_count } management { diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 6ea5394b02..d950217728 100644 --- a/modules/private-cluster/cluster.tf 
+++ b/modules/private-cluster/cluster.tf @@ -147,9 +147,11 @@ resource "google_container_node_pool" "pools" { lookup(var.node_pools[count.index], "min_count", 1), ) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + min_node_count = autoscaling.value.min_count + max_node_count = autoscaling.value.max_count } management { From 39cf3a5a8c9f7848dadd47f62da4fdedf14519ea Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Wed, 28 Aug 2019 12:02:43 +0100 Subject: [PATCH 11/13] Fix syntax --- autogen/cluster.tf | 7 +++++-- cluster.tf | 9 ++++++--- modules/beta-private-cluster/cluster.tf | 9 ++++++--- modules/beta-public-cluster/cluster.tf | 9 ++++++--- modules/private-cluster/cluster.tf | 9 ++++++--- 5 files changed, 29 insertions(+), 14 deletions(-) diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 7f4a600e4b..95a34089bf 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -224,10 +224,13 @@ resource "google_container_node_pool" "pools" { {% endif %} node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + dynamic "autoscaling" { for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] - min_node_count = autoscaling.value.min_count - max_node_count = autoscaling.value.max_count + content { + min_node_count = autoscaling.value.min_count + max_node_count = autoscaling.value.max_count + } } management { diff --git a/cluster.tf b/cluster.tf index 2530b5e8fe..9b3f142fc1 100644 --- a/cluster.tf +++ b/cluster.tf 
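Review bot: The syntax fix adds the missing `content {}` but still reads `autoscaling.value.min_count` and `autoscaling.value.max_count` without the `lookup` defaults (1 and 100) the pre-series code had, so pools that omit either key now fail; `min_node_count = lookup(autoscaling.value, "min_count", 1)` and `max_node_count = lookup(autoscaling.value, "max_count", 100)` restore the old contract. The new `autoscaling` node-pool key, and the fact that `min_count` becomes a fixed `node_count` when it is false, are not documented anywhere in the series; the `node_pools` description in the README should gain an entry for it. The cluster.tf, beta-private-cluster, beta-public-cluster and private-cluster hunks of this commit share the point; the node pool resource continues outside the hunk.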
@@ -143,10 +143,13 @@ resource "google_container_node_pool" "pools" {
 )
 node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1)
+ dynamic "autoscaling" {
- for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
+ content {
+ min_node_count = autoscaling.value.min_count
+ max_node_count = autoscaling.value.max_count
+ }
 }
 management {
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 50d6552da1..836bc2397c 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -208,10 +208,13 @@ resource "google_container_node_pool" "pools" {
 max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null)
 node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1)
+ dynamic "autoscaling" {
- for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
+ content {
+ min_node_count = autoscaling.value.min_count
+ max_node_count = autoscaling.value.max_count
+ }
 }
 management {
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 0862e84c07..3eb5d107b2 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -203,10 +203,13 @@ resource "google_container_node_pool" "pools" {
 max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null)
 node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1)
+ dynamic "autoscaling" {
- for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
+ content {
+ min_node_count = autoscaling.value.min_count
+ max_node_count = autoscaling.value.max_count
+ }
 }
 management {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index d950217728..619e46b719 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -148,10 +148,13 @@ resource "google_container_node_pool" "pools" {
 )
 node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1)
+ dynamic "autoscaling" {
- for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
+ content {
+ min_node_count = autoscaling.value.min_count
+ max_node_count = autoscaling.value.max_count
+ }
 }
 management {
From 773eb570ed1b18926cd8909eda3b0ed1d6b697f2 Mon Sep 17 00:00:00 2001
From: Devan Patel
Date: Wed, 28 Aug 2019 12:05:16 +0100
Subject: [PATCH 12/13] Make min/max optional vars
---
 autogen/cluster.tf | 4 ++-- cluster.tf | 4 ++-- modules/beta-private-cluster/cluster.tf | 4 ++-- modules/beta-public-cluster/cluster.tf | 4 ++-- modules/private-cluster/cluster.tf | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/autogen/cluster.tf b/autogen/cluster.tf
index 95a34089bf..5efeb49483 100644
--- a/autogen/cluster.tf
+++ b/autogen/cluster.tf
@@ -228,8 +228,8 @@ resource "google_container_node_pool" "pools" {
 dynamic "autoscaling" {
 for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
 content {
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ min_node_count = lookup(autoscaling.value, "min_count", 1)
+ max_node_count = lookup(autoscaling.value, "max_count", 100)
 }
 }
diff --git a/cluster.tf b/cluster.tf
index 9b3f142fc1..6ee6edbf52 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -147,8 +147,8 @@ resource "google_container_node_pool" "pools" {
 dynamic "autoscaling" {
 for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
 content {
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ min_node_count = lookup(autoscaling.value, "min_count", 1)
+ max_node_count = lookup(autoscaling.value, "max_count", 100)
 }
 }
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 836bc2397c..7259ef47ee 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
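Review bot: The new `autoscaling` key of the node pool map is not documented anywhere in the template, so a reader cannot tell that with `autoscaling = false` the pool is pinned at `min_count` (via the `node_count` argument just above the hunk) while `max_count` is silently ignored, nor that the key defaults to `true`. Add a comment above the dynamic block, e.g. `# autoscaling (default true): when false the pool is fixed at min_count via node_count and max_count is ignored`, and carry the same sentence into the `node_pools` variable description / README so the contract is visible to callers rather than only in cluster.tf. The enclosing `google_container_node_pool` resource starts and ends outside the hunk.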
@@ -212,8 +212,8 @@ resource "google_container_node_pool" "pools" {
 dynamic "autoscaling" {
 for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
 content {
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ min_node_count = lookup(autoscaling.value, "min_count", 1)
+ max_node_count = lookup(autoscaling.value, "max_count", 100)
 }
 }
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 3eb5d107b2..f18d434321 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -207,8 +207,8 @@ resource "google_container_node_pool" "pools" {
 dynamic "autoscaling" {
 for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
 content {
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ min_node_count = lookup(autoscaling.value, "min_count", 1)
+ max_node_count = lookup(autoscaling.value, "max_count", 100)
 }
 }
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 619e46b719..b0006553e1 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -152,8 +152,8 @@ resource "google_container_node_pool" "pools" {
 dynamic "autoscaling" {
 for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []
 content {
- min_node_count = autoscaling.value.min_count
- max_node_count = autoscaling.value.max_count
+ min_node_count = lookup(autoscaling.value, "min_count", 1)
+ max_node_count = lookup(autoscaling.value, "max_count", 100)
 }
 }
From b65204fa376277e8f4d262e2fc89f47ec74f408a Mon Sep 17 00:00:00 2001
From: Morgante Pell
Date: Wed, 28 Aug 2019 14:49:37 -0400
Subject: [PATCH 13/13] Update CHANGELOG.md
---
 CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+)
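Review bot: With `autoscaling = false` the pool now gets an explicit `node_count` (set just above this hunk), but the `initial_node_count` argument earlier in the same resource — its tail `lookup(var.node_pools[count.index], "min_count", 1)` / `)` is visible as context in the earlier hunks, its start is outside them — still appears to be set unconditionally, so a fixed-size pool carries both arguments. Some google provider releases reject a node pool that sets both `initial_node_count` and `node_count` at apply time, and even where it is accepted a caller-supplied `initial_node_count` that differs from `min_count` would be immediately overridden by the resize; I would confirm against the pinned provider version. Making the first argument conditional keeps the two paths disjoint: `initial_node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1)) : null`. A fixture with one pool set to `autoscaling = "false"` would pin this, since no test exercising the new branch is part of the series visible here.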
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 706682fbf1..bfbcc1cba3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
 * Support for Google Groups based RBAC beta feature [#217]
+* Support for disabling node pool autoscaling by setting `autoscaling` to `false` within the node pool variable. [#250]
 ## [v4.1.0] 2019-07-24
@@ -170,6 +171,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
+[#250]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/250
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234