From dc7d24ee3bfd79ea17c7b9c903de052d610bd5a3 Mon Sep 17 00:00:00 2001
From: Till Adam
Date: Mon, 16 Dec 2024 10:01:14 +0100
Subject: [PATCH 1/4] fix: allow dns endpoints only

---
 autogen/main/cluster.tf.tmpl | 2 +-
 modules/beta-autopilot-private-cluster/cluster.tf | 2 +-
 modules/beta-private-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-private-cluster/cluster.tf | 2 +-
 modules/private-cluster-update-variant/cluster.tf | 2 +-
 modules/private-cluster/cluster.tf | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index b493d04f7c..45be8e4c72 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -266,7 +266,7 @@ resource "google_container_cluster" "primary" {
 enable_autopilot = true
 {% endif %}
 dynamic "master_authorized_networks_config" {
- for_each = {% if private_cluster %}var.enable_private_endpoint || {% endif %}var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = {% if private_cluster %}(var.enable_private_endpoint && !var.deploy_using_private_endpoint) || {% endif %}var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index bddef25b74..520f47191a 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
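Review bot: The new guard ties rendering of `master_authorized_networks_config` to `!var.deploy_using_private_endpoint`, which by its name describes how the Terraform client reaches the control plane rather than how the cluster's endpoints are configured, and nothing in the template hunk records why that should suppress the block; a short why-comment above the `dynamic` line such as `# Skip authorized networks when only the DNS endpoint is in use` would make the intent reviewable. Since PATCH 2/4 of this series rewrites the same expression, consider squashing the two so the intermediate condition never lands in history. The five generated `modules/*/cluster.tf` hunks in this patch carry the identical change and follow the template. The `cidr_blocks` dynamic block continues past the hunk.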
@@ -121,7 +121,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index d4f320e369..81970da3f6 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 29f11bb7ee..a4a6ea0523 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index fa03099a0c..25e6e1ec96 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -200,7 +200,7 @@ resource "google_container_cluster" "primary" {
 }
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 3ca8117ae6..e00de8327e 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -200,7 +200,7 @@ resource "google_container_cluster" "primary" {
 }
 
 dynamic "master_authorized_networks_config" {
- for_each = var.enable_private_endpoint || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
From 86991feef055ca1b8798608b6819c460ebe80d88 Mon Sep 17 00:00:00 2001
From: Till Adam
Date: Mon, 16 Dec 2024 21:44:35 +0100
Subject: [PATCH 2/4] fix: depend master_athorized_networks_config on master_authorized_networks

---
 autogen/main/cluster.tf.tmpl | 2 +-
 cluster.tf | 2 +-
 modules/beta-autopilot-private-cluster/cluster.tf | 2 +-
 modules/beta-autopilot-public-cluster/cluster.tf | 2 +-
 modules/beta-private-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-private-cluster/cluster.tf | 2 +-
 modules/beta-public-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-public-cluster/cluster.tf | 2 +-
 modules/private-cluster-update-variant/cluster.tf | 2 +-
 modules/private-cluster/cluster.tf | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 45be8e4c72..36fa7ebb2c 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -266,7 +266,7 @@ resource "google_container_cluster" "primary" {
 enable_autopilot = true
 {% endif %}
 dynamic "master_authorized_networks_config" {
- for_each = {% if private_cluster %}(var.enable_private_endpoint && !var.deploy_using_private_endpoint) || {% endif %}var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/cluster.tf b/cluster.tf
index d53799e500..f2718cf36d 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -200,7 +200,7 @@ resource "google_container_cluster" "primary" {
 }
 
 dynamic "master_authorized_networks_config" {
- for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 520f47191a..967bccefc0 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -121,7 +121,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
- for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
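Review bot: The new `for_each` on `master_authorized_networks_config` keys only on `var.master_authorized_networks != null`, yet the `content` block two lines below still sets `gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled`; a caller that sets `gcp_public_cidrs_access_enabled` without supplying `master_authorized_networks` now gets no block at all and the setting is silently dropped. The guard should keep that input, `for_each = var.master_authorized_networks != null || var.gcp_public_cidrs_access_enabled != null ? [true] : []`. For the private-cluster variants the removed expression also rendered the block whenever `enable_private_endpoint` was set, with no `cidr_blocks`, which per the variable's own description is what disallowed external access; after this change a private-endpoint cluster without an explicit list omits the block, a change in effective access posture that the commit message does not mention and that deserves at least a comment on the `dynamic` line. The same applies to the root `cluster.tf` hunk and the other eight `modules/*/cluster.tf` hunks in this patch. The `cidr_blocks` dynamic block continues past the hunk.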
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 4baca3ecac..9c18bfacbf 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -121,7 +121,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
- for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 81970da3f6..bbbca44d0a 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index a4a6ea0523..26c20110dd 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index b20fa74835..b008f3aec7 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index d76574eb39..fc6387727a 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 
 dynamic "master_authorized_networks_config" {
- for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 25e6e1ec96..d61ab7d102 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -200,7 +200,7 @@ resource "google_container_cluster" "primary" {
 }
 
 dynamic "master_authorized_networks_config" {
- for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index e00de8327e..f5583b565f 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -200,7 +200,7 @@ resource "google_container_cluster" "primary" {
 }
 
 dynamic "master_authorized_networks_config" {
- for_each = (var.enable_private_endpoint && !var.deploy_using_private_endpoint) || var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
+ for_each = var.master_authorized_networks != null ? [true] : []
 content {
 gcp_public_cidrs_access_enabled = var.gcp_public_cidrs_access_enabled
 dynamic "cidr_blocks" {
From e451d971ef556c77668786065d2f0be39641cc7f Mon Sep 17 00:00:00 2001
From: Till Adam
Date: Tue, 17 Dec 2024 08:12:27 +0100
Subject: [PATCH 3/4] fix: default master_authorized_networks to null

---
 README.md | 2 +-
 autogen/main/variables.tf.tmpl | 2 +-
 modules/beta-autopilot-private-cluster/README.md | 2 +-
 modules/beta-autopilot-private-cluster/variables.tf | 2 +-
 modules/beta-autopilot-public-cluster/README.md | 2 +-
 modules/beta-autopilot-public-cluster/variables.tf | 2 +-
 modules/beta-private-cluster-update-variant/README.md | 2 +-
 modules/beta-private-cluster-update-variant/variables.tf | 2 +-
 modules/beta-private-cluster/README.md | 2 +-
 modules/beta-private-cluster/variables.tf | 2 +-
 modules/beta-public-cluster-update-variant/README.md | 2 +-
 modules/beta-public-cluster-update-variant/variables.tf | 2 +-
 modules/beta-public-cluster/README.md | 2 +-
 modules/beta-public-cluster/variables.tf | 2 +-
 modules/private-cluster-update-variant/README.md | 2 +-
 modules/private-cluster-update-variant/variables.tf | 2 +-
 modules/private-cluster/README.md | 2 +-
 modules/private-cluster/variables.tf | 2 +-
 variables.tf | 2 +-
 19 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index ea612e0a92..b18eefdc21 100644
--- a/README.md
+++ b/README.md
@@ -206,7 +206,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 704915adf8..e2914957cb 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 888c450654..14154874a9 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
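Review bot: The default becomes `null`, but the `description` on the line above still says "If none are provided, disallow external access", which no longer holds once PATCH 2/4's `for_each = var.master_authorized_networks != null ? [true] : []` is in place: `null` now omits the `master_authorized_networks_config` block entirely, so no authorized-network restriction is configured at all, while `[]` renders the block with no `cidr_blocks` and is the value that actually disallows external access. The two values now have opposite security meaning and the description should say so, e.g. `description = "List of master authorized networks. null leaves master authorized networks unconfigured; an empty list enables them with no entries, which disallows external access (except the cluster node IPs, which GKE automatically whitelists)."`. The same stale description is repeated in the other eight `variables.tf` hunks and in the README tables of this patch, which presumably are generated from this template and would pick the new wording up on regeneration.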
@@ -126,7 +126,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 813d42b716..6d08c61873 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 729039e281..f62397196d 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -118,7 +118,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index f212deff44..881a3b89d8 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 45d57d1651..eb0c29a1a2 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -248,7 +248,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 8c2e2de46c..54fac1a510 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 30e38fb25f..59fadf126e 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -226,7 +226,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 8c2e2de46c..54fac1a510 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index abdc91ce57..3a465d0674 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -240,7 +240,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 2d5c215ddd..7e1c3d3ce4 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 2b2789a5ce..7ad919acd2 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -218,7 +218,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 2d5c215ddd..7e1c3d3ce4 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 7a2b611385..ac8eb4ebbf 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -236,7 +236,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 769a67bb4f..cde3ded22c 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 49d64bad5f..de0f516088 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -214,7 +214,7 @@ Then perform the following commands on the root folder:
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
-| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `null` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 769a67bb4f..cde3ded22c 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 variable "gcp_public_cidrs_access_enabled" {
diff --git a/variables.tf b/variables.tf
index 6b3018c7a5..c6f999681a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -75,7 +75,7 @@ variable "kubernetes_version" {
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
- default = []
+ default = null
 }
 variable "gcp_public_cidrs_access_enabled" {
From 8337620033367a6ca428ee41b8420bd0bd325f3b Mon Sep 17 00:00:00 2001
From: Till Adam
Date: Tue, 17 Dec 2024 19:57:33 +0100
Subject: [PATCH 4/4] fix: add upgrade notes for v36
---
 docs/upgrading_to_v36.0.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 docs/upgrading_to_v36.0.md
diff --git a/docs/upgrading_to_v36.0.md b/docs/upgrading_to_v36.0.md
new file mode 100644
index 0000000000..6f93d4353a
--- /dev/null
+++ b/docs/upgrading_to_v36.0.md
@@ -0,0 +1,19 @@
+# Upgrading to v36.0
+
+The v36.0 release of _kubernetes-engine_ is a backwards incompatible release.
+
+### master_authorized_networks default value
+
+The default value for `master_authorized_networks` has been changed from `[]` to `null`. To maintain the previous default behavior, set `master_authorized_networks` to `[]`. This change is because the API interprets an existing `master_authorized_networks_config` to enable authorized networks, but we want to be explicit about enabling this option.
+
+```
+ module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
+ version = "~> 36.0"
+
+ project_id = var.project_id
+ name = var.cluster_name
+
++ master_authorized_networks = []
+ }
+```