Add support for CMEK in logging bucket, big query dataset and gke notifications (#3558)
This commit is contained in:
committed by
GitHub
parent
ad9b71442a
commit
171a2c6690
@@ -353,27 +353,27 @@ module "bigquery-dataset" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [id](variables.tf#L111) | Dataset id. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L175) | Id of the project where datasets will be created. | <code>string</code> | ✓ | |
|
||||
| [id](variables.tf#L112) | Dataset id. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L176) | Id of the project where datasets will be created. | <code>string</code> | ✓ | |
|
||||
| [access](variables.tf#L17) | Map of access rules with role and identity type. Keys are arbitrary and must match those in the `access_identities` variable, types are `domain`, `group`, `special_group`, `user`, `view`. | <code title="map(object({ role = string type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_identities](variables.tf#L33) | Map of access identities used for basic access roles. View identities have the format 'project_id\|dataset_id\|table_id'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [authorized_datasets](variables.tf#L39) | An array of datasets to be authorized on the dataset. | <code title="list(object({ dataset_id = string, project_id = string, }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [authorized_routines](variables.tf#L48) | An array of routines to be authorized on the dataset. | <code title="list(object({ project_id = string, dataset_id = string, routine_id = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [authorized_views](variables.tf#L58) | An array of views to be authorized on the dataset. | <code title="list(object({ dataset_id = string, project_id = string, table_id = string # this is the view id, but we keep table_id to stay consistent as the resource }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [context](variables.tf#L68) | Context-specific interpolations. | <code title="object({ custom_roles = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) project_ids = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [dataset_access](variables.tf#L81) | Set access in the dataset resource instead of using separate resources. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L87) | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| [encryption_key](variables.tf#L93) | Self link of the KMS key that will be used to protect destination table. | <code>string</code> | | <code>null</code> |
|
||||
| [friendly_name](variables.tf#L99) | Dataset friendly name. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L105) | IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L116) | Dataset labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L122) | Dataset location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| [materialized_views](variables.tf#L128) | Materialized views definitions. | <code title="map(object({ query = string allow_non_incremental_definition = optional(bool) deletion_protection = optional(bool) description = optional(string, "Terraform managed.") enable_refresh = optional(bool) friendly_name = optional(string) labels = optional(map(string), {}) refresh_interval_ms = optional(bool) require_partition_filter = optional(bool) options = optional(object({ clustering = optional(list(string)) expiration_time = optional(number) }), {}) partitioning = optional(object({ field = optional(string) range = optional(object({ end = number interval = number start = number })) time = optional(object({ type = string expiration_ms = optional(number) field = optional(string) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L161) | Dataset options. | <code title="object({ default_collation = optional(string) default_table_expiration_ms = optional(number) default_partition_expiration_ms = optional(number) delete_contents_on_destroy = optional(bool, false) is_case_insensitive = optional(bool) max_time_travel_hours = optional(number, 168) storage_billing_model = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [routines](variables.tf#L180) | Routine definitions. | <code title="map(object({ description = optional(string) routine_type = string language = optional(string) definition_body = string imported_libraries = optional(list(string)) determinism_level = optional(string) data_governance_type = optional(string) return_type = optional(string) return_table_type = optional(string) arguments = optional(map(object({ argument_kind = optional(string) mode = optional(string) data_type = optional(string) })), {}) spark_options = optional(object({ archive_uris = optional(list(string), []) connection = string container_image = optional(string) file_uris = optional(list(string), []) jar_uris = optional(list(string), []) main_file_uri = optional(string) main_class = optional(string) properties = optional(map(string), {}) py_file_uris = optional(list(string), []) runtime_version = optional(string) })) remote_function_options = optional(object({ connection = string endpoint = optional(string) max_batching_rows = optional(string) user_defined_context = optional(map(string), {}) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tables](variables.tf#L219) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | <code title="map(object({ deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) require_partition_filter = optional(bool) schema = optional(string) external_data_configuration = optional(object({ autodetect = bool source_uris = list(string) avro_logical_types = optional(bool) compression = optional(string) connection_id = optional(string) file_set_spec_type = optional(string) ignore_unknown_values = optional(bool) metadata_cache_mode = optional(string) object_metadata = optional(string) json_options_encoding = optional(string) reference_file_schema_uri = optional(string) schema = optional(string) source_format = optional(string) max_bad_records = optional(number) csv_options = optional(object({ quote = string allow_jagged_rows = optional(bool) allow_quoted_newlines = optional(bool) encoding = optional(string) field_delimiter = optional(string) skip_leading_rows = optional(number) })) google_sheets_options = optional(object({ range = optional(string) skip_leading_rows = optional(number) })) hive_partitioning_options = optional(object({ mode = optional(string) require_partition_filter = optional(bool) source_uri_prefix = optional(string) })) parquet_options = optional(object({ enum_as_string = optional(bool) enable_list_inference = optional(bool) })) })) options = optional(object({ clustering = optional(list(string)) encryption_key = optional(string) expiration_time = optional(number) max_staleness = optional(string) }), {}) partitioning = optional(object({ field = optional(string) range = optional(object({ end = number interval = number start = number })) time = optional(object({ type = string expiration_ms = optional(number) field = optional(string) })) })) table_constraints = optional(object({ 
primary_key_columns = optional(list(string)) foreign_keys = optional(object({ referenced_table = object({ project_id = string dataset_id = string table_id = string }) column_references = object({ referencing_column = string referenced_column = string }) name = optional(string) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L304) | Tag bindings for this dataset, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [views](variables.tf#L311) | View definitions. | <code title="map(object({ query = string deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) use_legacy_sql = optional(bool) schema = optional(list(object({ name = string type = string description = string mode = optional(string) }))) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [context](variables.tf#L68) | Context-specific interpolations. | <code title="object({ custom_roles = optional(map(string), {}) kms_keys = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) project_ids = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [dataset_access](variables.tf#L82) | Set access in the dataset resource instead of using separate resources. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L88) | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| [encryption_key](variables.tf#L94) | Self link of the KMS key that will be used to protect destination table. | <code>string</code> | | <code>null</code> |
|
||||
| [friendly_name](variables.tf#L100) | Dataset friendly name. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L106) | IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L117) | Dataset labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L123) | Dataset location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| [materialized_views](variables.tf#L129) | Materialized views definitions. | <code title="map(object({ query = string allow_non_incremental_definition = optional(bool) deletion_protection = optional(bool) description = optional(string, "Terraform managed.") enable_refresh = optional(bool) friendly_name = optional(string) labels = optional(map(string), {}) refresh_interval_ms = optional(bool) require_partition_filter = optional(bool) options = optional(object({ clustering = optional(list(string)) expiration_time = optional(number) }), {}) partitioning = optional(object({ field = optional(string) range = optional(object({ end = number interval = number start = number })) time = optional(object({ type = string expiration_ms = optional(number) field = optional(string) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L162) | Dataset options. | <code title="object({ default_collation = optional(string) default_table_expiration_ms = optional(number) default_partition_expiration_ms = optional(number) delete_contents_on_destroy = optional(bool, false) is_case_insensitive = optional(bool) max_time_travel_hours = optional(number, 168) storage_billing_model = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [routines](variables.tf#L181) | Routine definitions. | <code title="map(object({ description = optional(string) routine_type = string language = optional(string) definition_body = string imported_libraries = optional(list(string)) determinism_level = optional(string) data_governance_type = optional(string) return_type = optional(string) return_table_type = optional(string) arguments = optional(map(object({ argument_kind = optional(string) mode = optional(string) data_type = optional(string) })), {}) spark_options = optional(object({ archive_uris = optional(list(string), []) connection = string container_image = optional(string) file_uris = optional(list(string), []) jar_uris = optional(list(string), []) main_file_uri = optional(string) main_class = optional(string) properties = optional(map(string), {}) py_file_uris = optional(list(string), []) runtime_version = optional(string) })) remote_function_options = optional(object({ connection = string endpoint = optional(string) max_batching_rows = optional(string) user_defined_context = optional(map(string), {}) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tables](variables.tf#L220) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | <code title="map(object({ deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) require_partition_filter = optional(bool) schema = optional(string) external_data_configuration = optional(object({ autodetect = bool source_uris = list(string) avro_logical_types = optional(bool) compression = optional(string) connection_id = optional(string) file_set_spec_type = optional(string) ignore_unknown_values = optional(bool) metadata_cache_mode = optional(string) object_metadata = optional(string) json_options_encoding = optional(string) reference_file_schema_uri = optional(string) schema = optional(string) source_format = optional(string) max_bad_records = optional(number) csv_options = optional(object({ quote = string allow_jagged_rows = optional(bool) allow_quoted_newlines = optional(bool) encoding = optional(string) field_delimiter = optional(string) skip_leading_rows = optional(number) })) google_sheets_options = optional(object({ range = optional(string) skip_leading_rows = optional(number) })) hive_partitioning_options = optional(object({ mode = optional(string) require_partition_filter = optional(bool) source_uri_prefix = optional(string) })) parquet_options = optional(object({ enum_as_string = optional(bool) enable_list_inference = optional(bool) })) })) options = optional(object({ clustering = optional(list(string)) encryption_key = optional(string) expiration_time = optional(number) max_staleness = optional(string) }), {}) partitioning = optional(object({ field = optional(string) range = optional(object({ end = number interval = number start = number })) time = optional(object({ type = string expiration_ms = optional(number) field = optional(string) })) })) table_constraints = optional(object({ 
primary_key_columns = optional(list(string)) foreign_keys = optional(object({ referenced_table = object({ project_id = string dataset_id = string table_id = string }) column_references = object({ referencing_column = string referenced_column = string }) name = optional(string) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L305) | Tag bindings for this dataset, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [views](variables.tf#L312) | View definitions. | <code title="map(object({ query = string deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) use_legacy_sql = optional(bool) schema = optional(list(object({ name = string type = string description = string mode = optional(string) }))) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -43,7 +43,8 @@ locals {
|
||||
for kk, vv in v : "${local.ctx_p}${k}:${kk}" => vv
|
||||
} if k != "condition_vars"
|
||||
}
|
||||
ctx_p = "$"
|
||||
ctx_p = "$"
|
||||
ctx_kms_keys = try(local.ctx.kms_keys, {})
|
||||
identities_view = {
|
||||
for k, v in local.access_view : k => try(
|
||||
zipmap(
|
||||
@@ -144,7 +145,11 @@ resource "google_bigquery_dataset" "default" {
|
||||
dynamic "default_encryption_configuration" {
|
||||
for_each = var.encryption_key == null ? [] : [""]
|
||||
content {
|
||||
kms_key_name = var.encryption_key
|
||||
kms_key_name = lookup(
|
||||
local.ctx_kms_keys,
|
||||
var.encryption_key,
|
||||
var.encryption_key
|
||||
)
|
||||
}
|
||||
}
|
||||
}
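Review bot: The `lookup(local.ctx_kms_keys, var.encryption_key, var.encryption_key)` fallback passes any value that is not a `context.kms_keys` alias straight through to the API, so a mistyped alias is only rejected at apply time as an unknown key name rather than at plan time; the `google_bigquery_table` hunk below uses the same pattern. A `precondition` on the resource that accepts only keys present in `local.ctx_kms_keys` or values in the `projects/…/locations/…/keyRings/…/cryptoKeys/…` form would fail earlier and with a clearer message. If the pass-through is intentional, a comment such as `# alias from context.kms_keys, or a full KMS key resource name` on the lookup would make it explicit. The `google_bigquery_dataset` resource block starts and continues outside the hunk.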
|
||||
@@ -255,7 +260,11 @@ resource "google_bigquery_table" "default" {
|
||||
dynamic "encryption_configuration" {
|
||||
for_each = each.value.options.encryption_key != null ? [""] : []
|
||||
content {
|
||||
kms_key_name = each.value.options.encryption_key
|
||||
kms_key_name = lookup(
|
||||
local.ctx_kms_keys,
|
||||
each.value.options.encryption_key,
|
||||
each.value.options.encryption_key
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -69,6 +69,7 @@ variable "context" {
|
||||
description = "Context-specific interpolations."
|
||||
type = object({
|
||||
custom_roles = optional(map(string), {})
|
||||
kms_keys = optional(map(string), {})
|
||||
iam_principals = optional(map(string), {})
|
||||
locations = optional(map(string), {})
|
||||
project_ids = optional(map(string), {})
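Review bot: The `encryption_key` variable description, as shown in the README table on this page (`Self link of the KMS key that will be used to protect destination table.`), is not updated to say that the value may now be a `context.kms_keys` alias, and "destination table" is misleading for a dataset-level default encryption key. Suggest `description = "KMS key name, or a key of context.kms_keys, used as the dataset default encryption key."`, and the same wording for `tables.options.encryption_key`. The `context` variable block continues past the end of the hunk.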
|
||||
|
||||
@@ -10,6 +10,7 @@ This module offers a way to create and manage Google Kubernetes Engine (GKE) [Au
|
||||
- [Backup for GKE](#backup-for-gke)
|
||||
- [Allowing access from Google Cloud services](#allowing-access-from-google-cloud-services)
|
||||
- [Disable PSC endpoint creation](#disable-psc-endpoint-creation)
|
||||
- [Upgrade notifications](#upgrade-notifications)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
@@ -263,31 +264,57 @@ module "cluster-1" {
|
||||
}
|
||||
# tftest modules=1 resources=1 inventory=no-ip-access.yaml
|
||||
```
|
||||
|
||||
## Upgrade notifications
|
||||
|
||||
Upgrade notifications are configured via the `enable_features.upgrade_notifications`. An existing PubSub topic can be defined via its `topic` attribute, or a new one can be created if the attribute is not set. The `event_types` attribute can be used to control which event types are sent. The `kms_key_name` attribute can be used to control which KMS key is used to encrypt the notification messages.
|
||||
|
||||
```hcl
|
||||
module "cluster-1" {
|
||||
source = "./fabric/modules/gke-cluster-autopilot"
|
||||
project_id = var.project_id
|
||||
name = "cluster-1"
|
||||
location = "europe-west1"
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
secondary_range_names = {}
|
||||
}
|
||||
enable_features = {
|
||||
upgrade_notifications = {
|
||||
event_types = ["SECURITY_BULLETIN_EVENT", "UPGRADE_EVENT"]
|
||||
kms_key_name = "projects/myproject/locations/global/keyRings/mykeyring/cryptoKeys/mykey"
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=notifications.yaml
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [location](variables.tf#L172) | Autopilot clusters are always regional. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L251) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L284) | Cluster project ID. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L300) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [location](variables.tf#L173) | Autopilot clusters are always regional. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L252) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L285) | Cluster project ID. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L301) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object({ dns_access = optional(bool, true) ip_access = optional(object({ authorized_ranges = optional(map(string)) disable_public_endpoint = optional(bool) gcp_public_cidrs_access_enabled = optional(bool) private_endpoint_authorized_ranges_enforcement = optional(bool) private_endpoint_config = optional(object({ endpoint_subnetwork = optional(string) global_access = optional(bool, true) })) })) private_nodes = optional(bool, true) master_ipv4_cidr_block = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [backup_configs](variables.tf#L45) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) labels = optional(map(string)) namespaces = optional(list(string)) permissive_mode = optional(bool) region = string schedule = string retention_policy_days = optional(string) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(string) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L67) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L74) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L80) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [enable_features](variables.tf#L94) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) gateway_api = optional(bool, false) groups_for_rbac = optional(string) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_manager_config = optional(bool) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) allow_net_admin = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) })) vertical_pod_autoscaling = optional(bool, false) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
|
||||
| [fleet_project](variables.tf#L154) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
|
||||
| [issue_client_certificate](variables.tf#L160) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L166) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L177) | Logging configuration. | <code title="object({ enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L188) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [min_master_version](variables.tf#L211) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L217) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L256) | Configuration for nodes and nodepools. | <code title="object({ boot_disk_kms_key = optional(string) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L277) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [release_channel](variables.tf#L289) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> | | <code>"REGULAR"</code> |
|
||||
| [enable_features](variables.tf#L94) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) gateway_api = optional(bool, false) groups_for_rbac = optional(string) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_manager_config = optional(bool) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) allow_net_admin = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) kms_key_name = optional(string) })) vertical_pod_autoscaling = optional(bool, false) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
|
||||
| [fleet_project](variables.tf#L155) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
|
||||
| [issue_client_certificate](variables.tf#L161) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L167) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L178) | Logging configuration. | <code title="object({ enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L189) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [min_master_version](variables.tf#L212) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L218) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L257) | Configuration for nodes and nodepools. | <code title="object({ boot_disk_kms_key = optional(string) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L278) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [release_channel](variables.tf#L290) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> | | <code>"REGULAR"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -438,4 +438,5 @@ resource "google_pubsub_topic" "notifications" {
|
||||
labels = {
|
||||
content = "gke-notifications"
|
||||
}
|
||||
kms_key_name = try(var.enable_features.upgrade_notifications.kms_key_name, null)
|
||||
}
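Review bot: `kms_key_name = try(var.enable_features.upgrade_notifications.kms_key_name, null)` only affects the topic this module creates, so when a caller supplies an existing topic via `topic_id` the attribute is presumably ignored without any warning (the condition that gates this resource is outside the hunk). A comment on this line, e.g. `# applies only to the module-managed topic; an existing topic_id keeps its own encryption settings`, plus a matching sentence in the README, would avoid a false impression of CMEK coverage. The README text in this commit also calls the attribute `topic`, while the variable in the `variables.tf` hunk is `topic_id`.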
|
||||
|
||||
@@ -131,9 +131,10 @@ variable "enable_features" {
service_external_ips = optional(bool, true)
tpu = optional(bool, false)
upgrade_notifications = optional(object({
enabled = optional(bool, true)
event_types = optional(list(string), [])
topic_id = optional(string)
enabled = optional(bool, true)
event_types = optional(list(string), [])
topic_id = optional(string)
kms_key_name = optional(string)
}))
vertical_pod_autoscaling = optional(bool, false)
enterprise_cluster = optional(bool)
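Review bot: The new `kms_key_name = optional(string)` field has no validation tying it to the topic this module creates: the test inventory in this commit addresses the topic as `google_pubsub_topic.notifications[0]`, i.e. it is conditional, so when `topic_id` names an existing topic the key is silently ignored and a caller may believe the notification stream is CMEK-protected when it is not. A `validation` block on `enable_features` that rejects the combination turns this into a plan-time error; the standard cluster hunk at `@@ -243,9 +243,10 @@` needs the same. The enclosing `variable "enable_features"` block starts and ends outside the hunk, so the block below goes next to its existing `validation` entries, if any.
```hcl
validation {
  condition = (
    try(var.enable_features.upgrade_notifications.topic_id, null) == null ||
    try(var.enable_features.upgrade_notifications.kms_key_name, null) == null
  )
  error_message = "upgrade_notifications.kms_key_name only applies to the topic created by this module; unset it when topic_id references an existing topic."
}
```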
@@ -225,7 +225,7 @@ module "cluster-1" {
## Upgrade notifications
Upgrade notifications are configured via the `enable_features.upgrade_notifications`. An existing PubSub topic can be defined via its `topic` attribute, or a new one can be created if the attribute is not set. The `event_types` attribute can be used to control which event types are sent.
Upgrade notifications are configured via the `enable_features.upgrade_notifications`. An existing PubSub topic can be defined via its `topic` attribute, or a new one can be created if the attribute is not set. The `event_types` attribute can be used to control which event types are sent. The `kms_key_name` attribute can be used to control which KMS key is used to encrypt the notification messages.
```hcl
module "cluster-1" {
@@ -240,7 +240,8 @@ module "cluster-1" {
}
enable_features = {
upgrade_notifications = {
event_types = ["SECURITY_BULLETIN_EVENT", "UPGRADE_EVENT"]
event_types = ["SECURITY_BULLETIN_EVENT", "UPGRADE_EVENT"]
kms_key_name = "projects/myproject/locations/global/keyRings/mykeyring/cryptoKeys/mykey"
}
}
}
@@ -510,10 +511,10 @@ module "cluster-1" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [location](variables.tf#L292) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L407) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L459) | Cluster project id. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L470) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
| [location](variables.tf#L293) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L408) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L460) | Cluster project id. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L471) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object({ dns_access = optional(bool, true) ip_access = optional(object({ authorized_ranges = optional(map(string)) disable_public_endpoint = optional(bool) gcp_public_cidrs_access_enabled = optional(bool) private_endpoint_authorized_ranges_enforcement = optional(bool) private_endpoint_config = optional(object({ endpoint_subnetwork = optional(string) global_access = optional(bool, true) })) })) master_ipv4_cidr_block = optional(string) private_nodes = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
| [backup_configs](variables.tf#L45) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ region = string applications = optional(map(list(string))) encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) labels = optional(map(string)) namespaces = optional(list(string)) permissive_mode = optional(bool) schedule = optional(string) retention_policy_days = optional(number) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(number) })), {}) })">object({…})</code> | | <code>{}</code> |
| [cluster_autoscaling](variables.tf#L68) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = optional(bool, true) autoscaling_profile = optional(string, "BALANCED") auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) disk_size = optional(number) disk_type = optional(string, "pd-standard") image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) management = optional(object({ auto_repair = optional(bool, true) auto_upgrade = optional(bool, true) })) shielded_instance_config = optional(object({ integrity_monitoring = optional(bool, true) secure_boot = optional(bool, false) })) upgrade_settings = optional(object({ blue_green = optional(object({ node_pool_soak_duration = optional(string) standard_rollout_policy = optional(object({ batch_percentage = optional(number) batch_node_count = optional(number) batch_soak_duration = optional(string) })) })) surge = optional(object({ max = optional(number) unavailable = optional(number) })) })) })) auto_provisioning_locations = optional(list(string)) cpu_limits = optional(object({ min = optional(number, 0) max = number })) mem_limits = optional(object({ min = optional(number, 0) max = number })) accelerator_resources = optional(list(object({ resource_type = string min = optional(number, 0) max = number }))) })">object({…})</code> | | <code>null</code> |
@@ -521,19 +522,19 @@ module "cluster-1" {
| [deletion_protection](variables.tf#L166) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L173) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L179) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, true) gce_persistent_disk_csi_driver = optional(bool, true) gcp_filestore_csi_driver = optional(bool, true) gcs_fuse_csi_driver = optional(bool, true) horizontal_pod_autoscaling = optional(bool, true) http_load_balancing = optional(bool, true) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) stateful_ha = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
| [enable_features](variables.tf#L201) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cilium_clusterwide_network_policy = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, true) fqdn_network_policy = optional(bool, true) gateway_api = optional(bool, false) groups_for_rbac = optional(string) image_streaming = optional(bool, false) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_manager_config = optional(bool) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
| [fleet_project](variables.tf#L273) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
| [issue_client_certificate](variables.tf#L279) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L285) | Cluster resource labels. | <code>map(string)</code> | | <code>{}</code> |
| [logging_config](variables.tf#L297) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
| [maintenance_config](variables.tf#L318) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
| [max_pods_per_node](variables.tf#L341) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [min_master_version](variables.tf#L347) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L353) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) advanced_datapath_observability = optional(object({ enable_metrics = bool enable_relay = bool })) })">object({…})</code> | | <code>{}</code> |
| [node_config](variables.tf#L412) | Node-level configuration. | <code title="object({ boot_disk_kms_key = optional(string) k8s_labels = optional(map(string)) labels = optional(map(string)) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [node_locations](variables.tf#L435) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
| [node_pool_auto_config](variables.tf#L442) | Node pool configs that apply to auto-provisioned node pools in autopilot clusters and node auto-provisioning-enabled clusters. | <code title="object({ cgroup_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) network_tags = optional(list(string), []) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [release_channel](variables.tf#L464) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
| [enable_features](variables.tf#L201) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cilium_clusterwide_network_policy = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, true) fqdn_network_policy = optional(bool, true) gateway_api = optional(bool, false) groups_for_rbac = optional(string) image_streaming = optional(bool, false) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_manager_config = optional(bool) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) kms_key_name = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
| [fleet_project](variables.tf#L274) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
| [issue_client_certificate](variables.tf#L280) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L286) | Cluster resource labels. | <code>map(string)</code> | | <code>{}</code> |
| [logging_config](variables.tf#L298) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
| [maintenance_config](variables.tf#L319) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
| [max_pods_per_node](variables.tf#L342) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [min_master_version](variables.tf#L348) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L354) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) advanced_datapath_observability = optional(object({ enable_metrics = bool enable_relay = bool })) })">object({…})</code> | | <code>{}</code> |
| [node_config](variables.tf#L413) | Node-level configuration. | <code title="object({ boot_disk_kms_key = optional(string) k8s_labels = optional(map(string)) labels = optional(map(string)) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [node_locations](variables.tf#L436) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
| [node_pool_auto_config](variables.tf#L443) | Node pool configs that apply to auto-provisioned node pools in autopilot clusters and node auto-provisioning-enabled clusters. | <code title="object({ cgroup_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) network_tags = optional(list(string), []) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [release_channel](variables.tf#L465) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
## Outputs
@@ -689,4 +689,5 @@ resource "google_pubsub_topic" "notifications" {
labels = {
content = "gke-notifications"
}
kms_key_name = try(var.enable_features.upgrade_notifications.kms_key_name, null)
}
@@ -243,9 +243,10 @@ variable "enable_features" {
shielded_nodes = optional(bool, false)
tpu = optional(bool, false)
upgrade_notifications = optional(object({
enabled = optional(bool, true)
event_types = optional(list(string), [])
topic_id = optional(string)
enabled = optional(bool, true)
event_types = optional(list(string), [])
topic_id = optional(string)
kms_key_name = optional(string)
}))
vertical_pod_autoscaling = optional(bool, false)
workload_identity = optional(bool, true)
@@ -118,17 +118,17 @@ module "bucket" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L60) | Name of the logging bucket. | <code>string</code> | ✓ | |
| [parent](variables.tf#L65) | ID of the parent resource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | <code>string</code> | ✓ | |
| [context](variables.tf#L17) | Context-specific interpolations. | <code title="object({ custom_roles = optional(map(string), {}) folder_ids = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) project_ids = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [description](variables.tf#L31) | Human-readable description for the logging bucket. | <code>string</code> | | <code>null</code> |
| [kms_key_name](variables.tf#L37) | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key. | <code>string</code> | | <code>null</code> |
| [location](variables.tf#L43) | Location of the bucket. | <code>string</code> | | <code>"global"</code> |
| [log_analytics](variables.tf#L49) | Enable and configure Analytics Log. | <code title="object({ enable = optional(bool, false) dataset_link_id = optional(string) description = optional(string, "Log Analytics Dataset") })">object({…})</code> | | <code>{}</code> |
| [parent_type](variables.tf#L73) | Parent object type for the bucket (project, folder, organization, billing_account). | <code>string</code> | | <code>"project"</code> |
| [retention](variables.tf#L80) | Retention time in days for the logging bucket. | <code>number</code> | | <code>30</code> |
| [tag_bindings](variables.tf#L86) | Tag bindings for this bucket, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
| [views](variables.tf#L93) | Log views for this bucket. | <code title="map(object({ filter = string location = optional(string) description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
| [name](variables.tf#L61) | Name of the logging bucket. | <code>string</code> | ✓ | |
| [parent](variables.tf#L66) | ID of the parent resource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | <code>string</code> | ✓ | |
| [context](variables.tf#L17) | Context-specific interpolations. | <code title="object({ custom_roles = optional(map(string), {}) folder_ids = optional(map(string), {}) iam_principals = optional(map(string), {}) kms_keys = optional(map(string), {}) locations = optional(map(string), {}) project_ids = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [description](variables.tf#L32) | Human-readable description for the logging bucket. | <code>string</code> | | <code>null</code> |
| [kms_key_name](variables.tf#L38) | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key. | <code>string</code> | | <code>null</code> |
| [location](variables.tf#L44) | Location of the bucket. | <code>string</code> | | <code>"global"</code> |
| [log_analytics](variables.tf#L50) | Enable and configure Analytics Log. | <code title="object({ enable = optional(bool, false) dataset_link_id = optional(string) description = optional(string, "Log Analytics Dataset") })">object({…})</code> | | <code>{}</code> |
| [parent_type](variables.tf#L74) | Parent object type for the bucket (project, folder, organization, billing_account). | <code>string</code> | | <code>"project"</code> |
| [retention](variables.tf#L81) | Retention time in days for the logging bucket. | <code>number</code> | | <code>30</code> |
| [tag_bindings](variables.tf#L87) | Tag bindings for this bucket, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
| [views](variables.tf#L94) | Log views for this bucket. | <code title="map(object({ filter = string location = optional(string) description = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
## Outputs
@@ -42,6 +42,7 @@ locals {
}
}
resource "google_logging_project_bucket_config" "bucket" {
count = var.parent_type == "project" ? 1 : 0
project = local.parent_id
@@ -53,7 +54,7 @@ resource "google_logging_project_bucket_config" "bucket" {
dynamic "cmek_settings" {
for_each = var.kms_key_name == null ? [] : [""]
content {
kms_key_name = var.kms_key_name
kms_key_name = lookup(local.ctx.kms_keys, var.kms_key_name, var.kms_key_name)
}
}
}
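Review bot: The fallback in `kms_key_name = lookup(local.ctx.kms_keys, var.kms_key_name, var.kms_key_name)` means a mistyped context reference is never caught at plan time: the unresolved string is sent to the API as the key resource name and only fails on apply, after the bucket's other settings have been planned around it. If `local.ctx.kms_keys` keys carry the `$kms_keys:` prefix used in the test fixtures (the prefixing happens outside this hunk, so I cannot confirm it), a `precondition` on the resource, or a `validation` on `kms_key_name` that rejects prefixed values absent from the map, would surface the typo earlier; if the other context lookups in this module deliberately share this fallback, a comment saying so on this line is enough. Separately, the `dynamic "cmek_settings"` block is only on the project bucket resource while `parent_type` also accepts folder, organization and billing_account, so a key set with another parent type is silently dropped rather than rejected; the variable description's "project logging bucket" wording documents it, but a validation would make the limitation explicit. The enclosing `google_logging_project_bucket_config` resource starts outside the hunk.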
@@ -20,6 +20,7 @@ variable "context" {
custom_roles = optional(map(string), {})
folder_ids = optional(map(string), {})
iam_principals = optional(map(string), {})
kms_keys = optional(map(string), {})
locations = optional(map(string), {})
project_ids = optional(map(string), {})
tag_values = optional(map(string), {})
@@ -18,11 +18,12 @@ locals {
projects_bigquery_datasets = flatten([
for k, v in local.projects_input : [
for name, opts in lookup(v, "datasets", {}) : {
project_key = k
project_name = v.name
id = name
friendly_name = lookup(opts, "friendly_name", null)
location = lookup(opts, "location", null)
project_key = k
project_name = v.name
id = name
encryption_key = lookup(opts, "encryption_key", null)
friendly_name = lookup(opts, "friendly_name", null)
location = lookup(opts, "location", null)
}
]
])
@@ -33,7 +34,7 @@ module "bigquery-datasets" {
for_each = {
for k in local.projects_bigquery_datasets : "${k.project_key}/${k.id}" => k
}
project_id = module.projects[each.value.project_key].project_id
project_id = module.projects-iam[each.value.project_key].project_id
id = each.value.id
context = merge(local.ctx, {
iam_principals = merge(
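Review bot: The switch to `project_id = module.projects-iam[each.value.project_key].project_id` presumably exists to sequence dataset creation after the project's IAM is applied, since a dataset with `encryption_key` set cannot be created until the BigQuery service agent holds the key role, but that intent is invisible in the code and the next reader will see only an odd indirection through the IAM module. A comment on the line would make the dependency explicit: `# referenced through projects-iam so the dataset is created after project IAM (including CMEK service agent bindings) is in place`. The `buckets` module at `@@ -62,7 +62,7 @@` gets the same change and would benefit from the same comment. The enclosing `module "bigquery-datasets"` block starts and ends outside the hunk.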
@@ -46,7 +47,8 @@ module "bigquery-datasets" {
locations = local.ctx.locations
project_ids = local.ctx_project_ids
})
friendly_name = each.value.friendly_name
encryption_key = each.value.encryption_key
friendly_name = each.value.friendly_name
location = coalesce(
local.data_defaults.overrides.locations.bigquery,
lookup(each.value, "location", null),
@@ -62,7 +62,7 @@ module "buckets" {
for_each = {
for k in local.projects_buckets : "${k.project_key}/${k.name}" => k
}
project_id = module.projects[each.value.project_key].project_id
project_id = module.projects-iam[each.value.project_key].project_id
prefix = each.value.prefix
name = "${each.value.project_name}-${each.value.name}"
bucket_create = each.value.create
@@ -154,8 +154,9 @@ variable "projects" {
})), {})
contacts = optional(map(list(string)), {})
datasets = optional(map(object({
friendly_name = optional(string)
location = optional(string)
encryption_key = optional(string)
friendly_name = optional(string)
location = optional(string)
})), {})
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
@@ -31,7 +31,7 @@ locals {
# https://cloud.google.com/composer/docs/composer-3/configure-cmek-encryption#grant-roles-permissions
"composer.googleapis.com" : ["composer", "storage"]
"compute.googleapis.com" : ["compute"]
"container.googleapis.com" : ["compute"]
"container.googleapis.com" : ["compute", "container-engine-robot"]
"dataflow.googleapis.com" : ["dataflow", "compute"]
"dataform.googleapis.com" : ["dataform"]
"datafusion.googleapis.com" : [
@@ -42,12 +42,13 @@ locals {
"datastream.googleapis.com" : ["datastream"]
"dialogflow.googleapis.com" : ["dialogflow-cmek"]
"file.googleapis.com" : ["cloud-filer"]
"logging.googleapis.com" : ["logging"]
"pubsub.googleapis.com" : ["pubsub"]
"run.googleapis.com" : ["cloudrun"]
"secretmanager.googleapis.com" : ["secretmanager"]
"spanner.googleapis.com" : ["spanner"]
"sqladmin.googleapis.com" : ["cloud-sql"]
"storage.googleapis.com" : ["storage"]
"run.googleapis.com" : ["cloudrun"]
}
_all_cmek_bindings = flatten([
for service, keys in var.service_encryption_key_ids : [
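Review bot: The new `"logging.googleapis.com" : ["logging"]` and `"pubsub.googleapis.com" : ["pubsub"]` entries match the logging-bucket and GKE-notification CMEK inputs added elsewhere in this commit, but neither this hunk nor the one at `@@ -31,7 +31,7 @@` shows a `bigquery.googleapis.com` entry even though dataset `encryption_key` support is added too; if the lines above the first hunk do not already list it, the BigQuery service agent gets no key binding and a dataset created with a key fails. The widened `"container.googleapis.com" : ["compute", "container-engine-robot"]` line deserves a why-comment, since the two agents cover different things (presumably `compute` for node boot-disk keys and `container-engine-robot` for cluster database encryption): `# compute: node boot disks; container-engine-robot: database_encryption / etcd secrets`. The `locals` block starts and ends outside both hunks.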
@@ -11,6 +11,9 @@ context = {
myuser = "user:test-user@example.com"
myuser2 = "user:test-user2@example.com"
}
kms_keys = {
mykey = "projects/366118655033/locations/europe-west8/keyRings/mykeyring/cryptoKeys/mykey"
}
locations = {
ew8 = "europe-west8"
}
@@ -21,9 +24,10 @@ context = {
"test/one" = "tagValues/1234567890"
}
}
project_id = "$project_ids:test"
id = "dataset_0"
location = "$locations:ew8"
project_id = "$project_ids:test"
id = "dataset_0"
location = "$locations:ew8"
encryption_key = "$kms_keys:mykey"
iam = {
"$custom_roles:myrole_one" = [
"$iam_principals:myuser"
@@ -15,7 +15,8 @@
values:
google_bigquery_dataset.default:
dataset_id: dataset_0
default_encryption_configuration: []
default_encryption_configuration:
- kms_key_name: projects/366118655033/locations/europe-west8/keyRings/mykeyring/cryptoKeys/mykey
default_partition_expiration_ms: null
default_table_expiration_ms: null
delete_contents_on_destroy: false
@@ -0,0 +1,48 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1.google_container_cluster.cluster:
notification_config:
- pubsub:
- enabled: true
filter:
- event_type:
- SECURITY_BULLETIN_EVENT
- UPGRADE_EVENT
module.cluster-1.google_pubsub_topic.notifications[0]:
effective_labels:
content: gke-notifications
goog-terraform-provisioned: 'true'
ingestion_data_source_settings: []
kms_key_name: projects/myproject/locations/global/keyRings/mykeyring/cryptoKeys/mykey
labels:
content: gke-notifications
message_retention_duration: null
message_transforms: []
name: gke-pubsub-notifications
project: project-id
schema_settings: []
tags: null
terraform_labels:
content: gke-notifications
goog-terraform-provisioned: 'true'
timeouts: null
counts:
google_container_cluster: 1
google_pubsub_topic: 1
modules: 1
resources: 2
@@ -160,7 +160,7 @@ values:
content: gke-notifications
goog-terraform-provisioned: 'true'
ingestion_data_source_settings: []
kms_key_name: null
kms_key_name: projects/myproject/locations/global/keyRings/mykeyring/cryptoKeys/mykey
labels:
content: gke-notifications
message_retention_duration: null
@@ -11,6 +11,9 @@ context = {
myuser = "user:test-user@example.com"
myuser2 = "user:test-user2@example.com"
}
kms_keys = {
mykey = "projects/366118655033/locations/europe-west8/keyRings/mykeyring/cryptoKeys/mykey"
}
locations = {
ew8 = "europe-west8"
}
@@ -21,9 +24,10 @@ context = {
"test/one" = "tagValues/1234567890"
}
}
name = "mybucket"
location = "$locations:ew8"
parent = "$project_ids:myproject"
kms_key_name = "$kms_keys:mykey"
name = "mybucket"
location = "$locations:ew8"
parent = "$project_ids:myproject"
tag_bindings = {
foo = "$tag_values:test/one"
}
@@ -35,7 +35,8 @@ values:
role: roles/viewer
google_logging_project_bucket_config.bucket[0]:
bucket_id: mybucket
cmek_settings: []
cmek_settings:
- kms_key_name: projects/366118655033/locations/europe-west8/keyRings/mykeyring/cryptoKeys/mykey
enable_analytics: false
index_configs: []
location: europe-west8