diff --git a/modules/gke-cluster-autopilot/README.md b/modules/gke-cluster-autopilot/README.md
index 5fb61ee9b..b35ffd7da 100644
--- a/modules/gke-cluster-autopilot/README.md
+++ b/modules/gke-cluster-autopilot/README.md
@@ -8,6 +8,7 @@ This module offers a way to create and manage Google Kubernetes Engine (GKE) [Au
- [Logging configuration](#logging-configuration)
- [Monitoring configuration](#monitoring-configuration)
- [Backup for GKE](#backup-for-gke)
+ - [Allowing access from Google Cloud services](#allowing-access-from-google-cloud-services)
- [Variables](#variables)
- [Outputs](#outputs)
@@ -200,30 +201,63 @@ module "cluster-1" {
}
# tftest modules=1 resources=2 inventory=backup.yaml
```
+
+### Allowing access from Google Cloud services
+
+To allow access to your cluster from Google Cloud services (like Cloud Shell, Cloud Build, etc.) without needing to manually specify all Google Cloud IP ranges, you can use the `gcp_public_cidrs_access_enabled` parameter:
+
+```hcl
+module "cluster-1" {
+ source = "./fabric/modules/gke-cluster-autopilot"
+ project_id = "myproject"
+ name = "cluster-1"
+ location = "europe-west1"
+ access_config = {
+ ip_access = {
+ gcp_public_cidrs_access_enabled = true
+ authorized_ranges = {
+ internal-vms = "10.0.0.0/8"
+ }
+ }
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ secondary_range_names = {
+ pods = "pods"
+ services = "services"
+ }
+ }
+ labels = {
+ environment = "dev"
+ }
+}
+# tftest modules=1 resources=1 inventory=access-google.yaml
+```
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [location](variables.tf#L144) | Autopilot clusters are always regional. | string | ✓ | |
-| [name](variables.tf#L223) | Cluster name. | string | ✓ | |
-| [project_id](variables.tf#L254) | Cluster project ID. | string | ✓ | |
-| [vpc_config](variables.tf#L270) | VPC-level configuration. | object({…}) | ✓ | |
-| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
-| [backup_configs](variables.tf#L42) | Configuration for Backup for GKE. | object({…}) | | {} |
-| [deletion_protection](variables.tf#L63) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true |
-| [description](variables.tf#L70) | Cluster description. | string | | null |
-| [enable_addons](variables.tf#L76) | Addons enabled in the cluster (true means enabled). | object({…}) | | {} |
-| [enable_features](variables.tf#L90) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {} |
-| [issue_client_certificate](variables.tf#L132) | Enable issuing client certificate. | bool | | false |
-| [labels](variables.tf#L138) | Cluster resource labels. | map(string) | | null |
-| [logging_config](variables.tf#L149) | Logging configuration. | object({…}) | | {} |
-| [maintenance_config](variables.tf#L160) | Maintenance window configuration. | object({…}) | | {…} |
-| [min_master_version](variables.tf#L183) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
-| [monitoring_config](variables.tf#L189) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} |
-| [node_config](variables.tf#L228) | Configuration for nodes and nodepools. | object({…}) | | {} |
-| [node_locations](variables.tf#L247) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [release_channel](variables.tf#L259) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | string | | "REGULAR" |
+| [location](variables.tf#L145) | Autopilot clusters are always regional. | string | ✓ | |
+| [name](variables.tf#L224) | Cluster name. | string | ✓ | |
+| [project_id](variables.tf#L255) | Cluster project ID. | string | ✓ | |
+| [vpc_config](variables.tf#L271) | VPC-level configuration. | object({…}) | ✓ | |
+| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
+| [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | object({…}) | | {} |
+| [deletion_protection](variables.tf#L64) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true |
+| [description](variables.tf#L71) | Cluster description. | string | | null |
+| [enable_addons](variables.tf#L77) | Addons enabled in the cluster (true means enabled). | object({…}) | | {} |
+| [enable_features](variables.tf#L91) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {} |
+| [issue_client_certificate](variables.tf#L133) | Enable issuing client certificate. | bool | | false |
+| [labels](variables.tf#L139) | Cluster resource labels. | map(string) | | null |
+| [logging_config](variables.tf#L150) | Logging configuration. | object({…}) | | {} |
+| [maintenance_config](variables.tf#L161) | Maintenance window configuration. | object({…}) | | {…} |
+| [min_master_version](variables.tf#L184) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
+| [monitoring_config](variables.tf#L190) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} |
+| [node_config](variables.tf#L229) | Configuration for nodes and nodepools. | object({…}) | | {} |
+| [node_locations](variables.tf#L248) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [release_channel](variables.tf#L260) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | string | | "REGULAR" |
## Outputs
diff --git a/modules/gke-cluster-autopilot/main.tf b/modules/gke-cluster-autopilot/main.tf
index 8a60908f5..3049561ce 100644
--- a/modules/gke-cluster-autopilot/main.tf
+++ b/modules/gke-cluster-autopilot/main.tf
@@ -208,10 +208,15 @@ resource "google_container_cluster" "cluster" {
}
}
dynamic "master_authorized_networks_config" {
- for_each = try(var.access_config.ip_access.authorized_ranges, null) != null ? [""] : []
+ for_each = (
+ try(var.access_config.ip_access.authorized_ranges, null) != null ||
+ try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null) != null
+ ) ? [""] : []
content {
+ gcp_public_cidrs_access_enabled = try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null)
+
dynamic "cidr_blocks" {
- for_each = var.access_config.ip_access.authorized_ranges
+ for_each = try(var.access_config.ip_access.authorized_ranges, {})
iterator = range
content {
cidr_block = range.value
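Review bot: The added `gcp_public_cidrs_access_enabled != null` disjunct in `for_each` appears unable to change the outcome. Given the defaults declared in variables.tf in this commit, both attributes are non-null whenever `ip_access` is set, and both `try()` calls fall back to null when it is not. The gate therefore reduces to `for_each = var.access_config.ip_access != null ? [""] : []`, which also makes it plain that the flag is sent for every caller that sets `ip_access`. I would also add a comment above the new argument, such as `# admits Google Cloud public IP ranges to the control plane in addition to authorized_ranges; this is not limited to your own projects`. The same applies to the identical hunk in modules/gke-cluster-standard/main.tf; the resource block starts and ends outside both hunks.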
diff --git a/modules/gke-cluster-autopilot/variables.tf b/modules/gke-cluster-autopilot/variables.tf
index 000496e8a..acba8317e 100644
--- a/modules/gke-cluster-autopilot/variables.tf
+++ b/modules/gke-cluster-autopilot/variables.tf
@@ -19,8 +19,9 @@ variable "access_config" {
type = object({
dns_access = optional(bool, true)
ip_access = optional(object({
- authorized_ranges = optional(map(string), {})
- disable_public_endpoint = optional(bool, true)
+ authorized_ranges = optional(map(string), {})
+ disable_public_endpoint = optional(bool, true)
+ gcp_public_cidrs_access_enabled = optional(bool, true)
private_endpoint_config = optional(object({
endpoint_subnetwork = optional(string)
global_access = optional(bool, true)
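Review bot: Defaulting the new `gcp_public_cidrs_access_enabled` attribute to `true` makes the wider allowlist opt-out rather than opt-in. Every existing caller that sets `ip_access` will now explicitly send `true` on the next apply, even if they only listed their own `authorized_ranges`. The README added in this commit presents the flag as something you turn on, so `gcp_public_cidrs_access_enabled = optional(bool, false)` would match that. Plain `optional(bool)` would instead leave the provider's behaviour unchanged for callers who do not set it. The description of `access_config` (outside this hunk) should also state what the flag permits. The same default is added in modules/gke-cluster-standard/variables.tf.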
diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index e6dbd08b3..e0e188b1b 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -9,6 +9,7 @@ This module offers a way to create and manage Google Kubernetes Engine (GKE) [St
- [Cluster access configurations](#cluster-access-configurations)
- [Private cluster with DNS endpoint enabled](#private-cluster-with-dns-endpoint-enabled)
- [Public cluster](#public-cluster)
+ - [Allowing access from Google Cloud services](#allowing-access-from-google-cloud-services)
- [Regional cluster](#regional-cluster)
- [Enable Dataplane V2](#enable-dataplane-v2)
- [Managing GKE logs](#managing-gke-logs)
@@ -104,6 +105,43 @@ module "cluster-1" {
# tftest modules=1 resources=1 inventory=access-public.yaml
```
+### Allowing access from Google Cloud services
+
+To allow access to your cluster from Google Cloud services (like Cloud Shell, Cloud Build, etc.) without needing to manually specify all Google Cloud IP ranges, you can use the `gcp_public_cidrs_access_enabled` parameter:
+
+```hcl
+module "cluster-1" {
+ source = "./fabric/modules/gke-cluster-standard"
+ project_id = "myproject"
+ name = "cluster-1"
+ location = "europe-west1-b"
+ access_config = {
+ dns_access = false
+ gcp_public_cidrs_access_enabled = true
+ ip_access = {
+ authorized_ranges = {
+ internal-vms = "10.0.0.0/8"
+ }
+ disable_public_endpoint = false
+ }
+ private_nodes = false
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ secondary_range_names = {
+ pods = "pods"
+ services = "services"
+ }
+ }
+ max_pods_per_node = 32
+ labels = {
+ environment = "dev"
+ }
+}
+# tftest modules=1 resources=1 inventory=access-google.yaml
+```
+
## Regional cluster
Regional clusters are created by setting `location` to a GCP region and then configuring `node_locations`, as shown in the example below.
@@ -240,7 +278,7 @@ module "cluster-1" {
enable_storage_metrics = true
# Kube state metrics collection requires Google Cloud Managed Service for Prometheus,
# which is enabled by default.
- # enable_managed_prometheus = true
+ # enable_managed_prometheus = true
}
}
# tftest modules=1 resources=1 inventory=monitoring-config-kube-state.yaml
@@ -428,28 +466,28 @@ module "cluster-1" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [location](variables.tf#L263) | Cluster zone or region. | string | ✓ | |
-| [name](variables.tf#L378) | Cluster name. | string | ✓ | |
-| [project_id](variables.tf#L411) | Cluster project id. | string | ✓ | |
-| [vpc_config](variables.tf#L422) | VPC-level configuration. | object({…}) | ✓ | |
-| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
-| [backup_configs](variables.tf#L42) | Configuration for Backup for GKE. | object({…}) | | {} |
-| [cluster_autoscaling](variables.tf#L64) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null |
-| [default_nodepool](variables.tf#L143) | Enable default nodepool. | object({…}) | | {} |
-| [deletion_protection](variables.tf#L161) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true |
-| [description](variables.tf#L168) | Cluster description. | string | | null |
-| [enable_addons](variables.tf#L174) | Addons enabled in the cluster (true means enabled). | object({…}) | | {} |
-| [enable_features](variables.tf#L196) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {} |
-| [issue_client_certificate](variables.tf#L250) | Enable issuing client certificate. | bool | | false |
-| [labels](variables.tf#L256) | Cluster resource labels. | map(string) | | {} |
-| [logging_config](variables.tf#L268) | Logging configuration. | object({…}) | | {} |
-| [maintenance_config](variables.tf#L289) | Maintenance window configuration. | object({…}) | | {…} |
-| [max_pods_per_node](variables.tf#L312) | Maximum number of pods per node in this cluster. | number | | 110 |
-| [min_master_version](variables.tf#L318) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
-| [monitoring_config](variables.tf#L324) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} |
-| [node_config](variables.tf#L383) | Node-level configuration. | object({…}) | | {} |
-| [node_locations](variables.tf#L404) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [release_channel](variables.tf#L416) | Release channel for GKE upgrades. | string | | null |
+| [location](variables.tf#L264) | Cluster zone or region. | string | ✓ | |
+| [name](variables.tf#L379) | Cluster name. | string | ✓ | |
+| [project_id](variables.tf#L412) | Cluster project id. | string | ✓ | |
+| [vpc_config](variables.tf#L423) | VPC-level configuration. | object({…}) | ✓ | |
+| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
+| [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | object({…}) | | {} |
+| [cluster_autoscaling](variables.tf#L65) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null |
+| [default_nodepool](variables.tf#L144) | Enable default nodepool. | object({…}) | | {} |
+| [deletion_protection](variables.tf#L162) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true |
+| [description](variables.tf#L169) | Cluster description. | string | | null |
+| [enable_addons](variables.tf#L175) | Addons enabled in the cluster (true means enabled). | object({…}) | | {} |
+| [enable_features](variables.tf#L197) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {} |
+| [issue_client_certificate](variables.tf#L251) | Enable issuing client certificate. | bool | | false |
+| [labels](variables.tf#L257) | Cluster resource labels. | map(string) | | {} |
+| [logging_config](variables.tf#L269) | Logging configuration. | object({…}) | | {} |
+| [maintenance_config](variables.tf#L290) | Maintenance window configuration. | object({…}) | | {…} |
+| [max_pods_per_node](variables.tf#L313) | Maximum number of pods per node in this cluster. | number | | 110 |
+| [min_master_version](variables.tf#L319) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
+| [monitoring_config](variables.tf#L325) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} |
+| [node_config](variables.tf#L384) | Node-level configuration. | object({…}) | | {} |
+| [node_locations](variables.tf#L405) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [release_channel](variables.tf#L417) | Release channel for GKE upgrades. | string | | null |
## Outputs
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index eaa50464e..ca5eee35a 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -392,10 +392,15 @@ resource "google_container_cluster" "cluster" {
}
}
dynamic "master_authorized_networks_config" {
- for_each = try(var.access_config.ip_access.authorized_ranges, null) != null ? [""] : []
+ for_each = (
+ try(var.access_config.ip_access.authorized_ranges, null) != null ||
+ try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null) != null
+ ) ? [""] : []
content {
+ gcp_public_cidrs_access_enabled = try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null)
+
dynamic "cidr_blocks" {
- for_each = var.access_config.ip_access.authorized_ranges
+ for_each = try(var.access_config.ip_access.authorized_ranges, {})
iterator = range
content {
cidr_block = range.value
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index ee2f7d8e7..197c0e109 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -19,8 +19,9 @@ variable "access_config" {
type = object({
dns_access = optional(bool, true)
ip_access = optional(object({
- authorized_ranges = optional(map(string), {})
- disable_public_endpoint = optional(bool, true)
+ authorized_ranges = optional(map(string), {})
+ disable_public_endpoint = optional(bool, true)
+ gcp_public_cidrs_access_enabled = optional(bool, true)
private_endpoint_config = optional(object({
endpoint_subnetwork = optional(string)
global_access = optional(bool, true)
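Review bot: The attribute is declared inside `ip_access` here, but the gke-cluster-standard README example in this same commit sets `gcp_public_cidrs_access_enabled = true` directly under `access_config`. As far as I can tell, Terraform drops attributes that the object type does not declare, so that line would be silently ignored. The `true` in tests/modules/gke_cluster_standard/examples/access-google.yaml would then come from the default on this line, not from the example. Move the setting under `ip_access` in the example. With a non-`true` default the test would also catch this kind of misplacement.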
diff --git a/tests/modules/gke_cluster_autopilot/examples/access-google.yaml b/tests/modules/gke_cluster_autopilot/examples/access-google.yaml
new file mode 100644
index 000000000..44d66cdc2
--- /dev/null
+++ b/tests/modules/gke_cluster_autopilot/examples/access-google.yaml
@@ -0,0 +1,119 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cluster-1.google_container_cluster.cluster:
+ addons_config:
+ - cloudrun_config:
+ - disabled: true
+ load_balancer_type: null
+ config_connector_config:
+ - enabled: false
+ gke_backup_agent_config:
+ - enabled: false
+ horizontal_pod_autoscaling:
+ - disabled: false
+ http_load_balancing:
+ - disabled: false
+ kalm_config:
+ - enabled: false
+ allow_net_admin: false
+ binary_authorization: []
+ cluster_autoscaling:
+ - auto_provisioning_defaults:
+ - boot_disk_kms_key: null
+ disk_size: null
+ disk_type: null
+ image_type: null
+ min_cpu_platform: null
+ service_account: default
+ shielded_instance_config: []
+ autoscaling_profile: null
+ resource_limits: []
+ control_plane_endpoints_config:
+ - dns_endpoint_config:
+ - allow_external_traffic: true
+ deletion_protection: true
+ description: null
+ dns_config: []
+ effective_labels:
+ environment: dev
+ goog-terraform-provisioned: 'true'
+ enable_autopilot: true
+ enable_cilium_clusterwide_network_policy: false
+ enable_fqdn_network_policy: false
+ enable_intranode_visibility: true
+ enable_k8s_beta_apis: []
+ enable_kubernetes_alpha: false
+ enable_l4_ilb_subsetting: false
+ enable_legacy_abac: false
+ enable_multi_networking: false
+ enable_shielded_nodes: true
+ enable_tpu: false
+ fleet: []
+ initial_node_count: 1
+ ip_allocation_policy:
+ - additional_pod_ranges_config: []
+ cluster_secondary_range_name: pods
+ services_secondary_range_name: services
+ stack_type: IPV4
+ location: europe-west1
+ logging_config:
+ - enable_components:
+ - SYSTEM_COMPONENTS
+ - WORKLOADS
+ maintenance_policy:
+ - daily_maintenance_window:
+ - start_time: 03:00
+ maintenance_exclusion: []
+ recurring_window: []
+ master_auth:
+ - client_certificate_config:
+ - issue_client_certificate: false
+ master_authorized_networks_config:
+ - cidr_blocks:
+ - cidr_block: 10.0.0.0/8
+ display_name: internal-vms
+ gcp_public_cidrs_access_enabled: true
+ min_master_version: null
+ monitoring_config:
+ - enable_components:
+ - SYSTEM_COMPONENTS
+ managed_prometheus:
+ - enabled: true
+ name: cluster-1
+ network: projects/xxx/global/networks/aaa
+ network_policy: []
+ networking_mode: VPC_NATIVE
+ pod_security_policy_config: []
+ private_cluster_config:
+ - enable_private_endpoint: true
+ enable_private_nodes: true
+ master_global_access_config:
+ - enabled: true
+ private_endpoint_subnetwork: null
+ project: myproject
+ release_channel:
+ - channel: REGULAR
+ remove_default_node_pool: null
+ resource_labels:
+ environment: dev
+ resource_usage_export_config: []
+ secret_manager_config: []
+ subnetwork: subnet_self_link
+ terraform_labels:
+ environment: dev
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ user_managed_keys_config: []
diff --git a/tests/modules/gke_cluster_standard/examples/access-google.yaml b/tests/modules/gke_cluster_standard/examples/access-google.yaml
new file mode 100644
index 000000000..a480fb446
--- /dev/null
+++ b/tests/modules/gke_cluster_standard/examples/access-google.yaml
@@ -0,0 +1,155 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cluster-1.google_container_cluster.cluster:
+ addons_config:
+ - cloudrun_config:
+ - disabled: true
+ load_balancer_type: null
+ config_connector_config:
+ - enabled: false
+ dns_cache_config:
+ - enabled: true
+ gce_persistent_disk_csi_driver_config:
+ - enabled: true
+ gcp_filestore_csi_driver_config:
+ - enabled: true
+ gcs_fuse_csi_driver_config:
+ - enabled: true
+ gke_backup_agent_config:
+ - enabled: false
+ horizontal_pod_autoscaling:
+ - disabled: false
+ http_load_balancing:
+ - disabled: false
+ istio_config:
+ - auth: null
+ disabled: true
+ kalm_config:
+ - enabled: false
+ network_policy_config:
+ - disabled: true
+ stateful_ha_config:
+ - enabled: false
+ allow_net_admin: null
+ binary_authorization: []
+ cost_management_config:
+ - enabled: true
+ datapath_provider: ADVANCED_DATAPATH
+ default_max_pods_per_node: 32
+ deletion_protection: true
+ description: null
+ dns_config: []
+ effective_labels:
+ environment: dev
+ goog-terraform-provisioned: 'true'
+ enable_autopilot: null
+ enable_cilium_clusterwide_network_policy: false
+ enable_fqdn_network_policy: true
+ enable_intranode_visibility: false
+ enable_k8s_beta_apis: []
+ enable_kubernetes_alpha: false
+ enable_l4_ilb_subsetting: false
+ enable_legacy_abac: false
+ enable_multi_networking: false
+ enable_shielded_nodes: false
+ enable_tpu: false
+ fleet: []
+ initial_node_count: 1
+ ip_allocation_policy:
+ - additional_pod_ranges_config: []
+ cluster_secondary_range_name: pods
+ services_secondary_range_name: services
+ stack_type: IPV4
+ location: europe-west1-b
+ logging_config:
+ - enable_components:
+ - SYSTEM_COMPONENTS
+ maintenance_policy:
+ - daily_maintenance_window:
+ - start_time: 03:00
+ maintenance_exclusion: []
+ recurring_window: []
+ master_auth:
+ - client_certificate_config:
+ - issue_client_certificate: false
+ master_authorized_networks_config:
+ - cidr_blocks:
+ - cidr_block: 10.0.0.0/8
+ display_name: internal-vms
+ gcp_public_cidrs_access_enabled: true
+ min_master_version: null
+ monitoring_config:
+ - enable_components:
+ - SYSTEM_COMPONENTS
+ managed_prometheus:
+ - enabled: true
+ name: cluster-1
+ network: projects/xxx/global/networks/aaa
+ network_policy: []
+ node_config:
+ - advanced_machine_features: []
+ boot_disk_kms_key: null
+ containerd_config: []
+ enable_confidential_storage: null
+ ephemeral_storage_config: []
+ ephemeral_storage_local_ssd_config: []
+ fast_socket: []
+ gvnic: []
+ host_maintenance_policy: []
+ linux_node_config: []
+ local_nvme_ssd_block_config: []
+ local_ssd_encryption_mode: null
+ max_run_duration: null
+ node_group: null
+ preemptible: false
+ reservation_affinity: []
+ resource_labels: null
+ resource_manager_tags: null
+ sandbox_config: []
+ secondary_boot_disks: []
+ sole_tenant_config: []
+ spot: false
+ storage_pools: null
+ tags: null
+ taint: []
+ node_pool_defaults:
+ - node_config_defaults:
+ - containerd_config: []
+ gcfs_config:
+ - enabled: false
+ pod_security_policy_config: []
+ private_cluster_config: []
+ project: myproject
+ remove_default_node_pool: true
+ resource_labels:
+ environment: dev
+ resource_usage_export_config: []
+ secret_manager_config: []
+ subnetwork: subnet_self_link
+ terraform_labels:
+ environment: dev
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ user_managed_keys_config: []
+ workload_identity_config:
+ - workload_pool: myproject.svc.id.goog
+
+counts:
+ google_container_cluster: 1
+ modules: 1
+ resources: 1
+
+outputs: {}