kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add gcp_public_cidrs_access_enabled to gke-cluster-{autopilot,standard} (#2993)

Browse Source
This commit is contained in:
Marco Cadetg
2025-04-01 08:17:44 +02:00
committed by GitHub
parent 196b06441b
commit 2b2e52fecd
8 changed files with 408 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
modules/gke-cluster-autopilot/README.md
View File

@@ -8,6 +8,7 @@ This module offers a way to create and manage Google Kubernetes Engine (GKE) [Au
- [Logging configuration](#logging-configuration)
- [Monitoring configuration](#monitoring-configuration)
- [Backup for GKE](#backup-for-gke)
- [Allowing access from Google Cloud services](#allowing-access-from-google-cloud-services)
- [Variables](#variables)
- [Outputs](#outputs)
<!-- END TOC -->
@@ -200,30 +201,63 @@ module "cluster-1" {
}
# tftest modules=1 resources=2 inventory=backup.yaml
```
### Allowing access from Google Cloud services
To allow access to your cluster from Google Cloud services (like Cloud Shell, Cloud Build, etc.) without needing to manually specify all Google Cloud IP ranges, you can use the `gcp_public_cidrs_access_enabled` parameter:
```hcl
module "cluster-1" {
source = "./fabric/modules/gke-cluster-autopilot"
project_id = "myproject"
name = "cluster-1"
location = "europe-west1"
access_config = {
ip_access = {
gcp_public_cidrs_access_enabled = true
authorized_ranges = {
internal-vms = "10.0.0.0/8"
}
}
}
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_names = {
pods = "pods"
services = "services"
}
}
labels = {
environment = "dev"
}
}
# tftest modules=1 resources=1 inventory=access-google.yaml
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [location](variables.tf#L144) | Autopilot clusters are always regional. | <code>string</code> | ✓ | |
| [name](variables.tf#L223) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L254) | Cluster project ID. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L270) | VPC-level configuration. | <code title="object&#40;&#123;&#10; disable_default_snat &#61; optional&#40;bool&#41;&#10; network &#61; string&#10; subnetwork &#61; string&#10; secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;&#41;&#10; secondary_range_names &#61; optional&#40;object&#40;&#123;&#10; pods &#61; optional&#40;string&#41;&#10; services &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; additional_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10; stack_type &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object&#40;&#123;&#10; dns_access &#61; optional&#40;bool, true&#41;&#10; ip_access &#61; optional&#40;object&#40;&#123;&#10; authorized_ranges &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; disable_public_endpoint &#61; optional&#40;bool, true&#41;&#10; private_endpoint_config &#61; optional&#40;object&#40;&#123;&#10; endpoint_subnetwork &#61; optional&#40;string&#41;&#10; global_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; private_nodes &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [backup_configs](variables.tf#L42) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10; enable_backup_agent &#61; optional&#40;bool, false&#41;&#10; backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10; encryption_key &#61; optional&#40;string&#41;&#10; include_secrets &#61; optional&#40;bool, true&#41;&#10; include_volume_data &#61; optional&#40;bool, true&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; namespaces &#61; optional&#40;list&#40;string&#41;&#41;&#10; region &#61; string&#10; schedule &#61; string&#10; retention_policy_days &#61; optional&#40;string&#41;&#10; retention_policy_lock &#61; optional&#40;bool, false&#41;&#10; retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [deletion_protection](variables.tf#L63) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L70) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L76) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10; cloudrun &#61; optional&#40;bool, false&#41;&#10; config_connector &#61; optional&#40;bool, false&#41;&#10; istio &#61; optional&#40;object&#40;&#123;&#10; enable_tls &#61; bool&#10; &#125;&#41;&#41;&#10; kalm &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [enable_features](variables.tf#L90) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10; beta_apis &#61; optional&#40;list&#40;string&#41;&#41;&#10; binary_authorization &#61; optional&#40;bool, false&#41;&#10; cost_management &#61; optional&#40;bool, true&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; provider &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; domain &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; database_encryption &#61; optional&#40;object&#40;&#123;&#10; state &#61; string&#10; key_name &#61; string&#10; &#125;&#41;&#41;&#10; gateway_api &#61; optional&#40;bool, false&#41;&#10; groups_for_rbac &#61; optional&#40;string&#41;&#10; l4_ilb_subsetting &#61; optional&#40;bool, false&#41;&#10; mesh_certificates &#61; optional&#40;bool&#41;&#10; pod_security_policy &#61; optional&#40;bool, false&#41;&#10; secret_manager_config &#61; optional&#40;bool&#41;&#10; security_posture_config &#61; optional&#40;object&#40;&#123;&#10; mode &#61; string&#10; vulnerability_mode &#61; string&#10; &#125;&#41;&#41;&#10; allow_net_admin &#61; optional&#40;bool, false&#41;&#10; resource_usage_export &#61; optional&#40;object&#40;&#123;&#10; dataset &#61; string&#10; enable_network_egress_metering &#61; optional&#40;bool&#41;&#10; enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; service_external_ips &#61; optional&#40;bool, true&#41;&#10; tpu &#61; optional&#40;bool, false&#41;&#10; upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10; topic_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10; enterprise_cluster &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [issue_client_certificate](variables.tf#L132) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L138) | Cluster resource labels. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [logging_config](variables.tf#L149) | Logging configuration. | <code title="object&#40;&#123;&#10; enable_api_server_logs &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_logs &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [maintenance_config](variables.tf#L160) | Maintenance window configuration. | <code title="object&#40;&#123;&#10; daily_window_start_time &#61; optional&#40;string&#41;&#10; recurring_window &#61; optional&#40;object&#40;&#123;&#10; start_time &#61; string&#10; end_time &#61; string&#10; recurrence &#61; string&#10; &#125;&#41;&#41;&#10; maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10; name &#61; string&#10; start_time &#61; string&#10; end_time &#61; string&#10; scope &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; daily_window_start_time &#61; &#34;03:00&#34;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [min_master_version](variables.tf#L183) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L189) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10; enable_api_server_metrics &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_metrics &#61; optional&#40;bool, false&#41;&#10; enable_daemonset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_deployment_metrics &#61; optional&#40;bool, false&#41;&#10; enable_hpa_metrics &#61; optional&#40;bool, false&#41;&#10; enable_pod_metrics &#61; optional&#40;bool, false&#41;&#10; enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_storage_metrics &#61; optional&#40;bool, false&#41;&#10; enable_cadvisor_metrics &#61; optional&#40;bool, false&#41;&#10; enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_config](variables.tf#L228) | Configuration for nodes and nodepools. | <code title="object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; workload_metadata_config_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_locations](variables.tf#L247) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [release_channel](variables.tf#L259) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> | | <code>&#34;REGULAR&#34;</code> |
| [location](variables.tf#L145) | Autopilot clusters are always regional. | <code>string</code> | ✓ | |
| [name](variables.tf#L224) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L255) | Cluster project ID. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L271) | VPC-level configuration. | <code title="object&#40;&#123;&#10; disable_default_snat &#61; optional&#40;bool&#41;&#10; network &#61; string&#10; subnetwork &#61; string&#10; secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;&#41;&#10; secondary_range_names &#61; optional&#40;object&#40;&#123;&#10; pods &#61; optional&#40;string&#41;&#10; services &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; additional_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10; stack_type &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object&#40;&#123;&#10; dns_access &#61; optional&#40;bool, true&#41;&#10; ip_access &#61; optional&#40;object&#40;&#123;&#10; authorized_ranges &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; disable_public_endpoint &#61; optional&#40;bool, true&#41;&#10; gcp_public_cidrs_access_enabled &#61; optional&#40;bool, true&#41;&#10; private_endpoint_config &#61; optional&#40;object&#40;&#123;&#10; endpoint_subnetwork &#61; optional&#40;string&#41;&#10; global_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; private_nodes &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10; enable_backup_agent &#61; optional&#40;bool, false&#41;&#10; backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10; encryption_key &#61; optional&#40;string&#41;&#10; include_secrets &#61; optional&#40;bool, true&#41;&#10; include_volume_data &#61; optional&#40;bool, true&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; namespaces &#61; optional&#40;list&#40;string&#41;&#41;&#10; region &#61; string&#10; schedule &#61; string&#10; retention_policy_days &#61; optional&#40;string&#41;&#10; retention_policy_lock &#61; optional&#40;bool, false&#41;&#10; retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [deletion_protection](variables.tf#L64) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L71) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L77) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10; cloudrun &#61; optional&#40;bool, false&#41;&#10; config_connector &#61; optional&#40;bool, false&#41;&#10; istio &#61; optional&#40;object&#40;&#123;&#10; enable_tls &#61; bool&#10; &#125;&#41;&#41;&#10; kalm &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [enable_features](variables.tf#L91) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10; beta_apis &#61; optional&#40;list&#40;string&#41;&#41;&#10; binary_authorization &#61; optional&#40;bool, false&#41;&#10; cost_management &#61; optional&#40;bool, true&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; provider &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; domain &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; database_encryption &#61; optional&#40;object&#40;&#123;&#10; state &#61; string&#10; key_name &#61; string&#10; &#125;&#41;&#41;&#10; gateway_api &#61; optional&#40;bool, false&#41;&#10; groups_for_rbac &#61; optional&#40;string&#41;&#10; l4_ilb_subsetting &#61; optional&#40;bool, false&#41;&#10; mesh_certificates &#61; optional&#40;bool&#41;&#10; pod_security_policy &#61; optional&#40;bool, false&#41;&#10; secret_manager_config &#61; optional&#40;bool&#41;&#10; security_posture_config &#61; optional&#40;object&#40;&#123;&#10; mode &#61; string&#10; vulnerability_mode &#61; string&#10; &#125;&#41;&#41;&#10; allow_net_admin &#61; optional&#40;bool, false&#41;&#10; resource_usage_export &#61; optional&#40;object&#40;&#123;&#10; dataset &#61; string&#10; enable_network_egress_metering &#61; optional&#40;bool&#41;&#10; enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; service_external_ips &#61; optional&#40;bool, true&#41;&#10; tpu &#61; optional&#40;bool, false&#41;&#10; upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10; topic_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10; enterprise_cluster &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [issue_client_certificate](variables.tf#L133) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L139) | Cluster resource labels. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [logging_config](variables.tf#L150) | Logging configuration. | <code title="object&#40;&#123;&#10; enable_api_server_logs &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_logs &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [maintenance_config](variables.tf#L161) | Maintenance window configuration. | <code title="object&#40;&#123;&#10; daily_window_start_time &#61; optional&#40;string&#41;&#10; recurring_window &#61; optional&#40;object&#40;&#123;&#10; start_time &#61; string&#10; end_time &#61; string&#10; recurrence &#61; string&#10; &#125;&#41;&#41;&#10; maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10; name &#61; string&#10; start_time &#61; string&#10; end_time &#61; string&#10; scope &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; daily_window_start_time &#61; &#34;03:00&#34;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [min_master_version](variables.tf#L184) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L190) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10; enable_api_server_metrics &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_metrics &#61; optional&#40;bool, false&#41;&#10; enable_daemonset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_deployment_metrics &#61; optional&#40;bool, false&#41;&#10; enable_hpa_metrics &#61; optional&#40;bool, false&#41;&#10; enable_pod_metrics &#61; optional&#40;bool, false&#41;&#10; enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_storage_metrics &#61; optional&#40;bool, false&#41;&#10; enable_cadvisor_metrics &#61; optional&#40;bool, false&#41;&#10; enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_config](variables.tf#L229) | Configuration for nodes and nodepools. | <code title="object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; workload_metadata_config_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_locations](variables.tf#L248) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [release_channel](variables.tf#L260) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> | | <code>&#34;REGULAR&#34;</code> |
## Outputs

9
modules/gke-cluster-autopilot/main.tf
View File

@@ -208,10 +208,15 @@ resource "google_container_cluster" "cluster" {
}
}
dynamic "master_authorized_networks_config" {
for_each = try(var.access_config.ip_access.authorized_ranges, null) != null ? [""] : []
for_each = (
try(var.access_config.ip_access.authorized_ranges, null) != null ||
try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null) != null
) ? [""] : []
content {
gcp_public_cidrs_access_enabled = try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null)
dynamic "cidr_blocks" {
for_each = var.access_config.ip_access.authorized_ranges
for_each = try(var.access_config.ip_access.authorized_ranges, {})
iterator = range
content {
cidr_block = range.value

5
modules/gke-cluster-autopilot/variables.tf
View File

@@ -19,8 +19,9 @@ variable "access_config" {
type = object({
dns_access = optional(bool, true)
ip_access = optional(object({
authorized_ranges = optional(map(string), {})
disable_public_endpoint = optional(bool, true)
authorized_ranges = optional(map(string), {})
disable_public_endpoint = optional(bool, true)
gcp_public_cidrs_access_enabled = optional(bool, true)
private_endpoint_config = optional(object({
endpoint_subnetwork = optional(string)
global_access = optional(bool, true)

84
modules/gke-cluster-standard/README.md
View File

@@ -9,6 +9,7 @@ This module offers a way to create and manage Google Kubernetes Engine (GKE) [St
- [Cluster access configurations](#cluster-access-configurations)
- [Private cluster with DNS endpoint enabled](#private-cluster-with-dns-endpoint-enabled)
- [Public cluster](#public-cluster)
- [Allowing access from Google Cloud services](#allowing-access-from-google-cloud-services)
- [Regional cluster](#regional-cluster)
- [Enable Dataplane V2](#enable-dataplane-v2)
- [Managing GKE logs](#managing-gke-logs)
@@ -104,6 +105,43 @@ module "cluster-1" {
# tftest modules=1 resources=1 inventory=access-public.yaml
```
### Allowing access from Google Cloud services
To allow access to your cluster from Google Cloud services (like Cloud Shell, Cloud Build, etc.) without needing to manually specify all Google Cloud IP ranges, you can use the `gcp_public_cidrs_access_enabled` parameter:
```hcl
module "cluster-1" {
source = "./fabric/modules/gke-cluster-standard"
project_id = "myproject"
name = "cluster-1"
location = "europe-west1-b"
access_config = {
dns_access = false
gcp_public_cidrs_access_enabled = true
ip_access = {
authorized_ranges = {
internal-vms = "10.0.0.0/8"
}
disable_public_endpoint = false
}
private_nodes = false
}
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_names = {
pods = "pods"
services = "services"
}
}
max_pods_per_node = 32
labels = {
environment = "dev"
}
}
# tftest modules=1 resources=1 inventory=access-google.yaml
```
## Regional cluster
Regional clusters are created by setting `location` to a GCP region and then configuring `node_locations`, as shown in the example below.
@@ -240,7 +278,7 @@ module "cluster-1" {
enable_storage_metrics = true
# Kube state metrics collection requires Google Cloud Managed Service for Prometheus,
# which is enabled by default.
# enable_managed_prometheus = true
# enable_managed_prometheus = true
}
}
# tftest modules=1 resources=1 inventory=monitoring-config-kube-state.yaml
@@ -428,28 +466,28 @@ module "cluster-1" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [location](variables.tf#L263) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L378) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L411) | Cluster project id. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L422) | VPC-level configuration. | <code title="object&#40;&#123;&#10; disable_default_snat &#61; optional&#40;bool&#41;&#10; network &#61; string&#10; subnetwork &#61; string&#10; secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;&#41;&#10; secondary_range_names &#61; optional&#40;object&#40;&#123;&#10; pods &#61; optional&#40;string&#41;&#10; services &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; additional_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10; stack_type &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object&#40;&#123;&#10; dns_access &#61; optional&#40;bool, true&#41;&#10; ip_access &#61; optional&#40;object&#40;&#123;&#10; authorized_ranges &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; disable_public_endpoint &#61; optional&#40;bool, true&#41;&#10; private_endpoint_config &#61; optional&#40;object&#40;&#123;&#10; endpoint_subnetwork &#61; optional&#40;string&#41;&#10; global_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; private_nodes &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [backup_configs](variables.tf#L42) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10; enable_backup_agent &#61; optional&#40;bool, false&#41;&#10; backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10; region &#61; string&#10; applications &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10; encryption_key &#61; optional&#40;string&#41;&#10; include_secrets &#61; optional&#40;bool, true&#41;&#10; include_volume_data &#61; optional&#40;bool, true&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; namespaces &#61; optional&#40;list&#40;string&#41;&#41;&#10; schedule &#61; optional&#40;string&#41;&#10; retention_policy_days &#61; optional&#40;number&#41;&#10; retention_policy_lock &#61; optional&#40;bool, false&#41;&#10; retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [cluster_autoscaling](variables.tf#L64) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10; auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; disk_size &#61; optional&#40;number&#41;&#10; disk_type &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10; image_type &#61; optional&#40;string&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; management &#61; optional&#40;object&#40;&#123;&#10; auto_repair &#61; optional&#40;bool, true&#41;&#10; auto_upgrade &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;&#10; shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10; integrity_monitoring &#61; optional&#40;bool, true&#41;&#10; secure_boot &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; upgrade_settings &#61; optional&#40;object&#40;&#123;&#10; blue_green &#61; optional&#40;object&#40;&#123;&#10; node_pool_soak_duration &#61; optional&#40;string&#41;&#10; standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10; batch_percentage &#61; optional&#40;number&#41;&#10; batch_node_count &#61; optional&#40;number&#41;&#10; batch_soak_duration &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; surge &#61; optional&#40;object&#40;&#123;&#10; max &#61; optional&#40;number&#41;&#10; unavailable &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; cpu_limits &#61; optional&#40;object&#40;&#123;&#10; min &#61; optional&#40;number, 0&#41;&#10; max &#61; number&#10; &#125;&#41;&#41;&#10; mem_limits &#61; optional&#40;object&#40;&#123;&#10; min &#61; optional&#40;number, 0&#41;&#10; max &#61; number&#10; &#125;&#41;&#41;&#10; accelerator_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10; resource_type &#61; string&#10; min &#61; optional&#40;number, 0&#41;&#10; max &#61; number&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [default_nodepool](variables.tf#L143) | Enable default nodepool. | <code title="object&#40;&#123;&#10; remove_pool &#61; optional&#40;bool, true&#41;&#10; initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [deletion_protection](variables.tf#L161) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L168) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L174) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10; cloudrun &#61; optional&#40;bool, false&#41;&#10; config_connector &#61; optional&#40;bool, false&#41;&#10; dns_cache &#61; optional&#40;bool, true&#41;&#10; gce_persistent_disk_csi_driver &#61; optional&#40;bool, true&#41;&#10; gcp_filestore_csi_driver &#61; optional&#40;bool, true&#41;&#10; gcs_fuse_csi_driver &#61; optional&#40;bool, true&#41;&#10; horizontal_pod_autoscaling &#61; optional&#40;bool, true&#41;&#10; http_load_balancing &#61; optional&#40;bool, true&#41;&#10; istio &#61; optional&#40;object&#40;&#123;&#10; enable_tls &#61; bool&#10; &#125;&#41;&#41;&#10; kalm &#61; optional&#40;bool, false&#41;&#10; network_policy &#61; optional&#40;bool, false&#41;&#10; stateful_ha &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [enable_features](variables.tf#L196) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10; beta_apis &#61; optional&#40;list&#40;string&#41;&#41;&#10; binary_authorization &#61; optional&#40;bool, false&#41;&#10; cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10; cost_management &#61; optional&#40;bool, true&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; provider &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; domain &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; database_encryption &#61; optional&#40;object&#40;&#123;&#10; state &#61; string&#10; key_name &#61; string&#10; &#125;&#41;&#41;&#10; dataplane_v2 &#61; optional&#40;bool, true&#41;&#10; fqdn_network_policy &#61; optional&#40;bool, true&#41;&#10; gateway_api &#61; optional&#40;bool, false&#41;&#10; groups_for_rbac &#61; optional&#40;string&#41;&#10; image_streaming &#61; optional&#40;bool, false&#41;&#10; intranode_visibility &#61; optional&#40;bool, false&#41;&#10; l4_ilb_subsetting &#61; optional&#40;bool, false&#41;&#10; mesh_certificates &#61; optional&#40;bool&#41;&#10; pod_security_policy &#61; optional&#40;bool, false&#41;&#10; secret_manager_config &#61; optional&#40;bool&#41;&#10; security_posture_config &#61; optional&#40;object&#40;&#123;&#10; mode &#61; string&#10; vulnerability_mode &#61; string&#10; &#125;&#41;&#41;&#10; resource_usage_export &#61; optional&#40;object&#40;&#123;&#10; dataset &#61; string&#10; enable_network_egress_metering &#61; optional&#40;bool&#41;&#10; enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; service_external_ips &#61; optional&#40;bool, true&#41;&#10; shielded_nodes &#61; optional&#40;bool, false&#41;&#10; tpu &#61; optional&#40;bool, false&#41;&#10; upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10; topic_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10; workload_identity &#61; optional&#40;bool, true&#41;&#10; enterprise_cluster &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [issue_client_certificate](variables.tf#L250) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L256) | Cluster resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [logging_config](variables.tf#L268) | Logging configuration. | <code title="object&#40;&#123;&#10; enable_system_logs &#61; optional&#40;bool, true&#41;&#10; enable_workloads_logs &#61; optional&#40;bool, false&#41;&#10; enable_api_server_logs &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_logs &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [maintenance_config](variables.tf#L289) | Maintenance window configuration. | <code title="object&#40;&#123;&#10; daily_window_start_time &#61; optional&#40;string&#41;&#10; recurring_window &#61; optional&#40;object&#40;&#123;&#10; start_time &#61; string&#10; end_time &#61; string&#10; recurrence &#61; string&#10; &#125;&#41;&#41;&#10; maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10; name &#61; string&#10; start_time &#61; string&#10; end_time &#61; string&#10; scope &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; daily_window_start_time &#61; &#34;03:00&#34;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [max_pods_per_node](variables.tf#L312) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [min_master_version](variables.tf#L318) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L324) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10; enable_system_metrics &#61; optional&#40;bool, true&#41;&#10; enable_api_server_metrics &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_metrics &#61; optional&#40;bool, false&#41;&#10; enable_daemonset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_deployment_metrics &#61; optional&#40;bool, false&#41;&#10; enable_hpa_metrics &#61; optional&#40;bool, false&#41;&#10; enable_pod_metrics &#61; optional&#40;bool, false&#41;&#10; enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_storage_metrics &#61; optional&#40;bool, false&#41;&#10; enable_cadvisor_metrics &#61; optional&#40;bool, false&#41;&#10; enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10; advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10; enable_metrics &#61; bool&#10; enable_relay &#61; bool&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_config](variables.tf#L383) | Node-level configuration. | <code title="object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; k8s_labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; workload_metadata_config_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_locations](variables.tf#L404) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [release_channel](variables.tf#L416) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
| [location](variables.tf#L264) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L379) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L412) | Cluster project id. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L423) | VPC-level configuration. | <code title="object&#40;&#123;&#10; disable_default_snat &#61; optional&#40;bool&#41;&#10; network &#61; string&#10; subnetwork &#61; string&#10; secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;&#41;&#10; secondary_range_names &#61; optional&#40;object&#40;&#123;&#10; pods &#61; optional&#40;string&#41;&#10; services &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; additional_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10; stack_type &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object&#40;&#123;&#10; dns_access &#61; optional&#40;bool, true&#41;&#10; ip_access &#61; optional&#40;object&#40;&#123;&#10; authorized_ranges &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; disable_public_endpoint &#61; optional&#40;bool, true&#41;&#10; gcp_public_cidrs_access_enabled &#61; optional&#40;bool, true&#41;&#10; private_endpoint_config &#61; optional&#40;object&#40;&#123;&#10; endpoint_subnetwork &#61; optional&#40;string&#41;&#10; global_access &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; private_nodes &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10; enable_backup_agent &#61; optional&#40;bool, false&#41;&#10; backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10; region &#61; string&#10; applications &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10; encryption_key &#61; optional&#40;string&#41;&#10; include_secrets &#61; optional&#40;bool, true&#41;&#10; include_volume_data &#61; optional&#40;bool, true&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; namespaces &#61; optional&#40;list&#40;string&#41;&#41;&#10; schedule &#61; optional&#40;string&#41;&#10; retention_policy_days &#61; optional&#40;number&#41;&#10; retention_policy_lock &#61; optional&#40;bool, false&#41;&#10; retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [cluster_autoscaling](variables.tf#L65) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10; auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; disk_size &#61; optional&#40;number&#41;&#10; disk_type &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10; image_type &#61; optional&#40;string&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; management &#61; optional&#40;object&#40;&#123;&#10; auto_repair &#61; optional&#40;bool, true&#41;&#10; auto_upgrade &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;&#41;&#10; shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10; integrity_monitoring &#61; optional&#40;bool, true&#41;&#10; secure_boot &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; upgrade_settings &#61; optional&#40;object&#40;&#123;&#10; blue_green &#61; optional&#40;object&#40;&#123;&#10; node_pool_soak_duration &#61; optional&#40;string&#41;&#10; standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10; batch_percentage &#61; optional&#40;number&#41;&#10; batch_node_count &#61; optional&#40;number&#41;&#10; batch_soak_duration &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; surge &#61; optional&#40;object&#40;&#123;&#10; max &#61; optional&#40;number&#41;&#10; unavailable &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; cpu_limits &#61; optional&#40;object&#40;&#123;&#10; min &#61; optional&#40;number, 0&#41;&#10; max &#61; number&#10; &#125;&#41;&#41;&#10; mem_limits &#61; optional&#40;object&#40;&#123;&#10; min &#61; optional&#40;number, 0&#41;&#10; max &#61; number&#10; &#125;&#41;&#41;&#10; accelerator_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10; resource_type &#61; string&#10; min &#61; optional&#40;number, 0&#41;&#10; max &#61; number&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [default_nodepool](variables.tf#L144) | Enable default nodepool. | <code title="object&#40;&#123;&#10; remove_pool &#61; optional&#40;bool, true&#41;&#10; initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [deletion_protection](variables.tf#L162) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
| [description](variables.tf#L169) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L175) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10; cloudrun &#61; optional&#40;bool, false&#41;&#10; config_connector &#61; optional&#40;bool, false&#41;&#10; dns_cache &#61; optional&#40;bool, true&#41;&#10; gce_persistent_disk_csi_driver &#61; optional&#40;bool, true&#41;&#10; gcp_filestore_csi_driver &#61; optional&#40;bool, true&#41;&#10; gcs_fuse_csi_driver &#61; optional&#40;bool, true&#41;&#10; horizontal_pod_autoscaling &#61; optional&#40;bool, true&#41;&#10; http_load_balancing &#61; optional&#40;bool, true&#41;&#10; istio &#61; optional&#40;object&#40;&#123;&#10; enable_tls &#61; bool&#10; &#125;&#41;&#41;&#10; kalm &#61; optional&#40;bool, false&#41;&#10; network_policy &#61; optional&#40;bool, false&#41;&#10; stateful_ha &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [enable_features](variables.tf#L197) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10; beta_apis &#61; optional&#40;list&#40;string&#41;&#41;&#10; binary_authorization &#61; optional&#40;bool, false&#41;&#10; cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10; cost_management &#61; optional&#40;bool, true&#41;&#10; dns &#61; optional&#40;object&#40;&#123;&#10; provider &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; domain &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; database_encryption &#61; optional&#40;object&#40;&#123;&#10; state &#61; string&#10; key_name &#61; string&#10; &#125;&#41;&#41;&#10; dataplane_v2 &#61; optional&#40;bool, true&#41;&#10; fqdn_network_policy &#61; optional&#40;bool, true&#41;&#10; gateway_api &#61; optional&#40;bool, false&#41;&#10; groups_for_rbac &#61; optional&#40;string&#41;&#10; image_streaming &#61; optional&#40;bool, false&#41;&#10; intranode_visibility &#61; optional&#40;bool, false&#41;&#10; l4_ilb_subsetting &#61; optional&#40;bool, false&#41;&#10; mesh_certificates &#61; optional&#40;bool&#41;&#10; pod_security_policy &#61; optional&#40;bool, false&#41;&#10; secret_manager_config &#61; optional&#40;bool&#41;&#10; security_posture_config &#61; optional&#40;object&#40;&#123;&#10; mode &#61; string&#10; vulnerability_mode &#61; string&#10; &#125;&#41;&#41;&#10; resource_usage_export &#61; optional&#40;object&#40;&#123;&#10; dataset &#61; string&#10; enable_network_egress_metering &#61; optional&#40;bool&#41;&#10; enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; service_external_ips &#61; optional&#40;bool, true&#41;&#10; shielded_nodes &#61; optional&#40;bool, false&#41;&#10; tpu &#61; optional&#40;bool, false&#41;&#10; upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10; topic_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10; workload_identity &#61; optional&#40;bool, true&#41;&#10; enterprise_cluster &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [issue_client_certificate](variables.tf#L251) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L257) | Cluster resource labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [logging_config](variables.tf#L269) | Logging configuration. | <code title="object&#40;&#123;&#10; enable_system_logs &#61; optional&#40;bool, true&#41;&#10; enable_workloads_logs &#61; optional&#40;bool, false&#41;&#10; enable_api_server_logs &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_logs &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [maintenance_config](variables.tf#L290) | Maintenance window configuration. | <code title="object&#40;&#123;&#10; daily_window_start_time &#61; optional&#40;string&#41;&#10; recurring_window &#61; optional&#40;object&#40;&#123;&#10; start_time &#61; string&#10; end_time &#61; string&#10; recurrence &#61; string&#10; &#125;&#41;&#41;&#10; maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10; name &#61; string&#10; start_time &#61; string&#10; end_time &#61; string&#10; scope &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; daily_window_start_time &#61; &#34;03:00&#34;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [max_pods_per_node](variables.tf#L313) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [min_master_version](variables.tf#L319) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L325) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10; enable_system_metrics &#61; optional&#40;bool, true&#41;&#10; enable_api_server_metrics &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_metrics &#61; optional&#40;bool, false&#41;&#10; enable_daemonset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_deployment_metrics &#61; optional&#40;bool, false&#41;&#10; enable_hpa_metrics &#61; optional&#40;bool, false&#41;&#10; enable_pod_metrics &#61; optional&#40;bool, false&#41;&#10; enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_storage_metrics &#61; optional&#40;bool, false&#41;&#10; enable_cadvisor_metrics &#61; optional&#40;bool, false&#41;&#10; enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10; advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10; enable_metrics &#61; bool&#10; enable_relay &#61; bool&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_config](variables.tf#L384) | Node-level configuration. | <code title="object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; k8s_labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; workload_metadata_config_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [node_locations](variables.tf#L405) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [release_channel](variables.tf#L417) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
## Outputs

9
modules/gke-cluster-standard/main.tf
View File

@@ -392,10 +392,15 @@ resource "google_container_cluster" "cluster" {
}
}
dynamic "master_authorized_networks_config" {
for_each = try(var.access_config.ip_access.authorized_ranges, null) != null ? [""] : []
for_each = (
try(var.access_config.ip_access.authorized_ranges, null) != null ||
try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null) != null
) ? [""] : []
content {
gcp_public_cidrs_access_enabled = try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null)
dynamic "cidr_blocks" {
for_each = var.access_config.ip_access.authorized_ranges
for_each = try(var.access_config.ip_access.authorized_ranges, {})
iterator = range
content {
cidr_block = range.value

5
modules/gke-cluster-standard/variables.tf
View File

@@ -19,8 +19,9 @@ variable "access_config" {
type = object({
dns_access = optional(bool, true)
ip_access = optional(object({
authorized_ranges = optional(map(string), {})
disable_public_endpoint = optional(bool, true)
authorized_ranges = optional(map(string), {})
disable_public_endpoint = optional(bool, true)
gcp_public_cidrs_access_enabled = optional(bool, true)
private_endpoint_config = optional(object({
endpoint_subnetwork = optional(string)
global_access = optional(bool, true)