diff --git a/modules/dataproc/README.md b/modules/dataproc/README.md index 071127d36..15bc157b6 100644 --- a/modules/dataproc/README.md +++ b/modules/dataproc/README.md @@ -242,7 +242,7 @@ module "processing-dp-cluster" { } } } -# tftest modules=4 resources=6 fixtures=fixtures/gke-cluster-standard.tf e2e +# tftest modules=5 resources=9 fixtures=fixtures/gke-cluster-standard.tf e2e ``` ## IAM diff --git a/modules/net-lb-app-ext-regional/README.md b/modules/net-lb-app-ext-regional/README.md index ed47fd8d5..7bb81c623 100644 --- a/modules/net-lb-app-ext-regional/README.md +++ b/modules/net-lb-app-ext-regional/README.md @@ -431,6 +431,11 @@ module "ralb-0" { default = { backends = [{ backend = "hybrid-neg" + # Balancing mode must be RATE for Hybrid NEG + balancing_mode = "RATE" + max_rate = { + per_endpoint = 100 + } }] } } diff --git a/tests/fixtures/gke-cluster-standard.tf b/tests/fixtures/gke-cluster-standard.tf index a1bfd3c61..9de8a05a8 100644 --- a/tests/fixtures/gke-cluster-standard.tf +++ b/tests/fixtures/gke-cluster-standard.tf @@ -33,8 +33,16 @@ module "gke-cluster-standard" { enable_features = { dataplane_v2 = true fqdn_network_policy = true + shielded_nodes = true workload_identity = true } + node_config = { + service_account = module.gke-service-accounts.email + kubelet_readonly_port_enabled = false + } + node_pool_auto_config = { + network_tags = ["foo"] # to avoid perma-diff + } } module "gke-nodepool" { @@ -49,4 +57,24 @@ module "gke-nodepool" { min_node_count = 1 } } + service_account = { email = module.gke-service-accounts.email } + node_config = { + shielded_instance_config = { + enable_integrity_monitoring = true + enable_secure_boot = true + } + } +} + +module "gke-service-accounts" { + source = "./fabric/modules/iam-service-account" + project_id = var.project_id + name = "gke-sa" + # non-authoritative roles granted *to* the service accounts on other resources + iam_project_roles = { + "${var.project_id}" = [ + "roles/logging.logWriter", + "roles/monitoring.metricWriter", + ] + } }