Support additional dns_access attributes in GKE cluster modules (#3781)
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
0be09646b0
commit
f794d764e9
@@ -247,9 +247,6 @@ module "cluster-1" {
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1"
|
||||
access_config = {
|
||||
dns_access = true
|
||||
}
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
@@ -294,26 +291,26 @@ module "cluster-1" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [location](variables.tf#L180) | Autopilot clusters are always regional. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L259) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L292) | Cluster project ID. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L308) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object({ dns_access = optional(bool, true) ip_access = optional(object({ authorized_ranges = optional(map(string)) disable_public_endpoint = optional(bool) gcp_public_cidrs_access_enabled = optional(bool) private_endpoint_authorized_ranges_enforcement = optional(bool) private_endpoint_config = optional(object({ endpoint_subnetwork = optional(string) global_access = optional(bool, true) })) })) private_nodes = optional(bool, true) master_ipv4_cidr_block = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [backup_configs](variables.tf#L45) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) labels = optional(map(string)) namespaces = optional(list(string)) permissive_mode = optional(bool) region = string schedule = string retention_policy_days = optional(string) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(string) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L67) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L74) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L80) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [enable_features](variables.tf#L94) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) gateway_api = optional(bool, false) groups_for_rbac = optional(string) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_sync_config = optional(object({ enabled = bool rotation_config = optional(object({ enabled = optional(bool) rotation_interval = optional(string) })) })) secret_manager_config = optional(bool) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) allow_net_admin = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) kms_key_name = optional(string) })) vertical_pod_autoscaling = optional(bool, false) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
|
||||
| [fleet_project](variables.tf#L162) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
|
||||
| [issue_client_certificate](variables.tf#L168) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L174) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L185) | Logging configuration. | <code title="object({ enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L196) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusions = [] }">{…}</code> |
|
||||
| [min_master_version](variables.tf#L219) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L225) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L264) | Configuration for nodes and nodepools. | <code title="object({ boot_disk_kms_key = optional(string) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L285) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [release_channel](variables.tf#L297) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> | | <code>"REGULAR"</code> |
|
||||
| [location](variables.tf#L184) | Autopilot clusters are always regional. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L263) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L296) | Cluster project ID. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L312) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object({ dns_access = optional(object({ allow_external_traffic = optional(bool, true) enable_k8s_tokens = optional(bool) enable_k8s_certs = optional(bool) }), {}) ip_access = optional(object({ authorized_ranges = optional(map(string)) disable_public_endpoint = optional(bool) gcp_public_cidrs_access_enabled = optional(bool) private_endpoint_authorized_ranges_enforcement = optional(bool) private_endpoint_config = optional(object({ endpoint_subnetwork = optional(string) global_access = optional(bool, true) })) })) private_nodes = optional(bool, true) master_ipv4_cidr_block = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [backup_configs](variables.tf#L49) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) labels = optional(map(string)) namespaces = optional(list(string)) permissive_mode = optional(bool) region = string schedule = string retention_policy_days = optional(string) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(string) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L71) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L78) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L84) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [enable_features](variables.tf#L98) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) gateway_api = optional(bool, false) groups_for_rbac = optional(string) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_sync_config = optional(object({ enabled = bool rotation_config = optional(object({ enabled = optional(bool) rotation_interval = optional(string) })) })) secret_manager_config = optional(bool) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) allow_net_admin = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) kms_key_name = optional(string) })) vertical_pod_autoscaling = optional(bool, false) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
|
||||
| [fleet_project](variables.tf#L166) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
|
||||
| [issue_client_certificate](variables.tf#L172) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L178) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L189) | Logging configuration. | <code title="object({ enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L200) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusions = [] }">{…}</code> |
|
||||
| [min_master_version](variables.tf#L223) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L229) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L268) | Configuration for nodes and nodepools. | <code title="object({ boot_disk_kms_key = optional(string) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L289) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [release_channel](variables.tf#L301) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> | | <code>"REGULAR"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -84,7 +84,9 @@ resource "google_container_cluster" "cluster" {
|
||||
}
|
||||
control_plane_endpoints_config {
|
||||
dns_endpoint_config {
|
||||
allow_external_traffic = var.access_config.dns_access == true
|
||||
allow_external_traffic = var.access_config.dns_access.allow_external_traffic == true
|
||||
enable_k8s_tokens_via_dns = var.access_config.dns_access.enable_k8s_tokens
|
||||
enable_k8s_certs_via_dns = var.access_config.dns_access.enable_k8s_certs
|
||||
}
|
||||
ip_endpoints_config {
|
||||
enabled = var.access_config.ip_access != null
|
||||
|
||||
@@ -17,7 +17,11 @@
|
||||
variable "access_config" {
|
||||
description = "Control plane endpoint and nodes access configurations."
|
||||
type = object({
|
||||
dns_access = optional(bool, true)
|
||||
dns_access = optional(object({
|
||||
allow_external_traffic = optional(bool, true)
|
||||
enable_k8s_tokens = optional(bool)
|
||||
enable_k8s_certs = optional(bool)
|
||||
}), {})
|
||||
ip_access = optional(object({
|
||||
authorized_ranges = optional(map(string))
|
||||
disable_public_endpoint = optional(bool)
|
||||
|
||||
@@ -43,7 +43,10 @@ module "cluster-1" {
|
||||
location = "europe-west1-b"
|
||||
# access_config can be omitted if master authorized ranges are not needed
|
||||
access_config = {
|
||||
# dns_access = true
|
||||
# defaults to true
|
||||
# dns_access = {
|
||||
# allow_external_traffic = true
|
||||
# }
|
||||
ip_access = {
|
||||
authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
@@ -78,7 +81,9 @@ module "cluster-1" {
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
access_config = {
|
||||
dns_access = false
|
||||
dns_access = {
|
||||
allow_external_traffic = false
|
||||
}
|
||||
ip_access = {
|
||||
authorized_ranges = {
|
||||
"corporate proxy" = "8.8.8.8/32"
|
||||
@@ -115,7 +120,9 @@ module "cluster-1" {
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
access_config = {
|
||||
dns_access = false
|
||||
dns_access = {
|
||||
allow_external_traffic = false
|
||||
}
|
||||
ip_access = {
|
||||
authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
@@ -489,9 +496,6 @@ module "cluster-1" {
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1"
|
||||
access_config = {
|
||||
dns_access = true
|
||||
}
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
@@ -511,30 +515,30 @@ module "cluster-1" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [location](variables.tf#L300) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L415) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L467) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L478) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object({ dns_access = optional(bool, true) ip_access = optional(object({ authorized_ranges = optional(map(string)) disable_public_endpoint = optional(bool) gcp_public_cidrs_access_enabled = optional(bool) private_endpoint_authorized_ranges_enforcement = optional(bool) private_endpoint_config = optional(object({ endpoint_subnetwork = optional(string) global_access = optional(bool, true) })) })) master_ipv4_cidr_block = optional(string) private_nodes = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [backup_configs](variables.tf#L45) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ region = string applications = optional(map(list(string))) encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) labels = optional(map(string)) namespaces = optional(list(string)) permissive_mode = optional(bool) schedule = optional(string) retention_policy_days = optional(number) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(number) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [cluster_autoscaling](variables.tf#L68) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = optional(bool, true) autoscaling_profile = optional(string, "BALANCED") auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) disk_size = optional(number) disk_type = optional(string, "pd-standard") image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) management = optional(object({ auto_repair = optional(bool, true) auto_upgrade = optional(bool, true) })) shielded_instance_config = optional(object({ integrity_monitoring = optional(bool, true) secure_boot = optional(bool, false) })) upgrade_settings = optional(object({ blue_green = optional(object({ node_pool_soak_duration = optional(string) standard_rollout_policy = optional(object({ batch_percentage = optional(number) batch_node_count = optional(number) batch_soak_duration = optional(string) })) })) surge = optional(object({ max = optional(number) unavailable = optional(number) })) })) })) auto_provisioning_locations = optional(list(string)) cpu_limits = optional(object({ min = optional(number, 0) max = number })) mem_limits = optional(object({ min = optional(number, 0) max = number })) accelerator_resources = optional(list(object({ resource_type = string min = optional(number, 0) max = number }))) })">object({…})</code> | | <code>null</code> |
|
||||
| [default_nodepool](variables.tf#L148) | Enable default nodepool. | <code title="object({ remove_pool = optional(bool, true) initial_node_count = optional(number, 1) })">object({…})</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L166) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L173) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L179) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, true) gce_persistent_disk_csi_driver = optional(bool, true) gcp_filestore_csi_driver = optional(bool, true) gcs_fuse_csi_driver = optional(bool, true) horizontal_pod_autoscaling = optional(bool, true) http_load_balancing = optional(bool, true) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) stateful_ha = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [enable_features](variables.tf#L201) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cilium_clusterwide_network_policy = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, true) fqdn_network_policy = optional(bool, true) gateway_api = optional(bool, false) groups_for_rbac = optional(string) image_streaming = optional(bool, false) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_manager_config = optional(bool) secret_sync_config = optional(object({ enabled = bool rotation_config = optional(object({ enabled = optional(bool) rotation_interval = optional(string) })) })) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) kms_key_name = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
|
||||
| [fleet_project](variables.tf#L281) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
|
||||
| [issue_client_certificate](variables.tf#L287) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L293) | Cluster resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_config](variables.tf#L305) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L326) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusions = [] }">{…}</code> |
|
||||
| [max_pods_per_node](variables.tf#L349) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [min_master_version](variables.tf#L355) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L361) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) advanced_datapath_observability = optional(object({ enable_metrics = bool enable_relay = bool })) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L420) | Node-level configuration. | <code title="object({ boot_disk_kms_key = optional(string) k8s_labels = optional(map(string)) labels = optional(map(string)) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L443) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [node_pool_auto_config](variables.tf#L450) | Node pool configs that apply to auto-provisioned node pools in autopilot clusters and node auto-provisioning-enabled clusters. | <code title="object({ cgroup_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) network_tags = optional(list(string), []) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [release_channel](variables.tf#L472) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
| [location](variables.tf#L304) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L419) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L471) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L482) | VPC-level configuration. | <code title="object({ disable_default_snat = optional(bool) network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string) services = optional(string) })) additional_ranges = optional(list(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | <code title="object({ dns_access = optional(object({ allow_external_traffic = optional(bool, true) enable_k8s_tokens = optional(bool) enable_k8s_certs = optional(bool) }), {}) ip_access = optional(object({ authorized_ranges = optional(map(string)) disable_public_endpoint = optional(bool) gcp_public_cidrs_access_enabled = optional(bool) private_endpoint_authorized_ranges_enforcement = optional(bool) private_endpoint_config = optional(object({ endpoint_subnetwork = optional(string) global_access = optional(bool, true) })) })) master_ipv4_cidr_block = optional(string) private_nodes = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [backup_configs](variables.tf#L49) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ region = string applications = optional(map(list(string))) encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) labels = optional(map(string)) namespaces = optional(list(string)) permissive_mode = optional(bool) schedule = optional(string) retention_policy_days = optional(number) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(number) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [cluster_autoscaling](variables.tf#L72) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = optional(bool, true) autoscaling_profile = optional(string, "BALANCED") auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) disk_size = optional(number) disk_type = optional(string, "pd-standard") image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) management = optional(object({ auto_repair = optional(bool, true) auto_upgrade = optional(bool, true) })) shielded_instance_config = optional(object({ integrity_monitoring = optional(bool, true) secure_boot = optional(bool, false) })) upgrade_settings = optional(object({ blue_green = optional(object({ node_pool_soak_duration = optional(string) standard_rollout_policy = optional(object({ batch_percentage = optional(number) batch_node_count = optional(number) batch_soak_duration = optional(string) })) })) surge = optional(object({ max = optional(number) unavailable = optional(number) })) })) })) auto_provisioning_locations = optional(list(string)) cpu_limits = optional(object({ min = optional(number, 0) max = number })) mem_limits = optional(object({ min = optional(number, 0) max = number })) accelerator_resources = optional(list(object({ resource_type = string min = optional(number, 0) max = number }))) })">object({…})</code> | | <code>null</code> |
|
||||
| [default_nodepool](variables.tf#L152) | Enable default nodepool. | <code title="object({ remove_pool = optional(bool, true) initial_node_count = optional(number, 1) })">object({…})</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L170) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L177) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L183) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, true) gce_persistent_disk_csi_driver = optional(bool, true) gcp_filestore_csi_driver = optional(bool, true) gcs_fuse_csi_driver = optional(bool, true) horizontal_pod_autoscaling = optional(bool, true) http_load_balancing = optional(bool, true) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) stateful_ha = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [enable_features](variables.tf#L205) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ beta_apis = optional(list(string)) binary_authorization = optional(bool, false) cilium_clusterwide_network_policy = optional(bool, false) cost_management = optional(bool, true) dns = optional(object({ additive_vpc_scope_dns_domain = optional(string) provider = optional(string) scope = optional(string) domain = optional(string) })) multi_networking = optional(bool, false) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, true) fqdn_network_policy = optional(bool, true) gateway_api = optional(bool, false) groups_for_rbac = optional(string) image_streaming = optional(bool, false) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) rbac_binding_config = optional(object({ enable_insecure_binding_system_unauthenticated = optional(bool) enable_insecure_binding_system_authenticated = optional(bool) })) secret_manager_config = optional(bool) secret_sync_config = optional(object({ enabled = bool rotation_config = optional(object({ enabled = optional(bool) rotation_interval = optional(string) })) })) security_posture_config = optional(object({ mode = string vulnerability_mode = string })) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) service_external_ips = optional(bool, true) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ enabled = optional(bool, true) event_types = optional(list(string), []) topic_id = optional(string) kms_key_name = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) enterprise_cluster = optional(bool) })">object({…})</code> | | <code>{}</code> |
|
||||
| [fleet_project](variables.tf#L285) | The name of the fleet host project where this cluster will be registered. | <code>string</code> | | <code>null</code> |
|
||||
| [issue_client_certificate](variables.tf#L291) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L297) | Cluster resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_config](variables.tf#L309) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L330) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusions = [] }">{…}</code> |
|
||||
| [max_pods_per_node](variables.tf#L353) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [min_master_version](variables.tf#L359) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L365) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_cadvisor_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) advanced_datapath_observability = optional(object({ enable_metrics = bool enable_relay = bool })) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L424) | Node-level configuration. | <code title="object({ boot_disk_kms_key = optional(string) k8s_labels = optional(map(string)) labels = optional(map(string)) service_account = optional(string) tags = optional(list(string)) workload_metadata_config_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L447) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [node_pool_auto_config](variables.tf#L454) | Node pool configs that apply to auto-provisioned node pools in autopilot clusters and node auto-provisioning-enabled clusters. | <code title="object({ cgroup_mode = optional(string) kubelet_readonly_port_enabled = optional(bool) network_tags = optional(list(string), []) resource_manager_tags = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [release_channel](variables.tf#L476) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -273,7 +273,9 @@ resource "google_container_cluster" "cluster" {
|
||||
}
|
||||
control_plane_endpoints_config {
|
||||
dns_endpoint_config {
|
||||
allow_external_traffic = var.access_config.dns_access == true
|
||||
allow_external_traffic = var.access_config.dns_access.allow_external_traffic == true
|
||||
enable_k8s_tokens_via_dns = var.access_config.dns_access.enable_k8s_tokens
|
||||
enable_k8s_certs_via_dns = var.access_config.dns_access.enable_k8s_certs
|
||||
}
|
||||
ip_endpoints_config {
|
||||
enabled = var.access_config.ip_access != null
|
||||
|
||||
@@ -17,7 +17,11 @@
|
||||
variable "access_config" {
|
||||
description = "Control plane endpoint and nodes access configurations."
|
||||
type = object({
|
||||
dns_access = optional(bool, true)
|
||||
dns_access = optional(object({
|
||||
allow_external_traffic = optional(bool, true)
|
||||
enable_k8s_tokens = optional(bool)
|
||||
enable_k8s_certs = optional(bool)
|
||||
}), {})
|
||||
ip_access = optional(object({
|
||||
authorized_ranges = optional(map(string))
|
||||
disable_public_endpoint = optional(bool)
|
||||
|
||||
Reference in New Issue
Block a user