kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bf9ccb7547e0b69541690d6b95a6bc604a4f21b7
hunfabric/modules/gke-cluster-autopilot/variables.tf
Rob Rankin da85eda9b7 Add Cilium Clusterwide Network Policy and FQDN Network Policy for Autopilot Clusters (#3778) 
* Add Cilium Clusterwide Network Policy and FQDN Network Policy

* Update README

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2026-03-04 11:59:37 +01:00

333 lines
11 KiB
HCL
Raw Blame History

/**
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "access_config" {
description = "Control plane endpoint and nodes access configurations."
type = object({
dns_access = optional(object({
allow_external_traffic = optional(bool, true)
enable_k8s_tokens = optional(bool)
enable_k8s_certs = optional(bool)
}), {})
ip_access = optional(object({
authorized_ranges = optional(map(string))
disable_public_endpoint = optional(bool)
gcp_public_cidrs_access_enabled = optional(bool)
private_endpoint_authorized_ranges_enforcement = optional(bool)
private_endpoint_config = optional(object({
endpoint_subnetwork = optional(string)
global_access = optional(bool, true)
}))
}))
private_nodes = optional(bool, true)
master_ipv4_cidr_block = optional(string)
})
nullable = false
default = {}
validation {
condition = (
try(var.access_config.ip_access.disable_public_endpoint, null) != true ||
var.access_config.private_nodes == true
)
error_message = "Private endpoint can only be enabled with private nodes."
}
}
variable "backup_configs" {
description = "Configuration for Backup for GKE."
type = object({
enable_backup_agent = optional(bool, false)
backup_plans = optional(map(object({
encryption_key = optional(string)
include_secrets = optional(bool, true)
include_volume_data = optional(bool, true)
labels = optional(map(string))
namespaces = optional(list(string))
permissive_mode = optional(bool)
region = string
schedule = string
retention_policy_days = optional(string)
retention_policy_lock = optional(bool, false)
retention_policy_delete_lock_days = optional(string)
})), {})
})
default = {}
nullable = false
}
variable "deletion_protection" {
description = "Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail."
type = bool
default = true
nullable = false
}
variable "description" {
description = "Cluster description."
type = string
default = null
}
variable "enable_addons" {
description = "Addons enabled in the cluster (true means enabled)."
type = object({
cloudrun = optional(bool, false)
config_connector = optional(bool, false)
istio = optional(object({
enable_tls = bool
}))
kalm = optional(bool, false)
})
default = {}
nullable = false
}
variable "enable_features" {
description = "Enable cluster-level features. Certain features allow configuration."
type = object({
beta_apis = optional(list(string))
binary_authorization = optional(bool, false)
cilium_clusterwide_network_policy = optional(bool, false)
cost_management = optional(bool, true)
dns = optional(object({
additive_vpc_scope_dns_domain = optional(string)
provider = optional(string)
scope = optional(string)
domain = optional(string)
}))
multi_networking = optional(bool, false)
database_encryption = optional(object({
state = string
key_name = string
}))
fqdn_network_policy = optional(bool, false)
gateway_api = optional(bool, false)
groups_for_rbac = optional(string)
l4_ilb_subsetting = optional(bool, false)
mesh_certificates = optional(bool)
pod_security_policy = optional(bool, false)
rbac_binding_config = optional(object({
enable_insecure_binding_system_unauthenticated = optional(bool)
enable_insecure_binding_system_authenticated = optional(bool)
}))
secret_sync_config = optional(object({
enabled = bool
rotation_config = optional(object({
enabled = optional(bool)
rotation_interval = optional(string)
}))
}))
secret_manager_config = optional(bool)
security_posture_config = optional(object({
mode = string
vulnerability_mode = string
}))
allow_net_admin = optional(bool, false)
resource_usage_export = optional(object({
dataset = string
enable_network_egress_metering = optional(bool)
enable_resource_consumption_metering = optional(bool)
}))
service_external_ips = optional(bool, true)
tpu = optional(bool, false)
upgrade_notifications = optional(object({
enabled = optional(bool, true)
event_types = optional(list(string), [])
topic_id = optional(string)
kms_key_name = optional(string)
}))
vertical_pod_autoscaling = optional(bool, false)
enterprise_cluster = optional(bool)
})
default = {}
validation {
condition = alltrue([
for e in try(var.enable_features.upgrade_notifications.event_types, []) :
contains([
"UPGRADE_AVAILABLE_EVENT", "UPGRADE_EVENT",
"SECURITY_BULLETIN_EVENT", "UPGRADE_INFO_EVENT"
], e)
])
error_message = "Invalid upgrade notification event type."
}
}
variable "fleet_project" {
description = "The name of the fleet host project where this cluster will be registered."
type = string
default = null
}
variable "issue_client_certificate" {
description = "Enable issuing client certificate."
type = bool
default = false
}
variable "labels" {
description = "Cluster resource labels."
type = map(string)
default = null
}
variable "location" {
description = "Autopilot clusters are always regional."
type = string
}
variable "logging_config" {
description = "Logging configuration."
type = object({
enable_api_server_logs = optional(bool, false)
enable_scheduler_logs = optional(bool, false)
enable_controller_manager_logs = optional(bool, false)
})
default = {}
nullable = false
}
variable "maintenance_config" {
description = "Maintenance window configuration."
type = object({
daily_window_start_time = optional(string)
recurring_window = optional(object({
start_time = string
end_time = string
recurrence = string
}))
maintenance_exclusions = optional(list(object({
name = string
start_time = string
end_time = string
scope = optional(string)
})))
})
default = {
daily_window_start_time = "03:00"
recurring_window = null
maintenance_exclusions = []
}
}
variable "min_master_version" {
description = "Minimum version of the master, defaults to the version of the most recent official release."
type = string
default = null
}
variable "monitoring_config" {
description = "Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default."
type = object({
# Control plane metrics
enable_api_server_metrics = optional(bool, false)
enable_controller_manager_metrics = optional(bool, false)
enable_scheduler_metrics = optional(bool, false)
# Kube state metrics. Requires managed Prometheus. Requires provider version >= v4.82.0
enable_daemonset_metrics = optional(bool, false)
enable_deployment_metrics = optional(bool, false)
enable_hpa_metrics = optional(bool, false)
enable_pod_metrics = optional(bool, false)
enable_statefulset_metrics = optional(bool, false)
enable_storage_metrics = optional(bool, false)
enable_cadvisor_metrics = optional(bool, false)
# Google Cloud Managed Service for Prometheus. Autopilot clusters version >= 1.25 must have this on.
enable_managed_prometheus = optional(bool, true)
})
default = {}
nullable = false
validation {
condition = anytrue([
var.monitoring_config.enable_daemonset_metrics,
var.monitoring_config.enable_deployment_metrics,
var.monitoring_config.enable_hpa_metrics,
var.monitoring_config.enable_pod_metrics,
var.monitoring_config.enable_statefulset_metrics,
var.monitoring_config.enable_storage_metrics,
var.monitoring_config.enable_cadvisor_metrics,
]) ? var.monitoring_config.enable_managed_prometheus : true
error_message = "Kube state metrics collection requires Google Cloud Managed Service for Prometheus to be enabled."
}
}
variable "name" {
description = "Cluster name."
type = string
}
variable "node_config" {
description = "Configuration for nodes and nodepools."
type = object({
boot_disk_kms_key = optional(string)
service_account = optional(string)
tags = optional(list(string))
workload_metadata_config_mode = optional(string)
kubelet_readonly_port_enabled = optional(bool)
resource_manager_tags = optional(map(string), {})
})
default = {}
nullable = false
validation {
condition = contains(
["GCE_METADATA", "GKE_METADATA", "null"],
coalesce(var.node_config.workload_metadata_config_mode, "null")
)
error_message = "node_config.workload_metadata_config_mode must be GCE_METADATA or GKE_METADATA."
}
}
variable "node_locations" {
description = "Zones in which the cluster's nodes are located."
type = list(string)
default = []
nullable = false
}
variable "project_id" {
description = "Cluster project ID."
type = string
}
variable "release_channel" {
description = "Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\"."
type = string
default = "REGULAR"
nullable = false
validation {
condition = contains(["RAPID", "REGULAR", "STABLE"], var.release_channel)
error_message = "Must be one of: RAPID, REGULAR, STABLE."
}
}
variable "vpc_config" {
description = "VPC-level configuration."
type = object({
disable_default_snat = optional(bool)
network = string
subnetwork = string
secondary_range_blocks = optional(object({
pods = string
services = string
}))
secondary_range_names = optional(object({
pods = optional(string)
services = optional(string)
}))
additional_ranges = optional(list(string))
stack_type = optional(string)
})
nullable = false
}
Reference in New Issue View Git Blame Copy Permalink