feat: add auto_monitoring_config in GKE managed_prometheus (#2420)

tatchiuleung · apeabody · web-flow · commit 04c88e647f67 · 2025-11-21T14:57:33.000-08:00
Co-authored-by: Andrew Peabody &lt;andrewpeabody@google.com&gt;
diff --git a/README.md b/README.md
@@ -225,6 +225,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -132,6 +132,12 @@ resource "google_container_cluster" "primary" {
     {% if autopilot_cluster != true %}
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -1029,6 +1029,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/cluster.tf b/cluster.tf
@@ -109,6 +109,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/metadata.yaml b/metadata.yaml
@@ -728,6 +728,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -269,6 +269,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -115,6 +115,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml
@@ -721,6 +721,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -973,6 +973,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -247,6 +247,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -115,6 +115,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml
@@ -721,6 +721,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -973,6 +973,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
@@ -258,6 +258,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -115,6 +115,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -699,6 +699,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
@@ -937,6 +937,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -236,6 +236,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -115,6 +115,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
@@ -699,6 +699,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -937,6 +937,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
@@ -258,6 +258,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -109,6 +109,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
@@ -710,6 +710,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
@@ -955,6 +955,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
diff --git a/variables.tf b/variables.tf
