terraform-google-modules
diff --git a/‎README.md
+4 b/‎README.md
+4
diff --git a/‎autogen/main/backup.tf.tmpl
+36 b/‎autogen/main/backup.tf.tmpl
+36
diff --git a/‎autogen/main/variables.tf.tmpl
+38 b/‎autogen/main/variables.tf.tmpl
+38
diff --git a/‎backup.tf
+37 b/‎backup.tf
+37
diff --git a/‎modules/beta-autopilot-private-cluster/README.md
+4 b/‎modules/beta-autopilot-private-cluster/README.md
+4
diff --git a/‎modules/beta-autopilot-private-cluster/backup.tf
+37 b/‎modules/beta-autopilot-private-cluster/backup.tf
+37
diff --git a/‎modules/beta-autopilot-private-cluster/variables.tf
+38 b/‎modules/beta-autopilot-private-cluster/variables.tf
+38
diff --git a/‎modules/beta-autopilot-public-cluster/README.md
+4 b/‎modules/beta-autopilot-public-cluster/README.md
+4
diff --git a/‎modules/beta-autopilot-public-cluster/backup.tf
+37 b/‎modules/beta-autopilot-public-cluster/backup.tf
+37
diff --git a/‎modules/beta-autopilot-public-cluster/variables.tf
+38 b/‎modules/beta-autopilot-public-cluster/variables.tf
+38
@@ -144,6 +144,10 @@ Then perform the following commands on the root folder:
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
 | additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
+| backup\_config | Defines the backup configuration settings, including volume data and secrets backup options. | <pre>object({<br>    include_volume_data = optional(bool)<br>    include_secrets     = optional(bool)<br>  })</pre> | <pre>{<br>  "include_secrets": true,<br>  "include_volume_data": true<br>}</pre> | no |
+| backup\_cron\_schedule | Defines the GKE backup schedule. Mutually exclusive with backup\_rpo\_target\_in\_minutes; backup\_cron\_schedule takes precedence if both are set. Configure at least one to enable backup. | `string` | `null` | no |
+| backup\_retain\_days | The number of days to retain backups. Must be between 1 and 35. Defaults to 7. | `number` | `7` | no |
+| backup\_rpo\_target\_in\_minutes | Configuration for Recovery Point Objective (RPO), specifying the target RPO in minutes. Must be between 60 and 86400. Mutually exclusive with backup\_cron\_schedule; backup\_cron\_schedule takes precedence if both are set. Configure at least one to enable backup. | `number` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = number<br>    max_cpu_cores               = number<br>    min_memory_gb               = number<br>    max_memory_gb               = number<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 
@@ -0,0 +1,36 @@
+resource "google_gke_backup_backup_plan" "backup" {
+  count = (var.backup_cron_schedule != null || var.backup_rpo_target_in_minutes != null) && var.gke_backup_agent_config ? 1 : 0
+
+  name    = "${google_container_cluster.primary.name}-backup-plan"
+  cluster = google_container_cluster.primary.id
+
+  # Location (fallback to region or derived from zones)
+  location = try(var.region, substr(var.zones[0], 0, length(var.zones[0]) - 2))
+
+  backup_config {
+    include_volume_data = try(var.backup_config.include_volume_data, true)
+    include_secrets     = try(var.backup_config.include_secrets, true)
+    all_namespaces      = true
+  }
+
+  dynamic "backup_schedule" {
+    for_each = var.backup_cron_schedule != null ? [var.backup_cron_schedule] : []
+    content {
+      cron_schedule = backup_schedule.value
+    }
+  }
+
+  dynamic "backup_schedule" {
+    # If both backup_schedule and rpo_config are specified, backup_schedule have the precedence
+    for_each = var.backup_rpo_target_in_minutes != null && var.backup_cron_schedule ==null ? [var.backup_rpo_target_in_minutes] : []
+    content {
+      rpo_config {
+        target_rpo_minutes = backup_schedule.value
+      }
+    }
+  }
+
+  retention_policy {
+    backup_retain_days = var.backup_retain_days
+  }
+}
@@ -822,6 +822,44 @@ variable "gke_backup_agent_config" {
   default     = false
 }
 
+variable "backup_cron_schedule" {
+  description = "Defines the GKE backup schedule. Mutually exclusive with backup_rpo_target_in_minutes; backup_cron_schedule takes precedence if both are set. Configure at least one to enable backup."
+  type        = string
+  default     = null
+}
+
+variable "backup_rpo_target_in_minutes" {
+  description = "Configuration for Recovery Point Objective (RPO), specifying the target RPO in minutes. Must be between 60 and 86400. Mutually exclusive with backup_cron_schedule; backup_cron_schedule takes precedence if both are set. Configure at least one to enable backup."
+  type = number
+  default = null
+  validation {
+    condition     = var.backup_rpo_target_in_minutes == null || try(var.backup_rpo_target_in_minutes >= 60 && var.backup_rpo_target_in_minutes <= 86400, false)
+    error_message = "backup_rpo_target_in_minutes must be between 60 and 86400."
+  }
+}
+
+variable "backup_config" {
+  description = "Defines the backup configuration settings, including volume data and secrets backup options."
+  type = object({
+    include_volume_data = optional(bool)
+    include_secrets     = optional(bool)
+  })
+  default = {
+    include_volume_data = true
+    include_secrets     = true
+  }
+}
+
+variable "backup_retain_days" {
+  description = "The number of days to retain backups. Must be between 1 and 35. Defaults to 7."
+  type        = number
+  default     = 7
+  validation {
+    condition     = var.backup_retain_days >= 1 && var.backup_retain_days <= 35
+    error_message = "backup_retain_days must be between 1 and 35."
+  }
+}
+
 variable "stateful_ha" {
   type        = bool
   description = "Whether the Stateful HA Addon is enabled for this cluster."
 
@@ -0,0 +1,37 @@
+resource "google_gke_backup_backup_plan" "backup" {
+  count = (var.backup_cron_schedule != null || var.backup_rpo_target_in_minutes != null) && var.gke_backup_agent_config ? 1 : 0
+
+  # Plan name and cluster identification
+  name    = "${google_container_cluster.primary.name}-backup-plan"
+  cluster = google_container_cluster.primary.id
+
+  # Location (fallback to region or derived from zones)
+  location = try(var.region, substr(var.zones[0], 0, length(var.zones[0]) - 2))
+
+  backup_config {
+    include_volume_data = try(var.backup_config.include_volume_data, true)
+    include_secrets     = try(var.backup_config.include_secrets, true)
+    all_namespaces      = true
+  }
+
+  dynamic "backup_schedule" {
+    for_each = var.backup_cron_schedule != null ? [var.backup_cron_schedule] : []
+    content {
+      cron_schedule = backup_schedule.value
+    }
+  }
+
+  dynamic "backup_schedule" {
+    # If both backup_schedule and rpo_config are specified, backup_schedule have the precedence
+    for_each = var.backup_rpo_target_in_minutes != null && var.backup_cron_schedule == null ? [var.backup_rpo_target_in_minutes] : []
+    content {
+      rpo_config {
+        target_rpo_minutes = backup_schedule.value
+      }
+    }
+  }
+
+  retention_policy {
+    backup_retain_days = var.backup_retain_days
+  }
+}
@@ -77,6 +77,10 @@ Then perform the following commands on the root folder:
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
 | allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
+| backup\_config | Defines the backup configuration settings, including volume data and secrets backup options. | <pre>object({<br>    include_volume_data = optional(bool)<br>    include_secrets     = optional(bool)<br>  })</pre> | <pre>{<br>  "include_secrets": true,<br>  "include_volume_data": true<br>}</pre> | no |
+| backup\_cron\_schedule | Defines the GKE backup schedule. Mutually exclusive with backup\_rpo\_target\_in\_minutes; backup\_cron\_schedule takes precedence if both are set. Configure at least one to enable backup. | `string` | `null` | no |
+| backup\_retain\_days | The number of days to retain backups. Must be between 1 and 35. Defaults to 7. | `number` | `7` | no |
+| backup\_rpo\_target\_in\_minutes | Configuration for Recovery Point Objective (RPO), specifying the target RPO in minutes. Must be between 60 and 86400. Mutually exclusive with backup\_cron\_schedule; backup\_cron\_schedule takes precedence if both are set. Configure at least one to enable backup. | `number` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
 
@@ -0,0 +1,37 @@
+resource "google_gke_backup_backup_plan" "backup" {
+  count = (var.backup_cron_schedule != null || var.backup_rpo_target_in_minutes != null) && var.gke_backup_agent_config ? 1 : 0
+
+  # Plan name and cluster identification
+  name    = "${google_container_cluster.primary.name}-backup-plan"
+  cluster = google_container_cluster.primary.id
+
+  # Location (fallback to region or derived from zones)
+  location = try(var.region, substr(var.zones[0], 0, length(var.zones[0]) - 2))
+
+  backup_config {
+    include_volume_data = try(var.backup_config.include_volume_data, true)
+    include_secrets     = try(var.backup_config.include_secrets, true)
+    all_namespaces      = true
+  }
+
+  dynamic "backup_schedule" {
+    for_each = var.backup_cron_schedule != null ? [var.backup_cron_schedule] : []
+    content {
+      cron_schedule = backup_schedule.value
+    }
+  }
+
+  dynamic "backup_schedule" {
+    # If both backup_schedule and rpo_config are specified, backup_schedule have the precedence
+    for_each = var.backup_rpo_target_in_minutes != null && var.backup_cron_schedule == null ? [var.backup_rpo_target_in_minutes] : []
+    content {
+      rpo_config {
+        target_rpo_minutes = backup_schedule.value
+      }
+    }
+  }
+
+  retention_policy {
+    backup_retain_days = var.backup_retain_days
+  }
+}
@@ -495,6 +495,44 @@ variable "gke_backup_agent_config" {
   default     = false
 }
 
+variable "backup_cron_schedule" {
+  description = "Defines the GKE backup schedule. Mutually exclusive with backup_rpo_target_in_minutes; backup_cron_schedule takes precedence if both are set. Configure at least one to enable backup."
+  type        = string
+  default     = null
+}
+
+variable "backup_rpo_target_in_minutes" {
+  description = "Configuration for Recovery Point Objective (RPO), specifying the target RPO in minutes. Must be between 60 and 86400. Mutually exclusive with backup_cron_schedule; backup_cron_schedule takes precedence if both are set. Configure at least one to enable backup."
+  type        = number
+  default     = null
+  validation {
+    condition     = var.backup_rpo_target_in_minutes == null || try(var.backup_rpo_target_in_minutes >= 60 && var.backup_rpo_target_in_minutes <= 86400, false)
+    error_message = "backup_rpo_target_in_minutes must be between 60 and 86400."
+  }
+}
+
+variable "backup_config" {
+  description = "Defines the backup configuration settings, including volume data and secrets backup options."
+  type = object({
+    include_volume_data = optional(bool)
+    include_secrets     = optional(bool)
+  })
+  default = {
+    include_volume_data = true
+    include_secrets     = true
+  }
+}
+
+variable "backup_retain_days" {
+  description = "The number of days to retain backups. Must be between 1 and 35. Defaults to 7."
+  type        = number
+  default     = 7
+  validation {
+    condition     = var.backup_retain_days >= 1 && var.backup_retain_days <= 35
+    error_message = "backup_retain_days must be between 1 and 35."
+  }
+}
+
 variable "stateful_ha" {
   type        = bool
   description = "Whether the Stateful HA Addon is enabled for this cluster."
 
@@ -72,6 +72,10 @@ Then perform the following commands on the root folder:
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
 | allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
+| backup\_config | Defines the backup configuration settings, including volume data and secrets backup options. | <pre>object({<br>    include_volume_data = optional(bool)<br>    include_secrets     = optional(bool)<br>  })</pre> | <pre>{<br>  "include_secrets": true,<br>  "include_volume_data": true<br>}</pre> | no |
+| backup\_cron\_schedule | Defines the GKE backup schedule. Mutually exclusive with backup\_rpo\_target\_in\_minutes; backup\_cron\_schedule takes precedence if both are set. Configure at least one to enable backup. | `string` | `null` | no |
+| backup\_retain\_days | The number of days to retain backups. Must be between 1 and 35. Defaults to 7. | `number` | `7` | no |
+| backup\_rpo\_target\_in\_minutes | Configuration for Recovery Point Objective (RPO), specifying the target RPO in minutes. Must be between 60 and 86400. Mutually exclusive with backup\_cron\_schedule; backup\_cron\_schedule takes precedence if both are set. Configure at least one to enable backup. | `number` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
 
@@ -0,0 +1,37 @@
+resource "google_gke_backup_backup_plan" "backup" {
+  count = (var.backup_cron_schedule != null || var.backup_rpo_target_in_minutes != null) && var.gke_backup_agent_config ? 1 : 0
+
+  # Plan name and cluster identification
+  name    = "${google_container_cluster.primary.name}-backup-plan"
+  cluster = google_container_cluster.primary.id
+
+  # Location (fallback to region or derived from zones)
+  location = try(var.region, substr(var.zones[0], 0, length(var.zones[0]) - 2))
+
+  backup_config {
+    include_volume_data = try(var.backup_config.include_volume_data, true)
+    include_secrets     = try(var.backup_config.include_secrets, true)
+    all_namespaces      = true
+  }
+
+  dynamic "backup_schedule" {
+    for_each = var.backup_cron_schedule != null ? [var.backup_cron_schedule] : []
+    content {
+      cron_schedule = backup_schedule.value
+    }
+  }
+
+  dynamic "backup_schedule" {
+    # If both backup_schedule and rpo_config are specified, backup_schedule have the precedence
+    for_each = var.backup_rpo_target_in_minutes != null && var.backup_cron_schedule == null ? [var.backup_rpo_target_in_minutes] : []
+    content {
+      rpo_config {
+        target_rpo_minutes = backup_schedule.value
+      }
+    }
+  }
+
+  retention_policy {
+    backup_retain_days = var.backup_retain_days
+  }
+}
@@ -459,6 +459,44 @@ variable "gke_backup_agent_config" {
   default     = false
 }
 
+variable "backup_cron_schedule" {
+  description = "Defines the GKE backup schedule. Mutually exclusive with backup_rpo_target_in_minutes; backup_cron_schedule takes precedence if both are set. Configure at least one to enable backup."
+  type        = string
+  default     = null
+}
+
+variable "backup_rpo_target_in_minutes" {
+  description = "Configuration for Recovery Point Objective (RPO), specifying the target RPO in minutes. Must be between 60 and 86400. Mutually exclusive with backup_cron_schedule; backup_cron_schedule takes precedence if both are set. Configure at least one to enable backup."
+  type        = number
+  default     = null
+  validation {
+    condition     = var.backup_rpo_target_in_minutes == null || try(var.backup_rpo_target_in_minutes >= 60 && var.backup_rpo_target_in_minutes <= 86400, false)
+    error_message = "backup_rpo_target_in_minutes must be between 60 and 86400."
+  }
+}
+
+variable "backup_config" {
+  description = "Defines the backup configuration settings, including volume data and secrets backup options."
+  type = object({
+    include_volume_data = optional(bool)
+    include_secrets     = optional(bool)
+  })
+  default = {
+    include_volume_data = true
+    include_secrets     = true
+  }
+}
+
+variable "backup_retain_days" {
+  description = "The number of days to retain backups. Must be between 1 and 35. Defaults to 7."
+  type        = number
+  default     = 7
+  validation {
+    condition     = var.backup_retain_days >= 1 && var.backup_retain_days <= 35
+    error_message = "backup_retain_days must be between 1 and 35."
+  }
+}
+
 variable "stateful_ha" {
   type        = bool
   description = "Whether the Stateful HA Addon is enabled for this cluster."