diff --git a/Makefile b/Makefile
index 10aa380ad..6d011200c 100644
--- a/Makefile
+++ b/Makefile
@@ -70,6 +70,7 @@ docker_test_integration:
 docker_test_lint:
 $(DOCKER_BIN) run --rm -it \
 -e ENABLE_PARALLEL=1 \
+ -e ENABLE_BPMETADATA=1 \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 /usr/local/bin/test_lint.sh
@@ -78,9 +79,10 @@ docker_test_lint:
 .PHONY: docker_generate_docs
 docker_generate_docs:
 $(DOCKER_BIN) run --rm -it \
+ -e ENABLE_BPMETADATA=1 \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'

 # Generate files from autogen
 .PHONY: docker_generate_modules
diff --git a/metadata.display.yaml b/metadata.display.yaml
new file mode 100644
index 000000000..02cc255a9
--- /dev/null
+++ b/metadata.display.yaml
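Review bot: The new `-e ENABLE_BPMETADATA=1` flag is pasted as a bare literal into docker_test_lint here and again into docker_generate_docs in the next hunk; if one copy is later edited and the other is not, lint and generation run under different settings, so define it once near the other DOCKER_* variables (outside this hunk), e.g. `BPMETADATA_ENV := -e ENABLE_BPMETADATA=1`, and reference `$(BPMETADATA_ENV)` in both recipes. Nothing in the hunk says what the variable turns on; presumably it enables the blueprint-metadata checks in test_lint.sh against the metadata.yaml and metadata.display.yaml files added elsewhere in this commit, which is worth stating in a comment above the `docker_test_lint:` rule header, such as `# ENABLE_BPMETADATA=1: also lint the generated metadata*.yaml files`, rather than leaving the next reader to dig it out of the developer-tools image.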
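Review bot: `generate_docs display` introduces an undocumented positional argument whose effect is only visible elsewhere in this commit, where metadata.display.yaml appears as a new file next to metadata.yaml; a comment above the `docker_generate_docs:` rule header would make the contract explicit, e.g. `# Regenerates README tables plus metadata.yaml and metadata.display.yaml ('display' arg); commit the outputs together.` Because the recipe bind-mounts $(CURDIR) read-write into the container and now writes two more files back into the tree, those outputs are only as trustworthy as the image that produced them — confirm that DOCKER_TAG_VERSION_DEVELOPER_TOOLS (defined outside the hunk) resolves to a pinned tag or digest rather than a floating one. It would also help to note, if it is the case, that docker_test_lint with ENABLE_BPMETADATA=1 is what catches stale committed metadata, so contributors know to rerun this target after changing variables.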
@@ -0,0 +1,392 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope 
+ title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + name: enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: + name: enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + 
enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: 
identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: 
monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + 
registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + zones: + name: zones + title: Zones diff --git a/metadata.yaml b/metadata.yaml new file mode 100644 index 000000000..6e93a9367 --- /dev/null +++ b/metadata.yaml 
@@ -0,0 +1,770 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + subBlueprints: + - name: auth + location: modules/auth + - name: beta-autopilot-private-cluster + location: modules/beta-autopilot-private-cluster + - name: beta-autopilot-public-cluster + location: modules/beta-autopilot-public-cluster + - name: beta-private-cluster + location: modules/beta-private-cluster + - name: beta-private-cluster-update-variant + location: modules/beta-private-cluster-update-variant + - name: beta-public-cluster + location: modules/beta-public-cluster + - name: beta-public-cluster-update-variant + location: modules/beta-public-cluster-update-variant + - name: binary-authorization + location: modules/binary-authorization + - name: fleet-app-operator-permissions + location: modules/fleet-app-operator-permissions + - name: fleet-membership + location: modules/fleet-membership + - name: hub-legacy + location: modules/hub-legacy + - name: private-cluster + location: modules/private-cluster + 
- name: private-cluster-update-variant + location: modules/private-cluster-update-variant + - name: safer-cluster + location: modules/safer-cluster + - name: safer-cluster-update-variant + location: modules/safer-cluster-update-variant + - name: services + location: modules/services + - name: workload-identity + location: modules/workload-identity + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions 
+ location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: 
project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. + varType: bool + defaultValue: false + - name: logging_service + description: The logging service that the cluster should write logs to. 
Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. 
+ varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. 
When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. 
+ varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_gcfs + description: Enable image streaming on cluster level. + varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. + varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: enable_default_node_pools_metadata + description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` + varType: bool + defaultValue: true + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. 
Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: network_policy + description: Enable network policy addon + varType: bool + defaultValue: false + - name: network_policy_provider + description: The network policy provider. + varType: string + defaultValue: CALICO + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. + varType: number + defaultValue: 0 + - name: remove_default_node_pool + description: Remove default node pool while setting up the cluster + varType: bool + defaultValue: false + - name: disable_legacy_metadata_endpoints + description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. + varType: bool + defaultValue: true + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." 
+ varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster + varType: bool + defaultValue: true + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: node_metadata + description: Specifies how node metadata is exposed to the workload running on the node + varType: string + defaultValue: GKE_METADATA + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: additive_vpc_scope_dns_domain + description: This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well. + varType: string + defaultValue: "" + - name: gce_pd_csi_driver + description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: gcs_fuse_csi_driver + description: Whether GCE FUSE CSI driver is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. 
+ varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: monitoring_enable_managed_prometheus + description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + - name: monitoring_enable_observability_metrics + description: Whether or not the advanced datapath metrics are enabled. + varType: bool + defaultValue: false + - name: monitoring_enable_observability_relay + description: Whether or not the advanced datapath relay is enabled. + varType: bool + defaultValue: false + - name: enable_kubernetes_alpha + description: Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. 
+ varType: bool + defaultValue: false + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: enable_identity_service + description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. + varType: bool + defaultValue: false + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: logging_variant + description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. + varType: string + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. 
+ - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: instance_group_urls + description: List of GKE generated instance groups + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_version + description: Current master kubernetes version + - name: mesh_certificates_config + description: Mesh certificates configuration + - name: min_master_version + description: Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. 
+ - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/auth/metadata.display.yaml b/modules/auth/metadata.display.yaml new file mode 100644 index 000000000..adc88421c --- /dev/null +++ b/modules/auth/metadata.display.yaml @@ -0,0 +1,42 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-auth-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Auth Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/auth + ui: + input: + variables: + cluster_name: + name: cluster_name + title: Cluster Name + location: + name: location + title: Location + project_id: + name: project_id + title: Project Id + use_private_endpoint: + name: use_private_endpoint + title: Use Private Endpoint diff --git a/modules/auth/metadata.yaml b/modules/auth/metadata.yaml new file mode 100644 index 000000000..64a11b916 --- /dev/null +++ b/modules/auth/metadata.yaml 
@@ -0,0 +1,147 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-auth + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Auth Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/auth + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: private_zonal_with_networking + location: 
examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: simple_zonal_with_hub_kubeconfig + location: 
examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The GCP project of the GKE cluster. + varType: string + required: true + - name: location + description: The location (region or zone) of the GKE cluster. + varType: string + required: true + - name: cluster_name + description: The name of the GKE cluster. + varType: string + required: true + - name: use_private_endpoint + description: Connect on the private GKE cluster endpoint + varType: bool + defaultValue: false + outputs: + - name: cluster_ca_certificate + description: The cluster_ca_certificate value for use with the kubernetes provider. + - name: host + description: The host value for use with the kubernetes provider. + - name: kubeconfig_raw + description: A kubeconfig file configured to access the GKE cluster. + - name: token + description: The token value for use with the kubernetes provider. diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml new file mode 100644 index 000000000..9f1a1e333 --- /dev/null +++ b/modules/beta-autopilot-private-cluster/metadata.display.yaml 
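Review bot: The examples list in this hunk carries three entries all named `terraform` (locations examples/acm-terraform-blog-part1/terraform, -part2 and -part3), so the name no longer identifies an example. Since this file looks generated by `generate_docs display`, the fix belongs in the generator or in the example directory layout rather than a hand edit, for instance deriving the name from the parent directory so the entries read `acm-terraform-blog-part1` and so on. The list also appears to be the repository-wide examples set rather than examples that exercise modules/auth, which is presumably tooling behaviour worth confirming before merging. Separately, the actuationTool constraint is `">= 1.3"` here but `">=1.3"` in the beta-autopilot-private-cluster metadata below; harmless, but normalising the source constraints would keep the generated files consistent.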
@@ -0,0 +1,297 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-autopilot-private-cluster-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-autopilot-private-cluster + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + allow_net_admin: + name: allow_net_admin + title: Allow Net Admin + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + 
create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + deletion_protection: + name: deletion_protection + title: Deletion Protection + deploy_using_private_endpoint: + name: deploy_using_private_endpoint + title: Deploy Using Private Endpoint + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_private_nodes: + name: enable_private_nodes + title: Enable Private Nodes + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: 
Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + fleet_project_grant_service_agent: + name: fleet_project_grant_service_agent + title: Fleet Project Grant Service Agent + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + 
maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_global_access_enabled: + name: master_global_access_enabled + title: Master Global Access Enabled + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + name: + name: name + title: Name + network: + name: network + title: Network + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + private_endpoint_subnetwork: + name: private_endpoint_subnetwork + title: Private Endpoint Subnetwork + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + 
service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml new file mode 100644 index 000000000..e5948981e --- /dev/null +++ b/modules/beta-autopilot-private-cluster/metadata.yaml 
@@ -0,0 +1,550 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-autopilot-private-cluster + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-autopilot-private-cluster + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - 
name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: true + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. + varType: bool + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. 
+ varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. + varType: string + defaultValue: IPV4 + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
+ varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. + varType: bool + defaultValue: false + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable. 
+ varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. + varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: deploy_using_private_endpoint + description: A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. 
+ varType: bool + defaultValue: false + - name: enable_private_endpoint + description: Whether the master's internal IP address is used as the cluster endpoint + varType: bool + defaultValue: false + - name: enable_private_nodes + description: Whether nodes have internal IP addresses only + varType: bool + defaultValue: true + - name: master_ipv4_cidr_block + description: (Optional) The IP range in CIDR notation to use for the hosted master network. + varType: string + - name: private_endpoint_subnetwork + description: The subnetwork to use for the hosted master network. + varType: string + - name: master_global_access_enabled + description: Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. + varType: bool + defaultValue: true + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: true + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. 
+ varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. + varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. 
+ varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: DISABLED + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. + varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. 
WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." 
+ varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: allow_net_admin + description: (Optional) Enable NET_ADMIN for the cluster. + varType: bool + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: fleet_project_grant_service_agent + description: (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. + varType: bool + defaultValue: false + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cloudrun_enabled + description: Whether CloudRun enabled + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. 
+ - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: istio_enabled + description: Whether Istio is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: min_master_version + description: Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. + - name: pod_security_policy_enabled + description: Whether pod security policy is enabled + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. 
+ - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml new file mode 100644 index 000000000..94ba7280c --- /dev/null +++ b/modules/beta-autopilot-public-cluster/metadata.display.yaml 
@@ -0,0 +1,279 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-autopilot-public-cluster-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-autopilot-public-cluster + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + allow_net_admin: + name: allow_net_admin + title: Allow Net Admin + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + 
create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + deletion_protection: + name: deletion_protection + title: Deletion Protection + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + fleet_project_grant_service_agent: + name: 
fleet_project_grant_service_agent + title: Fleet Project Grant Service Agent + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + 
monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + name: + name: name + title: Name + network: + name: network + title: Network + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + 
workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml new file mode 100644 index 000000000..d39df486d --- /dev/null +++ b/modules/beta-autopilot-public-cluster/metadata.yaml 
@@ -0,0 +1,524 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-autopilot-public-cluster + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-autopilot-public-cluster + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: 
private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: true + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. + varType: bool + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. 
+ varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. + varType: string + defaultValue: IPV4 + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
+ varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. + varType: bool + defaultValue: false + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable. 
+ varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. + varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: true + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. 
(Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. 
+ varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: DISABLED + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. + varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. 
+ varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. 
+ varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: allow_net_admin + description: (Optional) Enable NET_ADMIN for the cluster. + varType: bool + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: fleet_project_grant_service_agent + description: (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. + varType: bool + defaultValue: false + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. 
Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cloudrun_enabled + description: Whether CloudRun enabled + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. + - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: istio_enabled + description: Whether Istio is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_version + description: Current master kubernetes version + - name: min_master_version + description: Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: pod_security_policy_enabled + description: Whether pod security policy is enabled + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: 
The service account to default running nodes as if not overridden in `node_pools`.
+ - name: tpu_ipv4_cidr_block
+ description: The IP range in CIDR notation used for the TPUs
+ - name: type
+ description: Cluster type (regional / zonal)
+ - name: vertical_pod_autoscaling_enabled
+ description: Whether vertical pod autoscaling enabled
+ - name: zones
+ description: List of zones in which the cluster resides
diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml
new file mode 100644
index 000000000..f159212ac
--- /dev/null
+++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml
@@ -0,0 +1,444 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-private-cluster-update-variant-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-private-cluster-update-variant + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cloudrun: + name: cloudrun + title: Cloudrun + cloudrun_load_balancer_type: + name: cloudrun_load_balancer_type + title: Cloudrun Load Balancer Type + cluster_autoscaling: + name: 
cluster_autoscaling + title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + cluster_telemetry_type: + name: cluster_telemetry_type + title: Cluster Telemetry Type + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + deploy_using_private_endpoint: + name: deploy_using_private_endpoint + title: Deploy Using Private Endpoint + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + 
name: enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: + name: enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_pod_security_policy: + name: enable_pod_security_policy + title: Enable Pod Security Policy + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_private_nodes: + name: enable_private_nodes + title: Enable Private Nodes + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + 
fleet_project_grant_service_agent: + name: fleet_project_grant_service_agent + title: Fleet Project Grant Service Agent + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + istio: + name: istio + title: Istio + istio_auth: + name: istio_auth + title: Istio Auth + kalm_config: + name: kalm_config + title: Kalm Config + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + 
maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_global_access_enabled: + name: master_global_access_enabled + title: Master Global Access Enabled + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + 
node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + private_endpoint_subnetwork: + name: private_endpoint_subnetwork + title: Private Endpoint Subnetwork + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + sandbox_enabled: + name: sandbox_enabled + title: Sandbox Enabled + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account 
+ service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml new file mode 100644 index 000000000..dca76472f --- /dev/null +++ b/modules/beta-private-cluster-update-variant/metadata.yaml 
@@ -0,0 +1,811 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-private-cluster-update-variant + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-private-cluster-update-variant + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: 
examples/node_pool_update_variant_public_beta + - name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + 
location: examples/simple_zonal_with_hub + - name: simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. 
+ varType: bool + defaultValue: false + - name: cluster_telemetry_type + description: Available options include ENABLED, DISABLED, and SYSTEM_ONLY + varType: string + - name: logging_service + description: The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. 
If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. + varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: deploy_using_private_endpoint + description: A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. 
+ varType: bool + defaultValue: false + - name: enable_private_endpoint + description: Whether the master's internal IP address is used as the cluster endpoint + varType: bool + defaultValue: false + - name: enable_private_nodes + description: Whether nodes have internal IP addresses only + varType: bool + defaultValue: true + - name: master_ipv4_cidr_block + description: (Optional) The IP range in CIDR notation to use for the hosted master network. + varType: string + - name: private_endpoint_subnetwork + description: The subnetwork to use for the hosted master network. + varType: string + - name: master_global_access_enabled + description: Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. + varType: bool + defaultValue: true + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. 
Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. + varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_gcfs + description: Enable image streaming on cluster level. 
+ varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: DISABLED + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. + varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: enable_default_node_pools_metadata + description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` + varType: bool + defaultValue: true + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. 
+ varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: network_policy + description: Enable network policy addon + varType: bool + defaultValue: false + - name: network_policy_provider + description: The network policy provider. + varType: string + defaultValue: CALICO + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. + varType: number + defaultValue: 0 + - name: remove_default_node_pool + description: Remove default node pool while setting up the cluster + varType: bool + defaultValue: false + - name: disable_legacy_metadata_endpoints + description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. + varType: bool + defaultValue: true + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". 
key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster + varType: bool + defaultValue: true + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: node_metadata + description: Specifies how node metadata is exposed to the workload running on the node + varType: string + defaultValue: GKE_METADATA + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: additive_vpc_scope_dns_domain + description: This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well. + varType: string + defaultValue: "" + - name: gce_pd_csi_driver + description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: gcs_fuse_csi_driver + description: Whether GCE FUSE CSI driver is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. 
+ varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: monitoring_enable_managed_prometheus + description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + - name: monitoring_enable_observability_metrics + description: Whether or not the advanced datapath metrics are enabled. + varType: bool + defaultValue: false + - name: monitoring_enable_observability_relay + description: Whether or not the advanced datapath relay is enabled. + varType: bool + defaultValue: false + - name: enable_kubernetes_alpha + description: Whether to enable Kubernetes Alpha features for this cluster. 
Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. + varType: bool + defaultValue: false + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: istio + description: (Beta) Enable Istio addon + varType: bool + defaultValue: false + - name: istio_auth + description: (Beta) The authentication type between services in Istio. + varType: string + defaultValue: AUTH_MUTUAL_TLS + - name: kalm_config + description: (Beta) Whether KALM is enabled for this cluster. + varType: bool + defaultValue: false + - name: cloudrun + description: (Beta) Enable CloudRun addon + varType: bool + defaultValue: false + - name: cloudrun_load_balancer_type + description: (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. + varType: string + defaultValue: "" + - name: enable_pod_security_policy + description: enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. + varType: bool + defaultValue: false + - name: sandbox_enabled + description: (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). + varType: bool + defaultValue: false + - name: enable_identity_service + description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. 
+ varType: bool + defaultValue: false + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: fleet_project_grant_service_agent + description: (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. + varType: bool + defaultValue: false + - name: logging_variant + description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. + varType: string + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cloudrun_enabled + description: Whether CloudRun enabled + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. 
+ - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: instance_group_urls + description: List of GKE generated instance groups + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: istio_enabled + description: Whether Istio is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: mesh_certificates_config + description: Mesh certificates configuration + - name: min_master_version + description: Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. 
+ - name: pod_security_policy_enabled + description: Whether pod security policy is enabled + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml new file mode 100644 index 000000000..8ba329f23 --- /dev/null +++ b/modules/beta-private-cluster/metadata.display.yaml 
@@ -0,0 +1,444 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-private-cluster-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-private-cluster + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cloudrun: + name: cloudrun + title: Cloudrun + cloudrun_load_balancer_type: + name: cloudrun_load_balancer_type + title: Cloudrun Load Balancer Type + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster 
Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + cluster_telemetry_type: + name: cluster_telemetry_type + title: Cluster Telemetry Type + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + deploy_using_private_endpoint: + name: deploy_using_private_endpoint + title: Deploy Using Private Endpoint + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + name: 
enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: + name: enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_pod_security_policy: + name: enable_pod_security_policy + title: Enable Pod Security Policy + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_private_nodes: + name: enable_private_nodes + title: Enable Private Nodes + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + fleet_project_grant_service_agent: 
+ name: fleet_project_grant_service_agent + title: Fleet Project Grant Service Agent + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + istio: + name: istio + title: Istio + istio_auth: + name: istio_auth + title: Istio Auth + kalm_config: + name: kalm_config + title: Kalm Config + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + maintenance_end_time: + name: maintenance_end_time 
+ title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_global_access_enabled: + name: master_global_access_enabled + title: Master Global Access Enabled + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: 
node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + private_endpoint_subnetwork: + name: private_endpoint_subnetwork + title: Private Endpoint Subnetwork + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + sandbox_enabled: + name: sandbox_enabled + title: Sandbox Enabled + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: 
service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml new file mode 100644 index 000000000..cad602d14 --- /dev/null +++ b/modules/beta-private-cluster/metadata.yaml 
@@ -0,0 +1,811 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-private-cluster + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-private-cluster + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: 
private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. 
+ varType: bool + defaultValue: false + - name: cluster_telemetry_type + description: Available options include ENABLED, DISABLED, and SYSTEM_ONLY + varType: string + - name: logging_service + description: The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. 
If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. + varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: deploy_using_private_endpoint + description: A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. 
+ varType: bool + defaultValue: false + - name: enable_private_endpoint + description: Whether the master's internal IP address is used as the cluster endpoint + varType: bool + defaultValue: false + - name: enable_private_nodes + description: Whether nodes have internal IP addresses only + varType: bool + defaultValue: true + - name: master_ipv4_cidr_block + description: (Optional) The IP range in CIDR notation to use for the hosted master network. + varType: string + - name: private_endpoint_subnetwork + description: The subnetwork to use for the hosted master network. + varType: string + - name: master_global_access_enabled + description: Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. + varType: bool + defaultValue: true + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. 
Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. + varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_gcfs + description: Enable image streaming on cluster level. 
+ varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: DISABLED + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. + varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: enable_default_node_pools_metadata + description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` + varType: bool + defaultValue: true + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. 
+ varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: network_policy + description: Enable network policy addon + varType: bool + defaultValue: false + - name: network_policy_provider + description: The network policy provider. + varType: string + defaultValue: CALICO + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. + varType: number + defaultValue: 0 + - name: remove_default_node_pool + description: Remove default node pool while setting up the cluster + varType: bool + defaultValue: false + - name: disable_legacy_metadata_endpoints + description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. + varType: bool + defaultValue: true + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". 
key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster + varType: bool + defaultValue: true + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: node_metadata + description: Specifies how node metadata is exposed to the workload running on the node + varType: string + defaultValue: GKE_METADATA + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: additive_vpc_scope_dns_domain + description: This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well. + varType: string + defaultValue: "" + - name: gce_pd_csi_driver + description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: gcs_fuse_csi_driver + description: Whether GCE FUSE CSI driver is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. 
+ varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: monitoring_enable_managed_prometheus + description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + - name: monitoring_enable_observability_metrics + description: Whether or not the advanced datapath metrics are enabled. + varType: bool + defaultValue: false + - name: monitoring_enable_observability_relay + description: Whether or not the advanced datapath relay is enabled. + varType: bool + defaultValue: false + - name: enable_kubernetes_alpha + description: Whether to enable Kubernetes Alpha features for this cluster. 
Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. + varType: bool + defaultValue: false + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: istio + description: (Beta) Enable Istio addon + varType: bool + defaultValue: false + - name: istio_auth + description: (Beta) The authentication type between services in Istio. + varType: string + defaultValue: AUTH_MUTUAL_TLS + - name: kalm_config + description: (Beta) Whether KALM is enabled for this cluster. + varType: bool + defaultValue: false + - name: cloudrun + description: (Beta) Enable CloudRun addon + varType: bool + defaultValue: false + - name: cloudrun_load_balancer_type + description: (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. + varType: string + defaultValue: "" + - name: enable_pod_security_policy + description: enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. + varType: bool + defaultValue: false + - name: sandbox_enabled + description: (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). + varType: bool + defaultValue: false + - name: enable_identity_service + description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. 
+ varType: bool + defaultValue: false + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: fleet_project_grant_service_agent + description: (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. + varType: bool + defaultValue: false + - name: logging_variant + description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. + varType: string + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cloudrun_enabled + description: Whether CloudRun enabled + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. 
+ - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: instance_group_urls + description: List of GKE generated instance groups + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: istio_enabled + description: Whether Istio is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: mesh_certificates_config + description: Mesh certificates configuration + - name: min_master_version + description: Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. 
+ - name: pod_security_policy_enabled + description: Whether pod security policy is enabled + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml new file mode 100644 index 000000000..500796462 --- /dev/null +++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml 
@@ -0,0 +1,426 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-public-cluster-update-variant-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-public-cluster-update-variant + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cloudrun: + name: cloudrun + title: Cloudrun + cloudrun_load_balancer_type: + name: cloudrun_load_balancer_type + title: Cloudrun Load Balancer Type + cluster_autoscaling: + name: cluster_autoscaling 
+ title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + cluster_telemetry_type: + name: cluster_telemetry_type + title: Cluster Telemetry Type + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + name: enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: 
enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: + name: enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_pod_security_policy: + name: enable_pod_security_policy + title: Enable Pod Security Policy + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + fleet_project_grant_service_agent: + name: fleet_project_grant_service_agent + title: Fleet Project Grant Service Agent + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: 
gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + istio: + name: istio + title: Istio + istio_auth: + name: istio_auth + title: Istio Auth + kalm_config: + name: kalm_config + title: Kalm Config + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: 
Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager 
Tags + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + sandbox_enabled: + name: sandbox_enabled + title: Sandbox Enabled + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + 
timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml new file mode 100644 index 000000000..2a8062735 --- /dev/null +++ b/modules/beta-public-cluster-update-variant/metadata.yaml 
@@ -0,0 +1,785 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-public-cluster-update-variant + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-public-cluster-update-variant + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta 
+ - name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - 
name: simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. 
+ varType: bool + defaultValue: false + - name: cluster_telemetry_type + description: Available options include ENABLED, DISABLED, and SYSTEM_ONLY + varType: string + - name: logging_service + description: The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. 
If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. + varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. 
Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). 
+ varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. + varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_gcfs + description: Enable image streaming on cluster level. + varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. + varType: string + defaultValue: DISABLED + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. 
Defaults to `VULNERABILITY_DISABLED`. + varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: enable_default_node_pools_metadata + description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` + varType: bool + defaultValue: true + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: network_policy + description: Enable network policy addon + varType: bool + defaultValue: false + - name: network_policy_provider + description: The network policy provider. + varType: string + defaultValue: CALICO + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. 
+ varType: number + defaultValue: 0 + - name: remove_default_node_pool + description: Remove default node pool while setting up the cluster + varType: bool + defaultValue: false + - name: disable_legacy_metadata_endpoints + description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. + varType: bool + defaultValue: true + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster + varType: bool + defaultValue: true + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: node_metadata + description: Specifies how node metadata is exposed to the workload running on the node + varType: string + defaultValue: GKE_METADATA + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: additive_vpc_scope_dns_domain + description: This will enable Cloud DNS additive VPC scope. 
Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well. + varType: string + defaultValue: "" + - name: gce_pd_csi_driver + description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: gcs_fuse_csi_driver + description: Whether GCE FUSE CSI driver is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." 
+ varType: list(string) + defaultValue: [] + - name: monitoring_enable_managed_prometheus + description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + - name: monitoring_enable_observability_metrics + description: Whether or not the advanced datapath metrics are enabled. + varType: bool + defaultValue: false + - name: monitoring_enable_observability_relay + description: Whether or not the advanced datapath relay is enabled. + varType: bool + defaultValue: false + - name: enable_kubernetes_alpha + description: Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. + varType: bool + defaultValue: false + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: istio + description: (Beta) Enable Istio addon + varType: bool + defaultValue: false + - name: istio_auth + description: (Beta) The authentication type between services in Istio. + varType: string + defaultValue: AUTH_MUTUAL_TLS + - name: kalm_config + description: (Beta) Whether KALM is enabled for this cluster. + varType: bool + defaultValue: false + - name: cloudrun + description: (Beta) Enable CloudRun addon + varType: bool + defaultValue: false + - name: cloudrun_load_balancer_type + description: (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. 
+ varType: string + defaultValue: "" + - name: enable_pod_security_policy + description: enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. + varType: bool + defaultValue: false + - name: sandbox_enabled + description: (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). + varType: bool + defaultValue: false + - name: enable_identity_service + description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. + varType: bool + defaultValue: false + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: fleet_project_grant_service_agent + description: (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. + varType: bool + defaultValue: false + - name: logging_variant + description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. + varType: string + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. 
+ varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cloudrun_enabled + description: Whether CloudRun enabled + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. + - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: instance_group_urls + description: List of GKE generated instance groups + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: istio_enabled + description: Whether Istio is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_version + description: Current master kubernetes version + - name: mesh_certificates_config + description: Mesh certificates configuration + - name: min_master_version + description: Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + 
- name: pod_security_policy_enabled + description: Whether pod security policy is enabled + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml new file mode 100644 index 000000000..f5412628a --- /dev/null +++ b/modules/beta-public-cluster/metadata.display.yaml 
@@ -0,0 +1,426 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-public-cluster-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-public-cluster + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cloudrun: + name: cloudrun + title: Cloudrun + cloudrun_load_balancer_type: + name: cloudrun_load_balancer_type + title: Cloudrun Load Balancer Type + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster Autoscaling 
+ cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + cluster_telemetry_type: + name: cluster_telemetry_type + title: Cluster Telemetry Type + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + name: enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: 
Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: + name: enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_pod_security_policy: + name: enable_pod_security_policy + title: Enable Pod Security Policy + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + fleet_project_grant_service_agent: + name: fleet_project_grant_service_agent + title: Fleet Project Grant Service Agent + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp 
Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + istio: + name: istio + title: Istio + istio_auth: + name: istio_auth + title: Istio Auth + kalm_config: + name: kalm_config + title: Kalm Config + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: 
+ name: master_authorized_networks + title: Master Authorized Networks + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags + node_pools_tags: + name: node_pools_tags + 
title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + sandbox_enabled: + name: sandbox_enabled + title: Sandbox Enabled + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + 
upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml new file mode 100644 index 000000000..7e39102ab --- /dev/null +++ b/modules/beta-public-cluster/metadata.yaml 
@@ -0,0 +1,785 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-beta-public-cluster + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/beta-public-cluster + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: 
private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. 
+ varType: bool + defaultValue: false + - name: cluster_telemetry_type + description: Available options include ENABLED, DISABLED, and SYSTEM_ONLY + varType: string + - name: logging_service + description: The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. 
If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. + varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. 
Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). 
+ varType: bool
+ defaultValue: false
+ - name: shadow_firewall_rules_priority
+ description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000.
+ varType: number
+ defaultValue: 999
+ - name: shadow_firewall_rules_log_config
+ description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging.
+ varType: |-
+ object({
+ metadata = string
+ })
+ defaultValue:
+ metadata: INCLUDE_ALL_METADATA
+ - name: enable_confidential_nodes
+ description: An optional flag to enable confidential node config.
+ varType: bool
+ defaultValue: false
+ - name: enable_gcfs
+ description: Enable image streaming on cluster level.
+ varType: bool
+ defaultValue: false
+ - name: enable_secret_manager_addon
+ description: Enable the Secret Manager add-on for this cluster
+ varType: bool
+ defaultValue: false
+ - name: workload_vulnerability_mode
+ description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC.
+ varType: string
+ defaultValue: ""
+ - name: workload_config_audit_mode
+ description: (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC.
+ varType: string
+ defaultValue: DISABLED
+ - name: enable_fqdn_network_policy
+ description: Enable FQDN Network Policies on the cluster
+ varType: bool
+ - name: enable_cilium_clusterwide_network_policy
+ description: Enable Cilium Cluster Wide Network Policies on the cluster
+ varType: bool
+ defaultValue: false
+ - name: security_posture_mode
+ description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`.
+ varType: string
+ defaultValue: DISABLED
+ - name: security_posture_vulnerability_mode
+ description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`.
+ varType: string
+ defaultValue: VULNERABILITY_DISABLED
+ - name: disable_default_snat
+ description: Whether to disable the default SNAT to support the private use of public IP addresses
+ varType: bool
+ defaultValue: false
+ - name: enable_default_node_pools_metadata
+ description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`
+ varType: bool
+ defaultValue: true
+ - name: notification_config_topic
+ description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}.
+ varType: string
+ defaultValue: ""
+ - name: notification_filter_event_type
+ description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT.
+ varType: list(string)
+ defaultValue: []
+ - name: deletion_protection
+ description: Whether or not to allow Terraform to destroy the cluster.
+ varType: bool
+ defaultValue: true
+ - name: enable_tpu
+ description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
+ varType: bool
+ defaultValue: false
+ - name: filestore_csi_driver
+ description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes
+ varType: bool
+ defaultValue: false
+ - name: network_policy
+ description: Enable network policy addon
+ varType: bool
+ defaultValue: false
+ - name: network_policy_provider
+ description: The network policy provider.
+ varType: string
+ defaultValue: CALICO
+ - name: initial_node_count
+ description: The number of nodes to create in this cluster's default node pool.
+ varType: number
+ defaultValue: 0
+ - name: remove_default_node_pool
+ description: Remove default node pool while setting up the cluster
+ varType: bool
+ defaultValue: false
+ - name: disable_legacy_metadata_endpoints
+ description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated.
+ varType: bool
+ defaultValue: true
+ - name: default_max_pods_per_node
+ description: The maximum number of pods to schedule per node
+ varType: number
+ defaultValue: 110
+ - name: database_encryption
+ description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+ varType: list(object({ state = string, key_name = string }))
+ defaultValue:
+ - key_name: ""
+ state: DECRYPTED
+ - name: enable_shielded_nodes
+ description: Enable Shielded Nodes features on all nodes in this cluster
+ varType: bool
+ defaultValue: true
+ - name: enable_binary_authorization
+ description: Enable BinAuthZ Admission controller
+ varType: bool
+ defaultValue: false
+ - name: node_metadata
+ description: Specifies how node metadata is exposed to the workload running on the node
+ varType: string
+ defaultValue: GKE_METADATA
+ - name: cluster_dns_provider
+ description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS.
+ varType: string
+ defaultValue: PROVIDER_UNSPECIFIED
+ - name: cluster_dns_scope
+ description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. "
+ varType: string
+ defaultValue: DNS_SCOPE_UNSPECIFIED
+ - name: cluster_dns_domain
+ description: The suffix used for all cluster service records.
+ varType: string
+ defaultValue: ""
+ - name: additive_vpc_scope_dns_domain
+ description: This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well.
+ varType: string
+ defaultValue: ""
+ - name: gce_pd_csi_driver
+ description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver.
+ varType: bool
+ defaultValue: true
+ - name: gcs_fuse_csi_driver
+ description: Whether GCE FUSE CSI driver is enabled for this cluster.
+ varType: bool
+ defaultValue: false
+ - name: gke_backup_agent_config
+ description: Whether Backup for GKE agent is enabled for this cluster.
+ varType: bool
+ defaultValue: false
+ - name: stateful_ha
+ description: Whether the Stateful HA Addon is enabled for this cluster.
+ varType: bool
+ defaultValue: false
+ - name: ray_operator_config
+ description: The Ray Operator Addon configuration for this cluster.
+ varType: |-
+ object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ defaultValue:
+ enabled: false
+ logging_enabled: false
+ monitoring_enabled: false
+ - name: timeouts
+ description: Timeout for cluster operations.
+ varType: map(string)
+ defaultValue: {}
+ - name: monitoring_enabled_components
+ description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration."
+ varType: list(string)
+ defaultValue: []
+ - name: logging_enabled_components
+ description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."
+ varType: list(string)
+ defaultValue: []
+ - name: monitoring_enable_managed_prometheus
+ description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
+ varType: bool
+ - name: monitoring_enable_observability_metrics
+ description: Whether or not the advanced datapath metrics are enabled.
+ varType: bool
+ defaultValue: false
+ - name: monitoring_enable_observability_relay
+ description: Whether or not the advanced datapath relay is enabled.
+ varType: bool
+ defaultValue: false
+ - name: enable_kubernetes_alpha
+ description: Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days.
+ varType: bool
+ defaultValue: false
+ - name: config_connector
+ description: Whether ConfigConnector is enabled for this cluster.
+ varType: bool
+ defaultValue: false
+ - name: enable_intranode_visibility
+ description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network
+ varType: bool
+ defaultValue: false
+ - name: enable_l4_ilb_subsetting
+ description: Enable L4 ILB Subsetting on the cluster
+ varType: bool
+ defaultValue: false
+ - name: istio
+ description: (Beta) Enable Istio addon
+ varType: bool
+ defaultValue: false
+ - name: istio_auth
+ description: (Beta) The authentication type between services in Istio.
+ varType: string
+ defaultValue: AUTH_MUTUAL_TLS
+ - name: kalm_config
+ description: (Beta) Whether KALM is enabled for this cluster.
+ varType: bool
+ defaultValue: false
+ - name: cloudrun
+ description: (Beta) Enable CloudRun addon
+ varType: bool
+ defaultValue: false
+ - name: cloudrun_load_balancer_type
+ description: (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer.
+ varType: string
+ defaultValue: ""
+ - name: enable_pod_security_policy
+ description: enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0.
+ varType: bool
+ defaultValue: false
+ - name: sandbox_enabled
+ description: (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it).
+ varType: bool
+ defaultValue: false
+ - name: enable_identity_service
+ description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API.
+ varType: bool
+ defaultValue: false
+ - name: fleet_project
+ description: (Optional) Register the cluster with the fleet in this project.
+ varType: string
+ - name: fleet_project_grant_service_agent
+ description: (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles.
+ varType: bool
+ defaultValue: false
+ - name: logging_variant
+ description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT.
+ varType: string
+ - name: monitoring_metric_writer_role
+ description: The monitoring metrics writer role to assign to the GKE node service account
+ varType: string
+ defaultValue: roles/monitoring.metricWriter
+ - name: enterprise_config
+ description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE.
+ varType: string
+ outputs:
+ - name: ca_certificate
+ description: Cluster ca certificate (base64 encoded)
+ - name: cloudrun_enabled
+ description: Whether CloudRun enabled
+ - name: cluster_id
+ description: Cluster ID
+ - name: dns_cache_enabled
+ description: Whether DNS Cache enabled
+ - name: endpoint
+ description: Cluster endpoint
+ - name: endpoint_dns
+ description: Cluster endpoint DNS
+ - name: fleet_membership
+ description: Fleet membership (if registered)
+ - name: gateway_api_channel
+ description: The gateway api channel of this cluster.
+ - name: horizontal_pod_autoscaling_enabled
+ description: Whether horizontal pod autoscaling enabled
+ - name: http_load_balancing_enabled
+ description: Whether http load balancing enabled
+ - name: identity_namespace
+ description: Workload Identity pool
+ - name: identity_service_enabled
+ description: Whether Identity Service is enabled
+ - name: instance_group_urls
+ description: List of GKE generated instance groups
+ - name: intranode_visibility_enabled
+ description: Whether intra-node visibility is enabled
+ - name: istio_enabled
+ description: Whether Istio is enabled
+ - name: location
+ description: Cluster location (region if regional cluster, zone if zonal cluster)
+ - name: logging_service
+ description: Logging service used
+ - name: master_authorized_networks_config
+ description: Networks from which access to master is permitted
+ - name: master_version
+ description: Current master kubernetes version
+ - name: mesh_certificates_config
+ description: Mesh certificates configuration
+ - name: min_master_version
+ description: Minimum master kubernetes version
+ - name: monitoring_service
+ description: Monitoring service used
+ - name: name
+ description: Cluster name
+ - name: network_policy_enabled
+ description: Whether network policy enabled
+ - name: node_pools_names
+ description: List of node pools names
+ - name: node_pools_versions
+ description: Node pool versions by node pool name
+ - name: pod_security_policy_enabled
+ description: Whether pod security policy is enabled
+ - name: region
+ description: Cluster region
+ - name: release_channel
+ description: The release channel of this cluster
+ - name: secret_manager_addon_enabled
+ description: Whether Secret Manager add-on is enabled
+ - name: service_account
+ description: The service account to default running nodes as if not overridden in `node_pools`.
+ - name: tpu_ipv4_cidr_block
+ description: The IP range in CIDR notation used for the TPUs
+ - name: type
+ description: Cluster type (regional / zonal)
+ - name: vertical_pod_autoscaling_enabled
+ description: Whether vertical pod autoscaling enabled
+ - name: zones
+ description: List of zones in which the cluster resides
diff --git a/modules/binary-authorization/metadata.display.yaml b/modules/binary-authorization/metadata.display.yaml
new file mode 100644
index 000000000..246d6bc90
--- /dev/null
+++ b/modules/binary-authorization/metadata.display.yaml
@@ -0,0 +1,48 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kubernetes-engine-binary-authorization-display
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Binary Authorization Infrastructure
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git
+ sourceType: git
+ dir: /modules/binary-authorization
+ ui:
+ input:
+ variables:
+ attestor-name:
+ name: attestor-name
+ title: Attestor-Name
+ crypto-algorithm:
+ name: crypto-algorithm
+ title: Crypto-Algorithm
+ disable_dependent_services:
+ name: disable_dependent_services
+ title: Disable Dependent Services
+ disable_services_on_destroy:
+ name: disable_services_on_destroy
+ title: Disable Services On Destroy
+ keyring-id:
+ name: keyring-id
+ title: Keyring-Id
+ project_id:
+ name: project_id
+ title: Project Id
diff --git a/modules/binary-authorization/metadata.yaml b/modules/binary-authorization/metadata.yaml
new file mode 100644
index 000000000..488f5b910
--- /dev/null
+++ b/modules/binary-authorization/metadata.yaml
@@ -0,0 +1,151 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kubernetes-engine-binary-authorization
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Binary Authorization Infrastructure
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git
+ sourceType: git
+ dir: /modules/binary-authorization
+ version: 36.0.2
+ actuationTool:
+ flavor: Terraform
+ version: ">= 1.3"
+ description: {}
+ content:
+ examples:
+ - name: autopilot_private_firewalls
+ location: examples/autopilot_private_firewalls
+ - name: confidential_safer_cluster
+ location: examples/confidential_safer_cluster
+ - name: deploy_service
+ location: examples/deploy_service
+ - name: disable_client_cert
+ location: examples/disable_client_cert
+ - name: island_cluster_anywhere_in_gcp_design
+ location: examples/island_cluster_anywhere_in_gcp_design
+ - name: island_cluster_with_vm_router
+ location: examples/island_cluster_with_vm_router
+ - name: node_pool
+ location: examples/node_pool
+ - name: node_pool_update_variant
+ location: examples/node_pool_update_variant
+ - name: node_pool_update_variant_beta
+ location: examples/node_pool_update_variant_beta
+ - name: node_pool_update_variant_public_beta
+ location: examples/node_pool_update_variant_public_beta
+ - name: private_zonal_with_networking
+ location: examples/private_zonal_with_networking
+ - name: regional_private_node_pool_oauth_scopes
+ location: examples/regional_private_node_pool_oauth_scopes
+ - name: safer_cluster
+ location: examples/safer_cluster
+ - name: safer_cluster_iap_bastion
+ location: examples/safer_cluster_iap_bastion
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_autopilot_private
+ location: examples/simple_autopilot_private
+ - name: simple_autopilot_private_cmek
+ location: examples/simple_autopilot_private_cmek
+ - name: simple_autopilot_private_non_default_sa
+ location: examples/simple_autopilot_private_non_default_sa
+ - name: simple_autopilot_public
+ location: examples/simple_autopilot_public
+ - name: simple_fleet_app_operator_permissions
+ location: examples/simple_fleet_app_operator_permissions
+ - name: simple_regional
+ location: examples/simple_regional
+ - name: simple_regional_beta
+ location: examples/simple_regional_beta
+ - name: simple_regional_cluster_autoscaling
+ location: examples/simple_regional_cluster_autoscaling
+ - name: simple_regional_private
+ location: examples/simple_regional_private
+ - name: simple_regional_private_beta
+ location: examples/simple_regional_private_beta
+ - name: simple_regional_private_with_cluster_version
+ location: examples/simple_regional_private_with_cluster_version
+ - name: simple_regional_with_gateway_api
+ location: examples/simple_regional_with_gateway_api
+ - name: simple_regional_with_ipv6
+ location: examples/simple_regional_with_ipv6
+ - name: simple_regional_with_kubeconfig
+ location: examples/simple_regional_with_kubeconfig
+ - name: simple_regional_with_networking
+ location: examples/simple_regional_with_networking
+ - name: simple_windows_node_pool
+ location: examples/simple_windows_node_pool
+ - name: simple_zonal_private
+ location: examples/simple_zonal_private
+ - name: simple_zonal_with_hub
+ location: examples/simple_zonal_with_hub
+ - name: simple_zonal_with_hub_kubeconfig
+ location: examples/simple_zonal_with_hub_kubeconfig
+ - name: stub_domains
+ location: examples/stub_domains
+ - name: stub_domains_private
+ location: examples/stub_domains_private
+ - name: stub_domains_upstream_nameservers
+ location: examples/stub_domains_upstream_nameservers
+ - name: terraform
+ location: examples/acm-terraform-blog-part1/terraform
+ - name: terraform
+ location: examples/acm-terraform-blog-part2/terraform
+ - name: terraform
+ location: examples/acm-terraform-blog-part3/terraform
+ - name: upstream_nameservers
+ location: examples/upstream_nameservers
+ - name: workload_identity
+ location: examples/workload_identity
+ - name: workload_metadata_config
+ location: examples/workload_metadata_config
+ interfaces:
+ variables:
+ - name: project_id
+ description: Project ID to apply services into
+ varType: string
+ required: true
+ - name: attestor-name
+ description: Name of the attestor
+ varType: string
+ required: true
+ - name: keyring-id
+ description: Keyring ID to attach attestor keys
+ varType: string
+ required: true
+ - name: crypto-algorithm
+ description: Algorithm used for the async signing keys
+ varType: string
+ defaultValue: RSA_SIGN_PKCS1_4096_SHA512
+ - name: disable_services_on_destroy
+ description: Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy
+ varType: bool
+ defaultValue: false
+ - name: disable_dependent_services
+ description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services
+ varType: bool
+ defaultValue: false
+ outputs:
+ - name: attestor
+ description: Name of the built attestor
+ - name: key
+ description: Name of the Key created for the attestor
diff --git a/modules/fleet-app-operator-permissions/metadata.display.yaml b/modules/fleet-app-operator-permissions/metadata.display.yaml
new file mode 100644
index 000000000..854efd839
--- /dev/null
+++ b/modules/fleet-app-operator-permissions/metadata.display.yaml
@@ -0,0 +1,45 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kubernetes-engine-fleet-app-operator-permissions-display
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Terrafrom Module for Fleet App Operator Permissions
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git
+ sourceType: git
+ dir: /modules/fleet-app-operator-permissions
+ ui:
+ input:
+ variables:
+ fleet_project_id:
+ name: fleet_project_id
+ title: Fleet Project Id
+ groups:
+ name: groups
+ title: Groups
+ role:
+ name: role
+ title: Role
+ scope_id:
+ name: scope_id
+ title: Scope Id
+ users:
+ name: users
+ title: Users
diff --git a/modules/fleet-app-operator-permissions/metadata.yaml b/modules/fleet-app-operator-permissions/metadata.yaml
new file mode 100644
index 000000000..b49a089f3
--- /dev/null
+++ b/modules/fleet-app-operator-permissions/metadata.yaml
@@ -0,0 +1,147 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kubernetes-engine-fleet-app-operator-permissions
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Terrafrom Module for Fleet App Operator Permissions
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git
+ sourceType: git
+ dir: /modules/fleet-app-operator-permissions
+ version: 36.0.2
+ actuationTool:
+ flavor: Terraform
+ version: ">= 1.3.0"
+ description: {}
+ content:
+ examples:
+ - name: autopilot_private_firewalls
+ location: examples/autopilot_private_firewalls
+ - name: confidential_safer_cluster
+ location: examples/confidential_safer_cluster
+ - name: deploy_service
+ location: examples/deploy_service
+ - name: disable_client_cert
+ location: examples/disable_client_cert
+ - name: island_cluster_anywhere_in_gcp_design
+ location: examples/island_cluster_anywhere_in_gcp_design
+ - name: island_cluster_with_vm_router
+ location: examples/island_cluster_with_vm_router
+ - name: node_pool
+ location: examples/node_pool
+ - name: node_pool_update_variant
+ location: examples/node_pool_update_variant
+ - name: node_pool_update_variant_beta
+ location: examples/node_pool_update_variant_beta
+ - name: node_pool_update_variant_public_beta
+ location: examples/node_pool_update_variant_public_beta
+ - name: private_zonal_with_networking
+ location: examples/private_zonal_with_networking
+ - name: regional_private_node_pool_oauth_scopes
+ location: examples/regional_private_node_pool_oauth_scopes
+ - name: safer_cluster
+ location: examples/safer_cluster
+ - name: safer_cluster_iap_bastion
+ location: examples/safer_cluster_iap_bastion
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_autopilot_private
+ location: examples/simple_autopilot_private
+ - name: simple_autopilot_private_cmek
+ location: examples/simple_autopilot_private_cmek
+ - name: simple_autopilot_private_non_default_sa
+ location: examples/simple_autopilot_private_non_default_sa
+ - name: simple_autopilot_public
+ location: examples/simple_autopilot_public
+ - name: simple_fleet_app_operator_permissions
+ location: examples/simple_fleet_app_operator_permissions
+ - name: simple_regional
+ location: examples/simple_regional
+ - name: simple_regional_beta
+ location: examples/simple_regional_beta
+ - name: simple_regional_cluster_autoscaling
+ location: examples/simple_regional_cluster_autoscaling
+ - name: simple_regional_private
+ location: examples/simple_regional_private
+ - name: simple_regional_private_beta
+ location: examples/simple_regional_private_beta
+ - name: simple_regional_private_with_cluster_version
+ location: examples/simple_regional_private_with_cluster_version
+ - name: simple_regional_with_gateway_api
+ location: examples/simple_regional_with_gateway_api
+ - name: simple_regional_with_ipv6
+ location: examples/simple_regional_with_ipv6
+ - name: simple_regional_with_kubeconfig
+ location: examples/simple_regional_with_kubeconfig
+ - name: simple_regional_with_networking
+ location: examples/simple_regional_with_networking
+ - name: simple_windows_node_pool
+ location: examples/simple_windows_node_pool
+ - name: simple_zonal_private
+ location: examples/simple_zonal_private
+ - name: simple_zonal_with_hub
+ location: examples/simple_zonal_with_hub
+ - name: simple_zonal_with_hub_kubeconfig
+ location: examples/simple_zonal_with_hub_kubeconfig
+ - name: stub_domains
+ location: examples/stub_domains
+ - name: stub_domains_private
+ location: examples/stub_domains_private
+ - name: stub_domains_upstream_nameservers
+ location: examples/stub_domains_upstream_nameservers
+ - name: terraform
+ location: examples/acm-terraform-blog-part1/terraform
+ - name: terraform
+ location: examples/acm-terraform-blog-part2/terraform
+ - name: terraform
+ location: examples/acm-terraform-blog-part3/terraform
+ - name: upstream_nameservers
+ location: examples/upstream_nameservers
+ - name: workload_identity
+ location: examples/workload_identity
+ - name: workload_metadata_config
+ location: examples/workload_metadata_config
+ interfaces:
+ variables:
+ - name: fleet_project_id
+ description: The project to which the Fleet belongs.
+ varType: string
+ required: true
+ - name: scope_id
+ description: The scope for which IAM and RBAC role bindings are created.
+ varType: string
+ required: true
+ - name: users
+ description: The list of app operator user principals, e.g., `person@google.com`, `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person`, `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com`.
+ varType: list(string)
+ defaultValue: []
+ - name: groups
+ description: The list of app operator group principals, e.g., `people@google.com`, `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people`.
+ varType: list(string)
+ defaultValue: []
+ - name: role
+ description: The principals role for the Fleet Scope (`VIEW`/`EDIT`/`ADMIN`).
+ varType: string
+ required: true
+ outputs:
+ - name: fleet_project_id
+ description: The project to which the Fleet belongs.
+ - name: wait
+ description: An output to use when you want to depend on Scope RBAC Role Binding creation finishing.
diff --git a/modules/fleet-membership/metadata.display.yaml b/modules/fleet-membership/metadata.display.yaml
new file mode 100644
index 000000000..6511012ef
--- /dev/null
+++ b/modules/fleet-membership/metadata.display.yaml
@@ -0,0 +1,51 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kubernetes-engine-fleet-membership-display
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Terraform Kubernetes Engine Hub Submodule
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git
+ sourceType: git
+ dir: /modules/fleet-membership
+ ui:
+ input:
+ variables:
+ cluster_name:
+ name: cluster_name
+ title: Cluster Name
+ enable_fleet_registration:
+ name: enable_fleet_registration
+ title: Enable Fleet Registration
+ hub_project_id:
+ name: hub_project_id
+ title: Hub Project Id
+ location:
+ name: location
+ title: Location
+ membership_location:
+ name: membership_location
+ title: Membership Location
+ membership_name:
+ name: membership_name
+ title: Membership Name
+ project_id:
+ name: project_id
+ title: Project Id
diff --git a/modules/fleet-membership/metadata.yaml b/modules/fleet-membership/metadata.yaml
new file mode 100644
index 000000000..ccd7f99ac
--- /dev/null
+++ b/modules/fleet-membership/metadata.yaml
@@ -0,0 +1,159 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-fleet-membership + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Hub Submodule + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/fleet-membership + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: 
private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: cluster_name + description: The GKE cluster name + varType: string + required: true + - name: project_id + description: The project in which the GKE cluster belongs. + varType: string + required: true + - name: hub_project_id + description: The project in which the GKE Hub belongs. Defaults to GKE cluster project_id. + varType: string + defaultValue: "" + - name: location + description: The location (zone or region) this cluster has been created in. + varType: string + required: true + - name: enable_fleet_registration + description: Enables GKE Hub Registration when set to true + varType: bool + defaultValue: true + - name: membership_name + description: Membership name that uniquely represents the cluster being registered. Defaults to `$project_id-$location-$cluster_name`. + varType: string + defaultValue: "" + - name: membership_location + description: Membership location for the cluster. Defaults to global. + varType: string + defaultValue: global + outputs: + - name: cluster_membership_id + description: The ID of the hub membership + - name: location + description: The location of the hub membership. + - name: project_id + description: The project of the hub membership. 
+ - name: wait + description: An output to use when you want to depend on registration finishing diff --git a/modules/hub-legacy/metadata.display.yaml b/modules/hub-legacy/metadata.display.yaml new file mode 100644 index 000000000..e277de1cf --- /dev/null +++ b/modules/hub-legacy/metadata.display.yaml 
@@ -0,0 +1,72 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-hub-legacy-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Hub Submodule + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/hub-legacy + ui: + input: + variables: + cluster_endpoint: + name: cluster_endpoint + title: Cluster Endpoint + cluster_name: + name: cluster_name + title: Cluster Name + gcloud_sdk_version: + name: gcloud_sdk_version + title: Gcloud Sdk Version + gke_hub_membership_name: + name: gke_hub_membership_name + title: Gke Hub Membership Name + gke_hub_sa_name: + name: gke_hub_sa_name + title: Gke Hub Sa Name + hub_project_id: + name: hub_project_id + title: Hub Project Id + labels: + name: labels + title: Labels + location: + name: location + title: Location + module_depends_on: + name: module_depends_on + title: Module Depends On + project_id: + name: project_id + title: Project Id + sa_private_key: + name: sa_private_key + title: Sa Private Key + use_existing_sa: + name: use_existing_sa + title: Use Existing Sa + use_kubeconfig: + name: use_kubeconfig + title: Use Kubeconfig + use_tf_google_credentials_env_var: + name: use_tf_google_credentials_env_var + title: Use Tf Google Credentials Env Var 
diff --git a/modules/hub-legacy/metadata.yaml b/modules/hub-legacy/metadata.yaml new file mode 100644 index 000000000..97ed44135 --- /dev/null +++ b/modules/hub-legacy/metadata.yaml 
@@ -0,0 +1,180 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-hub-legacy + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Hub Submodule + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/hub-legacy + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: private_zonal_with_networking + location: 
examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: simple_zonal_with_hub_kubeconfig + location: 
examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: cluster_name + description: The unique name to identify the cluster in ASM. + varType: string + required: true + - name: cluster_endpoint + description: The GKE cluster endpoint. + varType: string + required: true + - name: project_id + description: The project in which the resource belongs. + varType: string + required: true + - name: hub_project_id + description: The project in which the GKE Hub belongs. + varType: string + defaultValue: "" + - name: location + description: The location (zone or region) this cluster has been created in. + varType: string + required: true + - name: use_tf_google_credentials_env_var + description: Optional GOOGLE_CREDENTIALS environment variable to be activated. + varType: bool + defaultValue: false + - name: gcloud_sdk_version + description: The gcloud sdk version to use. Minimum required version is 293.0.0 + varType: string + defaultValue: 296.0.1 + - name: gke_hub_sa_name + description: Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. 
+ varType: string + defaultValue: gke-hub-sa + - name: gke_hub_membership_name + description: Membership name that uniquely represents the cluster being registered on the Hub + varType: string + defaultValue: gke-hub-membership + - name: use_existing_sa + description: Uses an existing service account to register membership. Requires sa_private_key + varType: bool + defaultValue: false + - name: sa_private_key + description: Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`. + varType: string + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: use_kubeconfig + description: Use existing kubeconfig to register membership. Set this to true for non GKE clusters. Assumes kubectl context is set to cluster to register. + varType: bool + defaultValue: false + - name: labels + description: Comma separated labels in the format name=value to apply to cluster in the GCP Console. + varType: string + defaultValue: "" + outputs: + - name: wait + description: An output to use when you want to depend on registration finishing diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml new file mode 100644 index 000000000..226734a87 --- /dev/null +++ b/modules/private-cluster-update-variant/metadata.display.yaml 
@@ -0,0 +1,411 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-private-cluster-update-variant-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/private-cluster-update-variant + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider 
+ title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + deploy_using_private_endpoint: + name: deploy_using_private_endpoint + title: Deploy Using Private Endpoint + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + name: enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: 
+ name: enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_private_nodes: + name: enable_private_nodes + title: Enable Private Nodes + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: 
gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_global_access_enabled: + name: master_global_access_enabled + title: Master Global Access Enabled + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + 
monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: 
Node Pools Taints + non_masquerade_cidrs: + name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + private_endpoint_subnetwork: + name: private_endpoint_subnetwork + title: Private Endpoint Subnetwork + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: 
upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + zones: + name: zones + title: Zones diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml new file mode 100644 index 000000000..df2baa23e --- /dev/null +++ b/modules/private-cluster-update-variant/metadata.yaml 
@@ -0,0 +1,762 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-private-cluster-update-variant + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/private-cluster-update-variant + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - 
name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. + varType: bool + defaultValue: false + - name: logging_service + description: The logging service that the cluster should write logs to. 
Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. 
+ varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: deploy_using_private_endpoint + description: A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. + varType: bool + defaultValue: false + - name: enable_private_endpoint + description: Whether the master's internal IP address is used as the cluster endpoint + varType: bool + defaultValue: false + - name: enable_private_nodes + description: Whether nodes have internal IP addresses only + varType: bool + defaultValue: true + - name: master_ipv4_cidr_block + description: (Optional) The IP range in CIDR notation to use for the hosted master network. + varType: string + - name: private_endpoint_subnetwork + description: The subnetwork to use for the hosted master network. 
+ varType: string + - name: master_global_access_enabled + description: Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. + varType: bool + defaultValue: true + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. 
Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. + varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_gcfs + description: Enable image streaming on cluster level. + varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. 
+ varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: enable_default_node_pools_metadata + description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` + varType: bool + defaultValue: true + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: network_policy + description: Enable network policy addon + varType: bool + defaultValue: false + - name: network_policy_provider + description: The network policy provider. + varType: string + defaultValue: CALICO + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. 
+ varType: number + defaultValue: 0 + - name: remove_default_node_pool + description: Remove default node pool while setting up the cluster + varType: bool + defaultValue: false + - name: disable_legacy_metadata_endpoints + description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. + varType: bool + defaultValue: true + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster + varType: bool + defaultValue: true + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: node_metadata + description: Specifies how node metadata is exposed to the workload running on the node + varType: string + defaultValue: GKE_METADATA + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: additive_vpc_scope_dns_domain + description: This will enable Cloud DNS additive VPC scope. 
Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well. + varType: string + defaultValue: "" + - name: gce_pd_csi_driver + description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: gcs_fuse_csi_driver + description: Whether GCE FUSE CSI driver is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." 
+ varType: list(string) + defaultValue: [] + - name: monitoring_enable_managed_prometheus + description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + - name: monitoring_enable_observability_metrics + description: Whether or not the advanced datapath metrics are enabled. + varType: bool + defaultValue: false + - name: monitoring_enable_observability_relay + description: Whether or not the advanced datapath relay is enabled. + varType: bool + defaultValue: false + - name: enable_kubernetes_alpha + description: Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. + varType: bool + defaultValue: false + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: enable_identity_service + description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. + varType: bool + defaultValue: false + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: logging_variant + description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. 
+ varType: string + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. + - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: instance_group_urls + description: List of GKE generated instance groups + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: mesh_certificates_config + description: Mesh certificates configuration + - name: min_master_version + description: Minimum master kubernetes version + - name: 
monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml new file mode 100644 index 000000000..9f9873a35 --- /dev/null +++ b/modules/private-cluster/metadata.display.yaml 
@@ -0,0 +1,411 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-private-cluster-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/private-cluster + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + add_master_webhook_firewall_rules: + name: add_master_webhook_firewall_rules + title: Add Master Webhook Firewall Rules + add_shadow_firewall_rules: + name: add_shadow_firewall_rules + title: Add Shadow Firewall Rules + additional_ip_range_pods: + name: additional_ip_range_pods + title: Additional Ip Range Pods + additive_vpc_scope_dns_domain: + name: additive_vpc_scope_dns_domain + title: Additive Vpc Scope Dns Domain + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + boot_disk_kms_key: + name: boot_disk_kms_key + title: Boot Disk Kms Key + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider 
+ cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_ipv4_cidr: + name: cluster_ipv4_cidr + title: Cluster Ipv4 Cidr + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + config_connector: + name: config_connector + title: Config Connector + configure_ip_masq: + name: configure_ip_masq + title: Configure Ip Masq + create_service_account: + name: create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + deploy_using_private_endpoint: + name: deploy_using_private_endpoint + title: Deploy Using Private Endpoint + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + disable_legacy_metadata_endpoints: + name: disable_legacy_metadata_endpoints + title: Disable Legacy Metadata Endpoints + dns_cache: + name: dns_cache + title: Dns Cache + enable_binary_authorization: + name: enable_binary_authorization + title: Enable Binary Authorization + enable_cilium_clusterwide_network_policy: + name: enable_cilium_clusterwide_network_policy + title: Enable Cilium Clusterwide Network Policy + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_default_node_pools_metadata: + name: enable_default_node_pools_metadata + title: Enable Default Node Pools Metadata + enable_fqdn_network_policy: + name: enable_fqdn_network_policy + title: Enable Fqdn Network Policy + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_identity_service: + name: 
enable_identity_service + title: Enable Identity Service + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_kubernetes_alpha: + name: enable_kubernetes_alpha + title: Enable Kubernetes Alpha + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_network_egress_export: + name: enable_network_egress_export + title: Enable Network Egress Export + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_private_nodes: + name: enable_private_nodes + title: Enable Private Nodes + enable_resource_consumption_export: + name: enable_resource_consumption_export + title: Enable Resource Consumption Export + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_tpu: + name: enable_tpu + title: Enable Tpu + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + enterprise_config: + name: enterprise_config + title: Enterprise Config + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + fleet_project: + name: fleet_project + title: Fleet Project + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gcp_public_cidrs_access_enabled: + name: gcp_public_cidrs_access_enabled + title: Gcp Public Cidrs Access Enabled + gcs_fuse_csi_driver: + name: gcs_fuse_csi_driver + title: Gcs Fuse Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config 
+ title: Gke Backup Agent Config + grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + identity_namespace: + name: identity_namespace + title: Identity Namespace + initial_node_count: + name: initial_node_count + title: Initial Node Count + insecure_kubelet_readonly_port_enabled: + name: insecure_kubelet_readonly_port_enabled + title: Insecure Kubelet Readonly Port Enabled + ip_masq_link_local: + name: ip_masq_link_local + title: Ip Masq Link Local + ip_masq_resync_interval: + name: ip_masq_resync_interval + title: Ip Masq Resync Interval + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + issue_client_certificate: + name: issue_client_certificate + title: Issue Client Certificate + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_enabled_components: + name: logging_enabled_components + title: Logging Enabled Components + logging_service: + name: logging_service + title: Logging Service + logging_variant: + name: logging_variant + title: Logging Variant + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_global_access_enabled: + name: master_global_access_enabled + title: Master Global Access Enabled + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + monitoring_enable_managed_prometheus: + name: 
monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enable_observability_metrics: + name: monitoring_enable_observability_metrics + title: Monitoring Enable Observability Metrics + monitoring_enable_observability_relay: + name: monitoring_enable_observability_relay + title: Monitoring Enable Observability Relay + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_metric_writer_role: + name: monitoring_metric_writer_role + title: Monitoring Metric Writer Role + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_policy: + name: network_policy + title: Network Policy + network_policy_provider: + name: network_policy_provider + title: Network Policy Provider + network_project_id: + name: network_project_id + title: Network Project Id + network_tags: + name: network_tags + title: Network Tags + node_metadata: + name: node_metadata + title: Node Metadata + node_pools: + name: node_pools + title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + non_masquerade_cidrs: + 
name: non_masquerade_cidrs + title: Non Masquerade Cidrs + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + notification_filter_event_type: + name: notification_filter_event_type + title: Notification Filter Event Type + private_endpoint_subnetwork: + name: private_endpoint_subnetwork + title: Private Endpoint Subnetwork + project_id: + name: project_id + title: Project Id + ray_operator_config: + name: ray_operator_config + title: Ray Operator Config + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + remove_default_node_pool: + name: remove_default_node_pool + title: Remove Default Node Pool + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + service_account: + name: service_account + title: Service Account + service_account_name: + name: service_account_name + title: Service Account Name + service_external_ips: + name: service_external_ips + title: Service External Ips + shadow_firewall_rules_log_config: + name: shadow_firewall_rules_log_config + title: Shadow Firewall Rules Log Config + shadow_firewall_rules_priority: + name: shadow_firewall_rules_priority + title: Shadow Firewall Rules Priority + stack_type: + name: stack_type + title: Stack Type + stateful_ha: + name: stateful_ha + title: Stateful Ha + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + 
windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + zones: + name: zones + title: Zones diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml new file mode 100644 index 000000000..212afc6d6 --- /dev/null +++ b/modules/private-cluster/metadata.yaml 
@@ -0,0 +1,762 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-private-cluster + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Terraform Kubernetes Engine Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/private-cluster + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: 
private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in (required) + varType: string + required: true + - name: name + description: The name of the cluster (required) + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. 
WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in (optional if zonal cluster / required if regional) + varType: string + - name: zones + description: The zones to host the cluster in (optional if regional cluster / required if zonal) + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in (required) + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in (required) + varType: string + required: true + - name: kubernetes_version + description: The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. + varType: string + defaultValue: latest + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
+ varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: gcp_public_cidrs_access_enabled + description: Allow access through Google Cloud public IP addresses + varType: bool + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon + varType: bool + defaultValue: true + - name: service_external_ips + description: Whether external ips specified by a service will be allowed in this cluster + varType: bool + defaultValue: false + - name: insecure_kubelet_readonly_port_enabled + description: "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + varType: bool + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. + varType: string + defaultValue: DATAPATH_PROVIDER_UNSPECIFIED + - name: maintenance_start_time + description: Time window specified for daily or recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: additional_ip_range_pods + description: List of _names_ of the additional secondary subnet ip ranges to use for pods + varType: list(string) + defaultValue: [] + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: stack_type + description: The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. 
+ varType: string + defaultValue: IPV4 + - name: node_pools + description: List of maps containing node pools + varType: list(map(any)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing Windows node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_linux_node_configs_sysctls + description: Map of maps containing linux node config sysctls by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. + varType: string + defaultValue: "" + - name: enable_network_egress_export + description: Whether to enable network egress metering for this cluster. 
If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: bool + defaultValue: false + - name: enable_resource_consumption_export + description: Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. + varType: bool + defaultValue: true + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + disk_size: 100 + disk_type: pd-standard + enable_integrity_monitoring: true + enable_secure_boot: false + enabled: false + gpu_resources: [] + image_type: COS_CONTAINERD + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) 
+ defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: network_tags + description: (Optional) - List of network tags applied to auto-provisioned node pools. + varType: list(string) + defaultValue: [] + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: non_masquerade_cidrs + description: List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. + varType: list(string) + defaultValue: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - name: ip_masq_resync_interval + description: The interval at which the agent attempts to sync its ConfigMap file from the disk. + varType: string + defaultValue: 60s + - name: ip_masq_link_local + description: Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). + varType: bool + defaultValue: false + - name: configure_ip_masq + description: Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. + varType: bool + defaultValue: false + - name: logging_service + description: The logging service that the cluster should write logs to. 
Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: create_service_account + description: Defines if service account specified to run nodes should be created. + varType: bool + defaultValue: true + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. + varType: bool + defaultValue: false + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. + varType: list(string) + defaultValue: [] + - name: service_account + description: The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable. + varType: string + defaultValue: "" + - name: service_account_name + description: The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable. 
+ varType: string + defaultValue: "" + - name: boot_disk_kms_key + description: "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + varType: string + - name: issue_client_certificate + description: "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: cluster_ipv4_cidr + description: The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. + varType: string + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: deploy_using_private_endpoint + description: A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. + varType: bool + defaultValue: false + - name: enable_private_endpoint + description: Whether the master's internal IP address is used as the cluster endpoint + varType: bool + defaultValue: false + - name: enable_private_nodes + description: Whether nodes have internal IP addresses only + varType: bool + defaultValue: true + - name: master_ipv4_cidr_block + description: (Optional) The IP range in CIDR notation to use for the hosted master network. + varType: string + - name: private_endpoint_subnetwork + description: The subnetwork to use for the hosted master network. 
+ varType: string + - name: master_global_access_enabled + description: Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. + varType: bool + defaultValue: true + - name: dns_cache + description: The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: identity_namespace + description: The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) + varType: string + defaultValue: enabled + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: add_master_webhook_firewall_rules + description: Create master_webhook firewall rules for ports defined in `firewall_inbound_ports` + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers. 
Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: add_shadow_firewall_rules + description: Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). + varType: bool + defaultValue: false + - name: shadow_firewall_rules_priority + description: The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. + varType: number + defaultValue: 999 + - name: shadow_firewall_rules_log_config + description: The log_config for shadow firewall rules. You can set this variable to `null` to disable logging. + varType: |- + object({ + metadata = string + }) + defaultValue: + metadata: INCLUDE_ALL_METADATA + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + - name: enable_gcfs + description: Enable image streaming on cluster level. + varType: bool + defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false + - name: enable_fqdn_network_policy + description: Enable FQDN Network Policies on the cluster + varType: bool + - name: enable_cilium_clusterwide_network_policy + description: Enable Cilium Cluster Wide Network Policies on the cluster + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. 
+ varType: string + defaultValue: VULNERABILITY_DISABLED + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: enable_default_node_pools_metadata + description: Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` + varType: bool + defaultValue: true + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: notification_filter_event_type + description: Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT. + varType: list(string) + defaultValue: [] + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_tpu + description: "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + varType: bool + defaultValue: false + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: network_policy + description: Enable network policy addon + varType: bool + defaultValue: false + - name: network_policy_provider + description: The network policy provider. + varType: string + defaultValue: CALICO + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. 
+ varType: number + defaultValue: 0 + - name: remove_default_node_pool + description: Remove default node pool while setting up the cluster + varType: bool + defaultValue: false + - name: disable_legacy_metadata_endpoints + description: Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. + varType: bool + defaultValue: true + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster + varType: bool + defaultValue: true + - name: enable_binary_authorization + description: Enable BinAuthZ Admission controller + varType: bool + defaultValue: false + - name: node_metadata + description: Specifies how node metadata is exposed to the workload running on the node + varType: string + defaultValue: GKE_METADATA + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: additive_vpc_scope_dns_domain + description: This will enable Cloud DNS additive VPC scope. 
Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well. + varType: string + defaultValue: "" + - name: gce_pd_csi_driver + description: Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: gcs_fuse_csi_driver + description: Whether GCE FUSE CSI driver is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: stateful_ha + description: Whether the Stateful HA Addon is enabled for this cluster. + varType: bool + defaultValue: false + - name: ray_operator_config + description: The Ray Operator Addon configuration for this cluster. + varType: |- + object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + defaultValue: + enabled: false + logging_enabled: false + monitoring_enabled: false + - name: timeouts + description: Timeout for cluster operations. + varType: map(string) + defaultValue: {} + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: logging_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, KCP_CONNECTION, KCP_SSHD, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." 
+ varType: list(string) + defaultValue: [] + - name: monitoring_enable_managed_prometheus + description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + - name: monitoring_enable_observability_metrics + description: Whether or not the advanced datapath metrics are enabled. + varType: bool + defaultValue: false + - name: monitoring_enable_observability_relay + description: Whether or not the advanced datapath relay is enabled. + varType: bool + defaultValue: false + - name: enable_kubernetes_alpha + description: Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. + varType: bool + defaultValue: false + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: enable_identity_service + description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. + varType: bool + defaultValue: false + - name: fleet_project + description: (Optional) Register the cluster with the fleet in this project. + varType: string + - name: logging_variant + description: (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. 
+ varType: string + - name: monitoring_metric_writer_role + description: The monitoring metrics writer role to assign to the GKE node service account + varType: string + defaultValue: roles/monitoring.metricWriter + - name: enterprise_config + description: (Optional) Enable or disable GKE enterprise. Valid values are DEFAULT and ENTERPRISE. + varType: string + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cluster_id + description: Cluster ID + - name: dns_cache_enabled + description: Whether DNS Cache enabled + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: fleet_membership + description: Fleet membership (if registered) + - name: gateway_api_channel + description: The gateway api channel of this cluster. + - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: identity_namespace + description: Workload Identity pool + - name: identity_service_enabled + description: Whether Identity Service is enabled + - name: instance_group_urls + description: List of GKE generated instance groups + - name: intranode_visibility_enabled + description: Whether intra-node visibility is enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: mesh_certificates_config + description: Mesh certificates configuration + - name: min_master_version + description: Minimum master kubernetes version + - name: 
monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. + - name: region + description: Cluster region + - name: release_channel + description: The release channel of this cluster + - name: secret_manager_addon_enabled + description: Whether Secret Manager add-on is enabled + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: tpu_ipv4_cidr_block + description: The IP range in CIDR notation used for the TPUs + - name: type + description: Cluster type (regional / zonal) + - name: vertical_pod_autoscaling_enabled + description: Whether vertical pod autoscaling enabled + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/safer-cluster-update-variant/metadata.display.yaml b/modules/safer-cluster-update-variant/metadata.display.yaml new file mode 100644 index 000000000..b845c7e90 --- /dev/null +++ b/modules/safer-cluster-update-variant/metadata.display.yaml 
@@ -0,0 +1,273 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-safer-cluster-update-variant-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: "Safer Cluster: How to setup a GKE Kubernetes cluster with reduced exposure" + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/safer-cluster-update-variant + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + cloudrun: + name: cloudrun + title: Cloudrun + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + compute_engine_service_account: + name: compute_engine_service_account + title: Compute Engine Service Account + config_connector: + name: config_connector + title: Config Connector + create_service_account: + name: 
create_service_account + title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + dns_cache: + name: dns_cache + title: Dns Cache + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_pod_security_policy: + name: enable_pod_security_policy + title: Enable Pod Security Policy + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config 
+ grant_registry_access: + name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + initial_node_count: + name: initial_node_count + title: Initial Node Count + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + istio: + name: istio + title: Istio + istio_auth: + name: istio_auth + title: Istio Auth + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_service: + name: logging_service + title: Logging Service + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_project_id: + name: network_project_id + title: Network Project Id + node_pools: + name: node_pools + title: Node Pools + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + 
title: Node Pools Oauth Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + project_id: + name: project_id + title: Project Id + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + sandbox_enabled: + name: sandbox_enabled + title: Sandbox Enabled + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/safer-cluster-update-variant/metadata.yaml b/modules/safer-cluster-update-variant/metadata.yaml new file mode 100644 index 000000000..aea823908 --- /dev/null +++ b/modules/safer-cluster-update-variant/metadata.yaml 
@@ -0,0 +1,528 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-safer-cluster-update-variant + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: "Safer Cluster: How to setup a GKE Kubernetes cluster with reduced exposure" + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/safer-cluster-update-variant + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: 
examples/node_pool_update_variant_public_beta + - name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + 
location: examples/simple_zonal_with_hub + - name: simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in + varType: string + required: true + - name: name + description: The name of the cluster + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in + varType: string + required: true + - name: zones + description: The zones to host the cluster in + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in + varType: string + required: true + - name: kubernetes_version + description: "The Kubernetes version of the masters. 
If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. " + varType: string + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). + varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. + varType: bool + defaultValue: true + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation. + varType: string + defaultValue: ADVANCED_DATAPATH + - name: maintenance_start_time + description: Time window specified for daily maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. + varType: number + defaultValue: 0 + - name: node_pools + description: List of maps containing node pools + varType: list(map(string)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node 
network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + enabled: false + gpu_resources: [] + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: logging_service + description: The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: monitoring_enable_managed_prometheus + description: (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + defaultValue: false + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer role. + varType: bool + defaultValue: true + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. + varType: list(string) + defaultValue: [] + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation to use for the hosted master network + varType: string + defaultValue: 10.0.0.0/28 + - name: istio + description: (Beta) Enable Istio addon + varType: bool + defaultValue: false + - name: istio_auth + description: (Beta) The authentication type between services in Istio. + varType: string + defaultValue: AUTH_MUTUAL_TLS + - name: dns_cache + description: (Beta) The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. 
PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: cloudrun + description: (Beta) Enable CloudRun addon + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: string + defaultValue: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: sandbox_enabled + description: (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. 
This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: compute_engine_service_account + description: Use the given service account for nodes rather than creating a new dedicated service account. If set then also set var.create_service_account to false to avoid 'value depends on resource attributes that cannot be determined until apply' errors. + varType: string + defaultValue: "" + - name: create_service_account + description: Defines if service account specified to run nodes should be created. Explicitly set to false if var.compute_engine_service_account is set to avoid 'value depends on resource attributes that cannot be determined until apply' errors. + varType: bool + defaultValue: true + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster. + varType: bool + defaultValue: true + - name: enable_private_endpoint + description: When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true + varType: bool + defaultValue: true + - name: enable_pod_security_policy + description: enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. 
+ varType: bool + defaultValue: false + - name: gce_pd_csi_driver + description: (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: (Beta) Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE` + varType: string + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: timeouts + description: Timeout for cluster operations. 
+ varType: map(string) + defaultValue: {} + - name: enable_gcfs + description: Enable image streaming on cluster level. + varType: bool + defaultValue: false + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Vulnerability mode. + varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Workload config audit mode. + varType: string + defaultValue: DISABLED + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cluster_id + description: Cluster ID + - name: enable_mesh_certificates + description: Mesh certificate configuration value + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: min_master_version + description: 
Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. + - name: region + description: Cluster region + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: type + description: Cluster type (regional / zonal) + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/safer-cluster/metadata.display.yaml b/modules/safer-cluster/metadata.display.yaml new file mode 100644 index 000000000..f0cb8d8ae --- /dev/null +++ b/modules/safer-cluster/metadata.display.yaml 
@@ -0,0 +1,273 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-safer-cluster-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: "Safer Cluster: How to setup a GKE Kubernetes cluster with reduced exposure" + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/safer-cluster + ui: + input: + variables: + add_cluster_firewall_rules: + name: add_cluster_firewall_rules + title: Add Cluster Firewall Rules + authenticator_security_group: + name: authenticator_security_group + title: Authenticator Security Group + cloudrun: + name: cloudrun + title: Cloudrun + cluster_autoscaling: + name: cluster_autoscaling + title: Cluster Autoscaling + cluster_dns_domain: + name: cluster_dns_domain + title: Cluster Dns Domain + cluster_dns_provider: + name: cluster_dns_provider + title: Cluster Dns Provider + cluster_dns_scope: + name: cluster_dns_scope + title: Cluster Dns Scope + cluster_resource_labels: + name: cluster_resource_labels + title: Cluster Resource Labels + compute_engine_service_account: + name: compute_engine_service_account + title: Compute Engine Service Account + config_connector: + name: config_connector + title: Config Connector + create_service_account: + name: create_service_account + 
title: Create Service Account + database_encryption: + name: database_encryption + title: Database Encryption + datapath_provider: + name: datapath_provider + title: Datapath Provider + default_max_pods_per_node: + name: default_max_pods_per_node + title: Default Max Pods Per Node + deletion_protection: + name: deletion_protection + title: Deletion Protection + description: + name: description + title: Description + disable_default_snat: + name: disable_default_snat + title: Disable Default Snat + dns_cache: + name: dns_cache + title: Dns Cache + enable_confidential_nodes: + name: enable_confidential_nodes + title: Enable Confidential Nodes + enable_cost_allocation: + name: enable_cost_allocation + title: Enable Cost Allocation + enable_gcfs: + name: enable_gcfs + title: Enable Gcfs + enable_intranode_visibility: + name: enable_intranode_visibility + title: Enable Intranode Visibility + enable_l4_ilb_subsetting: + name: enable_l4_ilb_subsetting + title: Enable L4 Ilb Subsetting + enable_mesh_certificates: + name: enable_mesh_certificates + title: Enable Mesh Certificates + enable_pod_security_policy: + name: enable_pod_security_policy + title: Enable Pod Security Policy + enable_private_endpoint: + name: enable_private_endpoint + title: Enable Private Endpoint + enable_shielded_nodes: + name: enable_shielded_nodes + title: Enable Shielded Nodes + enable_vertical_pod_autoscaling: + name: enable_vertical_pod_autoscaling + title: Enable Vertical Pod Autoscaling + filestore_csi_driver: + name: filestore_csi_driver + title: Filestore Csi Driver + firewall_inbound_ports: + name: firewall_inbound_ports + title: Firewall Inbound Ports + firewall_priority: + name: firewall_priority + title: Firewall Priority + gateway_api_channel: + name: gateway_api_channel + title: Gateway Api Channel + gce_pd_csi_driver: + name: gce_pd_csi_driver + title: Gce Pd Csi Driver + gke_backup_agent_config: + name: gke_backup_agent_config + title: Gke Backup Agent Config + grant_registry_access: 
+ name: grant_registry_access + title: Grant Registry Access + horizontal_pod_autoscaling: + name: horizontal_pod_autoscaling + title: Horizontal Pod Autoscaling + http_load_balancing: + name: http_load_balancing + title: Http Load Balancing + initial_node_count: + name: initial_node_count + title: Initial Node Count + ip_range_pods: + name: ip_range_pods + title: Ip Range Pods + ip_range_services: + name: ip_range_services + title: Ip Range Services + istio: + name: istio + title: Istio + istio_auth: + name: istio_auth + title: Istio Auth + kubernetes_version: + name: kubernetes_version + title: Kubernetes Version + logging_service: + name: logging_service + title: Logging Service + maintenance_end_time: + name: maintenance_end_time + title: Maintenance End Time + maintenance_exclusions: + name: maintenance_exclusions + title: Maintenance Exclusions + maintenance_recurrence: + name: maintenance_recurrence + title: Maintenance Recurrence + maintenance_start_time: + name: maintenance_start_time + title: Maintenance Start Time + master_authorized_networks: + name: master_authorized_networks + title: Master Authorized Networks + master_ipv4_cidr_block: + name: master_ipv4_cidr_block + title: Master Ipv4 Cidr Block + monitoring_enable_managed_prometheus: + name: monitoring_enable_managed_prometheus + title: Monitoring Enable Managed Prometheus + monitoring_enabled_components: + name: monitoring_enabled_components + title: Monitoring Enabled Components + monitoring_service: + name: monitoring_service + title: Monitoring Service + name: + name: name + title: Name + network: + name: network + title: Network + network_project_id: + name: network_project_id + title: Network Project Id + node_pools: + name: node_pools + title: Node Pools + node_pools_labels: + name: node_pools_labels + title: Node Pools Labels + node_pools_metadata: + name: node_pools_metadata + title: Node Pools Metadata + node_pools_oauth_scopes: + name: node_pools_oauth_scopes + title: Node Pools Oauth 
Scopes + node_pools_resource_labels: + name: node_pools_resource_labels + title: Node Pools Resource Labels + node_pools_tags: + name: node_pools_tags + title: Node Pools Tags + node_pools_taints: + name: node_pools_taints + title: Node Pools Taints + notification_config_topic: + name: notification_config_topic + title: Notification Config Topic + project_id: + name: project_id + title: Project Id + region: + name: region + title: Region + regional: + name: regional + title: Regional + registry_project_ids: + name: registry_project_ids + title: Registry Project Ids + release_channel: + name: release_channel + title: Release Channel + resource_usage_export_dataset_id: + name: resource_usage_export_dataset_id + title: Resource Usage Export Dataset Id + sandbox_enabled: + name: sandbox_enabled + title: Sandbox Enabled + security_posture_mode: + name: security_posture_mode + title: Security Posture Mode + security_posture_vulnerability_mode: + name: security_posture_vulnerability_mode + title: Security Posture Vulnerability Mode + stub_domains: + name: stub_domains + title: Stub Domains + subnetwork: + name: subnetwork + title: Subnetwork + timeouts: + name: timeouts + title: Timeouts + upstream_nameservers: + name: upstream_nameservers + title: Upstream Nameservers + windows_node_pools: + name: windows_node_pools + title: Windows Node Pools + workload_config_audit_mode: + name: workload_config_audit_mode + title: Workload Config Audit Mode + workload_vulnerability_mode: + name: workload_vulnerability_mode + title: Workload Vulnerability Mode + zones: + name: zones + title: Zones diff --git a/modules/safer-cluster/metadata.yaml b/modules/safer-cluster/metadata.yaml new file mode 100644 index 000000000..a87dbd9d8 --- /dev/null +++ b/modules/safer-cluster/metadata.yaml 
@@ -0,0 +1,528 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-safer-cluster + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: "Safer Cluster: How to setup a GKE Kubernetes cluster with reduced exposure" + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/safer-cluster + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">=1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta 
+ - name: private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - 
name: simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: project_id + description: The project ID to host the cluster in + varType: string + required: true + - name: name + description: The name of the cluster + varType: string + required: true + - name: description + description: The description of the cluster + varType: string + defaultValue: "" + - name: regional + description: "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" + varType: bool + defaultValue: true + - name: region + description: The region to host the cluster in + varType: string + required: true + - name: zones + description: The zones to host the cluster in + varType: list(string) + defaultValue: [] + - name: network + description: The VPC network to host the cluster in + varType: string + required: true + - name: network_project_id + description: The project ID of the shared VPC's host (for shared vpc support) + varType: string + defaultValue: "" + - name: subnetwork + description: The subnetwork to host the cluster in + varType: string + required: true + - name: kubernetes_version + description: "The Kubernetes version of the masters. 
If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. " + varType: string + - name: release_channel + description: The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. + varType: string + defaultValue: REGULAR + - name: gateway_api_channel + description: The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. + varType: string + - name: master_authorized_networks + description: List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). + varType: list(object({ cidr_block = string, display_name = string })) + defaultValue: [] + - name: horizontal_pod_autoscaling + description: Enable horizontal pod autoscaling addon + varType: bool + defaultValue: true + - name: http_load_balancing + description: Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. + varType: bool + defaultValue: true + - name: datapath_provider + description: The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation. + varType: string + defaultValue: ADVANCED_DATAPATH + - name: maintenance_start_time + description: Time window specified for daily maintenance operations in RFC3339 format + varType: string + defaultValue: "05:00" + - name: maintenance_exclusions + description: List of maintenance exclusions. 
A cluster can have up to three + varType: list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) + defaultValue: [] + - name: maintenance_end_time + description: Time window specified for recurring maintenance operations in RFC3339 format + varType: string + defaultValue: "" + - name: maintenance_recurrence + description: Frequency of the recurring maintenance window in RFC5545 format. + varType: string + defaultValue: "" + - name: ip_range_pods + description: The _name_ of the secondary subnet ip range to use for pods + varType: string + required: true + - name: ip_range_services + description: The _name_ of the secondary subnet range to use for services + varType: string + required: true + - name: initial_node_count + description: The number of nodes to create in this cluster's default node pool. + varType: number + defaultValue: 0 + - name: node_pools + description: List of maps containing node pools + varType: list(map(string)) + defaultValue: + - name: default-node-pool + - name: windows_node_pools + description: List of maps containing node pools + varType: list(map(string)) + defaultValue: [] + - name: node_pools_labels + description: Map of maps containing node labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_resource_labels + description: Map of maps containing resource labels by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_metadata + description: Map of maps containing node metadata by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} + - name: node_pools_taints + description: Map of lists containing node taints by node-pool name + varType: map(list(object({ key = string, value = string, effect = string }))) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_tags + description: Map of lists containing node 
network tags by node-pool name + varType: map(list(string)) + defaultValue: + all: [] + default-node-pool: [] + - name: node_pools_oauth_scopes + description: Map of lists containing node oauth scopes by node-pool name + varType: map(list(string)) + defaultValue: + all: + - https://www.googleapis.com/auth/cloud-platform + default-node-pool: [] + - name: cluster_autoscaling + description: Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) + varType: |- + object({ + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + }) + defaultValue: + auto_repair: true + auto_upgrade: true + autoscaling_profile: BALANCED + enabled: false + gpu_resources: [] + max_cpu_cores: 0 + max_memory_gb: 0 + min_cpu_cores: 0 + min_memory_gb: 0 + - name: stub_domains + description: Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server + varType: map(list(string)) + defaultValue: {} + - name: upstream_nameservers + description: If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf + varType: list(string) + defaultValue: [] + - name: logging_service + description: The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none + varType: string + defaultValue: logging.googleapis.com/kubernetes + - name: monitoring_service + description: The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none + varType: string + defaultValue: monitoring.googleapis.com/kubernetes + - name: monitoring_enable_managed_prometheus + description: (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. + varType: bool + defaultValue: false + - name: monitoring_enabled_components + description: "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + varType: list(string) + defaultValue: [] + - name: grant_registry_access + description: Grants created cluster-specific service account storage.objectViewer role. + varType: bool + defaultValue: true + - name: registry_project_ids + description: Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` role is assigned on these projects. + varType: list(string) + defaultValue: [] + - name: cluster_resource_labels + description: The GCE resource labels (a map of key/value pairs) to be applied to the cluster + varType: map(string) + defaultValue: {} + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation to use for the hosted master network + varType: string + defaultValue: 10.0.0.0/28 + - name: istio + description: (Beta) Enable Istio addon + varType: bool + defaultValue: false + - name: istio_auth + description: (Beta) The authentication type between services in Istio. + varType: string + defaultValue: AUTH_MUTUAL_TLS + - name: dns_cache + description: (Beta) The status of the NodeLocal DNSCache addon. + varType: bool + defaultValue: false + - name: cluster_dns_provider + description: Which in-cluster DNS provider should be used. 
PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS. + varType: string + defaultValue: PROVIDER_UNSPECIFIED + - name: cluster_dns_scope + description: "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " + varType: string + defaultValue: DNS_SCOPE_UNSPECIFIED + - name: cluster_dns_domain + description: The suffix used for all cluster service records. + varType: string + defaultValue: "" + - name: default_max_pods_per_node + description: The maximum number of pods to schedule per node + varType: number + defaultValue: 110 + - name: database_encryption + description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + varType: list(object({ state = string, key_name = string })) + defaultValue: + - key_name: "" + state: DECRYPTED + - name: cloudrun + description: (Beta) Enable CloudRun addon + varType: bool + defaultValue: false + - name: resource_usage_export_dataset_id + description: The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. + varType: string + defaultValue: "" + - name: enable_cost_allocation + description: Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery + varType: bool + defaultValue: false + - name: sandbox_enabled + description: (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). + varType: bool + defaultValue: false + - name: enable_intranode_visibility + description: Whether Intra-node visibility is enabled for this cluster. 
This makes same node pod to pod traffic visible for VPC network + varType: bool + defaultValue: false + - name: enable_l4_ilb_subsetting + description: Enable L4 ILB Subsetting on the cluster + varType: bool + defaultValue: false + - name: enable_vertical_pod_autoscaling + description: Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it + varType: bool + defaultValue: false + - name: authenticator_security_group + description: The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com + varType: string + - name: compute_engine_service_account + description: Use the given service account for nodes rather than creating a new dedicated service account. If set then also set var.create_service_account to false to avoid 'value depends on resource attributes that cannot be determined until apply' errors. + varType: string + defaultValue: "" + - name: create_service_account + description: Defines if service account specified to run nodes should be created. Explicitly set to false if var.compute_engine_service_account is set to avoid 'value depends on resource attributes that cannot be determined until apply' errors. + varType: bool + defaultValue: true + - name: enable_shielded_nodes + description: Enable Shielded Nodes features on all nodes in this cluster. + varType: bool + defaultValue: true + - name: enable_private_endpoint + description: When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true + varType: bool + defaultValue: true + - name: enable_pod_security_policy + description: enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. 
+ varType: bool + defaultValue: false + - name: gce_pd_csi_driver + description: (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. + varType: bool + defaultValue: true + - name: filestore_csi_driver + description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes + varType: bool + defaultValue: false + - name: add_cluster_firewall_rules + description: Create additional firewall rules + varType: bool + defaultValue: false + - name: firewall_priority + description: Priority rule for firewall rules + varType: number + defaultValue: 1000 + - name: firewall_inbound_ports + description: List of TCP ports for admission/webhook controllers + varType: list(string) + defaultValue: + - "8443" + - "9443" + - "15017" + - name: config_connector + description: Whether ConfigConnector is enabled for this cluster. + varType: bool + defaultValue: false + - name: gke_backup_agent_config + description: (Beta) Whether Backup for GKE agent is enabled for this cluster. + varType: bool + defaultValue: false + - name: security_posture_mode + description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. + varType: string + defaultValue: DISABLED + - name: security_posture_vulnerability_mode + description: Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE` + varType: string + - name: disable_default_snat + description: Whether to disable the default SNAT to support the private use of public IP addresses + varType: bool + defaultValue: false + - name: notification_config_topic + description: The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. + varType: string + defaultValue: "" + - name: timeouts + description: Timeout for cluster operations. 
+ varType: map(string) + defaultValue: {} + - name: enable_gcfs + description: Enable image streaming on cluster level. + varType: bool + defaultValue: false + - name: enable_mesh_certificates + description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. + varType: bool + defaultValue: false + - name: workload_vulnerability_mode + description: (beta) Vulnerability mode. + varType: string + defaultValue: "" + - name: workload_config_audit_mode + description: (beta) Workload config audit mode. + varType: string + defaultValue: DISABLED + - name: deletion_protection + description: Whether or not to allow Terraform to destroy the cluster. + varType: bool + defaultValue: true + - name: enable_confidential_nodes + description: An optional flag to enable confidential node config. + varType: bool + defaultValue: false + outputs: + - name: ca_certificate + description: Cluster ca certificate (base64 encoded) + - name: cluster_id + description: Cluster ID + - name: enable_mesh_certificates + description: Mesh certificate configuration value + - name: endpoint + description: Cluster endpoint + - name: endpoint_dns + description: Cluster endpoint DNS + - name: horizontal_pod_autoscaling_enabled + description: Whether horizontal pod autoscaling enabled + - name: http_load_balancing_enabled + description: Whether http load balancing enabled + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster) + - name: logging_service + description: Logging service used + - name: master_authorized_networks_config + description: Networks from which access to master is permitted + - name: master_ipv4_cidr_block + description: The IP range in CIDR notation used for the hosted master network + - name: master_version + description: Current master kubernetes version + - name: min_master_version + description: 
Minimum master kubernetes version + - name: monitoring_service + description: Monitoring service used + - name: name + description: Cluster name + - name: network_policy_enabled + description: Whether network policy enabled + - name: node_pools_names + description: List of node pools names + - name: node_pools_versions + description: Node pool versions by node pool name + - name: peering_name + description: The name of the peering between this cluster and the Google owned VPC. + - name: region + description: Cluster region + - name: service_account + description: The service account to default running nodes as if not overridden in `node_pools`. + - name: type + description: Cluster type (regional / zonal) + - name: zones + description: List of zones in which the cluster resides diff --git a/modules/workload-identity/metadata.display.yaml b/modules/workload-identity/metadata.display.yaml new file mode 100644 index 000000000..70845bcb6 --- /dev/null +++ b/modules/workload-identity/metadata.display.yaml 
@@ -0,0 +1,93 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-workload-identity-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: terraform-google-workload-identity + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/workload-identity + ui: + input: + variables: + additional_projects: + name: additional_projects + title: Additional Projects + annotate_k8s_sa: + name: annotate_k8s_sa + title: Annotate K8s Sa + automount_service_account_token: + name: automount_service_account_token + title: Automount Service Account Token + cluster_name: + name: cluster_name + title: Cluster Name + gcp_sa_create_ignore_already_exists: + name: gcp_sa_create_ignore_already_exists + title: Gcp Sa Create Ignore Already Exists + gcp_sa_description: + name: gcp_sa_description + title: Gcp Sa Description + gcp_sa_display_name: + name: gcp_sa_display_name + title: Gcp Sa Display Name + gcp_sa_name: + name: gcp_sa_name + title: Gcp Sa Name + image_pull_secrets: + name: image_pull_secrets + title: Image Pull Secrets + impersonate_service_account: + name: impersonate_service_account + title: Impersonate Service Account + k8s_sa_name: + name: k8s_sa_name + title: K8s Sa Name + k8s_sa_project_id: + name: 
k8s_sa_project_id + title: K8s Sa Project Id + location: + name: location + title: Location + module_depends_on: + name: module_depends_on + title: Module Depends On + name: + name: name + title: Name + namespace: + name: namespace + title: Namespace + project_id: + name: project_id + title: Project Id + roles: + name: roles + title: Roles + use_existing_context: + name: use_existing_context + title: Use Existing Context + use_existing_gcp_sa: + name: use_existing_gcp_sa + title: Use Existing Gcp Sa + use_existing_k8s_sa: + name: use_existing_k8s_sa + title: Use Existing K8s Sa diff --git a/modules/workload-identity/metadata.yaml b/modules/workload-identity/metadata.yaml new file mode 100644 index 000000000..45a4f40a4 --- /dev/null +++ b/modules/workload-identity/metadata.yaml 
@@ -0,0 +1,213 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-kubernetes-engine-workload-identity + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: terraform-google-workload-identity + source: + repo: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git + sourceType: git + dir: /modules/workload-identity + version: 36.0.2 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + examples: + - name: autopilot_private_firewalls + location: examples/autopilot_private_firewalls + - name: confidential_safer_cluster + location: examples/confidential_safer_cluster + - name: deploy_service + location: examples/deploy_service + - name: disable_client_cert + location: examples/disable_client_cert + - name: island_cluster_anywhere_in_gcp_design + location: examples/island_cluster_anywhere_in_gcp_design + - name: island_cluster_with_vm_router + location: examples/island_cluster_with_vm_router + - name: node_pool + location: examples/node_pool + - name: node_pool_update_variant + location: examples/node_pool_update_variant + - name: node_pool_update_variant_beta + location: examples/node_pool_update_variant_beta + - name: node_pool_update_variant_public_beta + location: examples/node_pool_update_variant_public_beta + - name: 
private_zonal_with_networking + location: examples/private_zonal_with_networking + - name: regional_private_node_pool_oauth_scopes + location: examples/regional_private_node_pool_oauth_scopes + - name: safer_cluster + location: examples/safer_cluster + - name: safer_cluster_iap_bastion + location: examples/safer_cluster_iap_bastion + - name: shared_vpc + location: examples/shared_vpc + - name: simple_autopilot_private + location: examples/simple_autopilot_private + - name: simple_autopilot_private_cmek + location: examples/simple_autopilot_private_cmek + - name: simple_autopilot_private_non_default_sa + location: examples/simple_autopilot_private_non_default_sa + - name: simple_autopilot_public + location: examples/simple_autopilot_public + - name: simple_fleet_app_operator_permissions + location: examples/simple_fleet_app_operator_permissions + - name: simple_regional + location: examples/simple_regional + - name: simple_regional_beta + location: examples/simple_regional_beta + - name: simple_regional_cluster_autoscaling + location: examples/simple_regional_cluster_autoscaling + - name: simple_regional_private + location: examples/simple_regional_private + - name: simple_regional_private_beta + location: examples/simple_regional_private_beta + - name: simple_regional_private_with_cluster_version + location: examples/simple_regional_private_with_cluster_version + - name: simple_regional_with_gateway_api + location: examples/simple_regional_with_gateway_api + - name: simple_regional_with_ipv6 + location: examples/simple_regional_with_ipv6 + - name: simple_regional_with_kubeconfig + location: examples/simple_regional_with_kubeconfig + - name: simple_regional_with_networking + location: examples/simple_regional_with_networking + - name: simple_windows_node_pool + location: examples/simple_windows_node_pool + - name: simple_zonal_private + location: examples/simple_zonal_private + - name: simple_zonal_with_hub + location: examples/simple_zonal_with_hub + - name: 
simple_zonal_with_hub_kubeconfig + location: examples/simple_zonal_with_hub_kubeconfig + - name: stub_domains + location: examples/stub_domains + - name: stub_domains_private + location: examples/stub_domains_private + - name: stub_domains_upstream_nameservers + location: examples/stub_domains_upstream_nameservers + - name: terraform + location: examples/acm-terraform-blog-part1/terraform + - name: terraform + location: examples/acm-terraform-blog-part2/terraform + - name: terraform + location: examples/acm-terraform-blog-part3/terraform + - name: upstream_nameservers + location: examples/upstream_nameservers + - name: workload_identity + location: examples/workload_identity + - name: workload_metadata_config + location: examples/workload_metadata_config + interfaces: + variables: + - name: name + description: Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. + varType: string + required: true + - name: project_id + description: GCP project ID + varType: string + required: true + - name: gcp_sa_name + description: Name for the Google service account; overrides `var.name`. + varType: string + - name: use_existing_gcp_sa + description: Use an existing Google service account instead of creating one + varType: bool + defaultValue: false + - name: cluster_name + description: Cluster name. Required if using existing KSA. + varType: string + defaultValue: "" + - name: location + description: Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. + varType: string + defaultValue: "" + - name: k8s_sa_name + description: Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. + varType: string + - name: k8s_sa_project_id + description: GCP project ID of the k8s service account; overrides `var.project_id`. 
+ varType: string + - name: namespace + description: Namespace for the Kubernetes service account + varType: string + defaultValue: default + - name: use_existing_k8s_sa + description: Use an existing kubernetes service account instead of creating one + varType: bool + defaultValue: false + - name: annotate_k8s_sa + description: Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. + varType: bool + defaultValue: true + - name: automount_service_account_token + description: Enable automatic mounting of the service account token + varType: bool + defaultValue: false + - name: image_pull_secrets + description: A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account + varType: list(string) + defaultValue: [] + - name: roles + description: A list of roles to be added to the created service account + varType: list(string) + defaultValue: [] + - name: impersonate_service_account + description: An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. + varType: string + defaultValue: "" + - name: use_existing_context + description: An optional flag to use local kubectl config context. + varType: bool + defaultValue: false + - name: module_depends_on + description: List of modules or resources to depend on before annotating KSA. If multiple, all items must be the same type. 
+ varType: list(any) + defaultValue: [] + - name: additional_projects + description: A list of roles to be added to the created service account for additional projects + varType: map(list(string)) + defaultValue: {} + - name: gcp_sa_display_name + description: The Google service account display name; if null, a default string will be used + varType: string + - name: gcp_sa_description + description: The Service Google service account desciption; if null, will be left out + varType: string + - name: gcp_sa_create_ignore_already_exists + description: If set to true, skip service account creation if a service account with the same email already exists. + varType: bool + outputs: + - name: gcp_service_account + description: GCP service account. + - name: gcp_service_account_email + description: Email address of GCP service account. + - name: gcp_service_account_fqn + description: FQN of GCP service account. + - name: gcp_service_account_name + description: Name of GCP service account. + - name: k8s_service_account_name + description: Name of k8s service account. + - name: k8s_service_account_namespace + description: Namespace of k8s service account.
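Review bot: The `content.examples` list in the new `modules/workload-identity/metadata.yaml` enumerates every example under the repository root, including three entries all named `terraform` for the `acm-terraform-blog-part*` directories, although `spec.info.source.dir` is `/modules/workload-identity` and only `examples/workload_identity` appears to exercise this submodule; this looks like the generator walked the repo root rather than the module directory, so the generation run should be checked and the file regenerated rather than hand-edited. Two descriptions also mislead on an IAM-relevant input: `additional_projects` is declared `map(list(string))` but described as "A list of roles", while the keys are presumably project IDs and each value the roles granted to the Google service account in that project — wording such as `description: Map of additional project IDs to the IAM roles granted to the Google service account in each of them` in the module's variables.tf would carry through on regeneration. `gcp_sa_description` carries the typo `desciption`. I am assuming the hunk ends with the `k8s_service_account_namespace` output, matching how the root module's metadata ends.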