From 7d50b793781f0cd2aed32e03a3a1cbc2125b21b4 Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Thu, 25 Sep 2025 22:46:07 -0400
Subject: [PATCH 1/8] fix ranges variable

Signed-off-by: drfaust92
---
 autogen/main/cluster.tf.tmpl | 4 ++--
 cluster.tf | 4 ++--
 modules/beta-autopilot-private-cluster/cluster.tf | 4 ++--
 modules/beta-autopilot-public-cluster/cluster.tf | 4 ++--
 modules/beta-private-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-private-cluster/cluster.tf | 4 ++--
 modules/beta-public-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-public-cluster/cluster.tf | 4 ++--
 modules/private-cluster-update-variant/cluster.tf | 4 ++--
 modules/private-cluster/cluster.tf | 4 ++--
 10 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 0dd5a4aec2..384f1d8dab 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -557,8 +557,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/cluster.tf b/cluster.tf
index e9f0765be3..e1221b0868 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -424,8 +424,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 582d0c42d8..f33f8886ed 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -325,8 +325,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 4b58fa1122..545e33c5f0 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -325,8 +325,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 010851c0cc..d5e373147f 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 4a7c30bbbf..6b8d98ba24 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 1a8912df2d..2b44363ae3 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index b95f83f356..3b7bc84c8d 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 8700f849e0..6896da7bd6 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -424,8 +424,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index d48a2f9836..f6cf1d272e 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -424,8 +424,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
+        subnetwork = var.additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
From 2853d0ad232b0aaa695eda6760bafd9170e1a102 Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Sat, 27 Sep 2025 21:59:31 -0400
Subject: [PATCH 2/8] CR comments

Signed-off-by: drfaust92
---
 autogen/main/cluster.tf.tmpl | 4 ++--
 cluster.tf | 4 ++--
 modules/beta-autopilot-private-cluster/cluster.tf | 4 ++--
 modules/beta-autopilot-public-cluster/cluster.tf | 4 ++--
 modules/beta-private-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-private-cluster/cluster.tf | 4 ++--
 modules/beta-public-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-public-cluster/cluster.tf | 4 ++--
 modules/private-cluster-update-variant/cluster.tf | 4 ++--
 modules/private-cluster/cluster.tf | 4 ++--
 10 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 384f1d8dab..ea4ae487cd 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -557,8 +557,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/cluster.tf b/cluster.tf
index e1221b0868..47e9451f5d 100644
--- a/cluster.tf
+++ b/cluster.tf
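Review bot: The `subnetwork` attribute inside `dynamic "additional_ip_ranges_config"` carries no comment about the form a caller must pass, and this template is the one place where a note would propagate to every generated module. Later patches in this series move the example from `var.subnetwork` to a full `projects/…/regions/…/subnetworks/…` string, and the recorded API response in the test data holds that same form, which suggests a bare subnetwork name does not round-trip cleanly (the provider's exact handling is not visible here). I would add `# subnetwork: full resource path, e.g. projects/P/regions/R/subnetworks/N (see examples/node_pool)` above `subnetwork = additional_ip_ranges_config.value.subnetwork` and state the same in the `additional_ip_ranges_config` variable description, which today only says "the configuration for individual additional subnetworks attached to the cluster". The enclosing `google_container_cluster` resource block starts and ends outside the hunk.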
@@ -424,8 +424,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index f33f8886ed..848e2f9b7c 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -325,8 +325,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 545e33c5f0..74ffc75025 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -325,8 +325,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index d5e373147f..5df5f3e0e0 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 6b8d98ba24..b5006e6365 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 2b44363ae3..0d3a3b285d 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 3b7bc84c8d..3e60118cc7 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -461,8 +461,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 6896da7bd6..47b5769c14 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -424,8 +424,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index f6cf1d272e..6692870264 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -424,8 +424,8 @@ resource "google_container_cluster" "primary" {
     dynamic "additional_ip_ranges_config" {
       for_each = var.additional_ip_ranges_config
       content {
-        subnetwork = var.additional_ip_ranges_config.value.subnetwork
-        pod_ipv4_range_names = var.additional_ip_ranges_config.value.pod_ipv4_range_names
+        subnetwork = additional_ip_ranges_config.value.subnetwork
+        pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
     stack_type = var.stack_type
From 177378f4ca520e6dfa2683d0a6df903a3559a23a Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Thu, 2 Oct 2025 20:54:41 -0400
Subject: [PATCH 3/8] add tests

Signed-off-by: drfaust92
---
 examples/node_pool/main.tf | 7 +++++++
 examples/node_pool/test_outputs.tf | 5 +++++
 examples/node_pool/variables.tf | 4 ++++
 test/fixtures/node_pool/outputs.tf | 5 +++++
 test/integration/node_pool/testdata/TestNodePool.json | 8 +++++++-
 5 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 37a19e87da..0b8428e78d 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -61,6 +61,13 @@ module "gke" {
   logging_variant = "MAX_THROUGHPUT"
   dns_allow_external_traffic = true
 
+  additional_ip_ranges_config = [
+    {
+      subnetwork = var.subnetwork
+      pod_ipv4_range_names = [var.additional_ip_pod_range]
+    }
+  ]
+
   resource_manager_tags = {
     "${var.project_id}/${google_tags_tag_key.key.short_name}" = google_tags_tag_value.value.short_name
   }
diff --git a/examples/node_pool/test_outputs.tf b/examples/node_pool/test_outputs.tf
index e64c40e477..182d412acd 100644
--- a/examples/node_pool/test_outputs.tf
+++ b/examples/node_pool/test_outputs.tf
@@ -52,6 +52,11 @@ output "ip_range_services" {
   value = var.ip_range_services
 }
 
+output "additional_ip_range_pods" {
+  description = "The secondary IP range used for pods in the additional range"
+  value = var.additional_ip_pod_range
+}
+
 output "zones" {
   description = "List of zones in which the cluster resides"
   value = module.gke.zones
diff --git a/examples/node_pool/variables.tf b/examples/node_pool/variables.tf
index 4f3128ce7c..f496b4d9bd 100644
--- a/examples/node_pool/variables.tf
+++ b/examples/node_pool/variables.tf
@@ -48,6 +48,10 @@ variable "ip_range_services" {
   description = "The secondary ip range to use for services"
 }
 
+variable "additional_ip_pod_range" {
+  description = "The secondary ip range to use for pods in the additional range"
+}
+
 variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
diff --git a/test/fixtures/node_pool/outputs.tf b/test/fixtures/node_pool/outputs.tf
index eae00cd565..0259cb3b88 100644
--- a/test/fixtures/node_pool/outputs.tf
+++ b/test/fixtures/node_pool/outputs.tf
@@ -49,6 +49,11 @@ output "ip_range_services" {
   value = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 }
 
+output "additional_ip_range_pods" {
+  description = "The secondary IP range used for pods in the additional range"
+  value = google_compute_subnetwork.main.secondary_ip_range[2].range_name
+}
+
 output "zones" {
   description = "List of zones in which the cluster resides"
   value = module.example.zones
diff --git a/test/integration/node_pool/testdata/TestNodePool.json b/test/integration/node_pool/testdata/TestNodePool.json
index 3c4014a0c1..51d4ff6b0f 100644
--- a/test/integration/node_pool/testdata/TestNodePool.json
+++ b/test/integration/node_pool/testdata/TestNodePool.json
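Review bot: `variable "additional_ip_pod_range"` is declared without a `type`, so the README rows added later in this series render it as `any`, and a wrong value (a list, say) is only rejected once the module evaluates `pod_ipv4_range_names = [var.additional_ip_pod_range]` rather than at variable validation. Add `type = string` under the description. The neighbouring `ip_range_services` and `compute_engine_service_account` variables visible in the hunk are untyped as well, so this would be a first step toward typing the example rather than a consistency fix.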
@@ -90,7 +90,13 @@
       "servicesIpv4CidrBlock": "192.168.64.0/18",
       "servicesSecondaryRangeName": "cft-gke-test-services-RANDOM_STRING",
       "stackType": "IPV4",
-      "useIpAliases": true
+      "useIpAliases": true,
+      "additionalIpRangesConfigs": [
+        {
+          "subnetwork": "projects/PROJECT_ID/regions/europe-west4/subnetworks/cft-gke-test-RANDOM_STRING",
+          "podIpv4RangeNames": ["test"]
+        }
+      ]
     },
     "labelFingerprint": "78cdf2f6",
     "legacyAbac": {},
From faed61b984cf2b69329b7e40169c69dccf3c346c Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Thu, 2 Oct 2025 21:00:59 -0400
Subject: [PATCH 4/8] add tests

Signed-off-by: drfaust92
---
 examples/node_pool/README.md | 2 ++
 test/fixtures/node_pool/example.tf | 1 +
 2 files changed, 3 insertions(+)

diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md
index b032cd2fa5..2eb555daae 100644
--- a/examples/node_pool/README.md
+++ b/examples/node_pool/README.md
@@ -7,6 +7,7 @@ This example illustrates how to create a cluster with multiple custom node-pool
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| additional\_ip\_pod\_range | The secondary ip range to use for pods in the additional range | `any` | n/a | yes |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({
resource_type = string
minimum = number
maximum = number
}))
auto_repair = bool
auto_upgrade = bool
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes |
@@ -22,6 +23,7 @@ This example illustrates how to create a cluster with multiple custom node-pool
 
 | Name | Description |
 |------|-------------|
+| additional\_ip\_range\_pods | The secondary IP range used for pods in the additional range |
 | ca\_certificate | n/a |
 | client\_token | n/a |
 | cluster\_name | Cluster name |
diff --git a/test/fixtures/node_pool/example.tf b/test/fixtures/node_pool/example.tf
index 673298e488..0639934b8a 100644
--- a/test/fixtures/node_pool/example.tf
+++ b/test/fixtures/node_pool/example.tf
@@ -29,6 +29,7 @@ module "example" {
   subnetwork = google_compute_subnetwork.main.name
   ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
   ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  additional_ip_pod_range = google_compute_subnetwork.main.secondary_ip_range[2].range_name
   compute_engine_service_account = local.compute_engine_service_account
 
   cluster_autoscaling = {
From b5d6784a7a0411fb674e934137539f8b67fb1726 Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Wed, 8 Oct 2025 14:08:59 -0400
Subject: [PATCH 5/8] add tests

Signed-off-by: drfaust92
---
 examples/node_pool/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 0b8428e78d..3b509789da 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -63,7 +63,7 @@ module "gke" {
 
   additional_ip_ranges_config = [
     {
-      subnetwork = var.subnetwork
+      subnetwork = "projects/${var.project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
       pod_ipv4_range_names = [var.additional_ip_pod_range]
     }
   ]
From 6b7692a96ec0258c7a799bbbaa34ab646038ad62 Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Wed, 8 Oct 2025 17:20:24 -0400
Subject: [PATCH 6/8] align tests

Signed-off-by: drfaust92
---
 examples/node_pool/main.tf | 2 +-
 examples/node_pool/variables.tf | 4 ++++
 test/fixtures/node_pool/example.tf | 21 ++++++++++---------
 test/fixtures/node_pool/network.tf | 12 +++++++++++
 .../node_pool/testdata/TestNodePool.json | 4 ++--
 5 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 3b509789da..595bafc6ae 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -63,7 +63,7 @@ module "gke" {
 
   additional_ip_ranges_config = [
     {
-      subnetwork = "projects/${var.project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
+      subnetwork = "projects/${var.project_id}/regions/${var.region}/subnetworks/${var.additional_ip_pod_range_subnetwork}"
       pod_ipv4_range_names = [var.additional_ip_pod_range]
     }
   ]
diff --git a/examples/node_pool/variables.tf b/examples/node_pool/variables.tf
index f496b4d9bd..24d7b6aa41 100644
--- a/examples/node_pool/variables.tf
+++ b/examples/node_pool/variables.tf
@@ -48,6 +48,10 @@ variable "ip_range_services" {
   description = "The secondary ip range to use for services"
 }
 
+variable "additional_ip_pod_range_subnetwork" {
+  description = "The subnetwork to host the additional pod range in"
+}
+
 variable "additional_ip_pod_range" {
   description = "The secondary ip range to use for pods in the additional range"
 }
diff --git a/test/fixtures/node_pool/example.tf b/test/fixtures/node_pool/example.tf
index 0639934b8a..2ebc0f1ef4 100644
--- a/test/fixtures/node_pool/example.tf
+++ b/test/fixtures/node_pool/example.tf
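Review bot: `variable "additional_ip_pod_range_subnetwork"` has neither a `type` nor a description of the form it must take, yet `examples/node_pool/main.tf` in this same patch interpolates it into `"projects/${var.project_id}/regions/${var.region}/subnetworks/${var.additional_ip_pod_range_subnetwork}"`, so only a bare subnetwork name in the cluster's own project and region can work, and a self-link or a subnet from another region silently yields a malformed path instead of an error. I would declare it as `type = string` with `description = "Name (not a self-link) of the subnetwork, in the cluster's project and region, that hosts the additional pod range"`, and optionally a `validation` block rejecting values that contain `/`. The adjacent `additional_ip_pod_range`, visible as context, stays untyped for the same reason.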
@@ -21,16 +21,17 @@ locals {
 module "example" {
   source = "../../../examples/node_pool"
 
-  project_id = var.project_ids[0]
-  cluster_name_suffix = "-${random_string.suffix.result}"
-  region = "europe-west4"
-  zones = ["europe-west4-b"]
-  network = google_compute_network.main.name
-  subnetwork = google_compute_subnetwork.main.name
-  ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
-  ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
-  additional_ip_pod_range = google_compute_subnetwork.main.secondary_ip_range[2].range_name
-  compute_engine_service_account = local.compute_engine_service_account
+  project_id = var.project_ids[0]
+  cluster_name_suffix = "-${random_string.suffix.result}"
+  region = "europe-west4"
+  zones = ["europe-west4-b"]
+  network = google_compute_network.main.name
+  subnetwork = google_compute_subnetwork.main.name
+  ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  additional_ip_pod_range_subnetwork = google_compute_subnetwork.secondary.name
+  additional_ip_pod_range = google_compute_subnetwork.secondary.secondary_ip_range[0].range_name
+  compute_engine_service_account = local.compute_engine_service_account
 
   cluster_autoscaling = {
     enabled = true
diff --git a/test/fixtures/node_pool/network.tf b/test/fixtures/node_pool/network.tf
index 13e6e76076..dd585f05d1 100644
--- a/test/fixtures/node_pool/network.tf
+++ b/test/fixtures/node_pool/network.tf
@@ -50,3 +50,15 @@ resource "google_compute_subnetwork" "main" {
     ip_cidr_range = "172.16.0.0/18"
   }
 }
+
+resource "google_compute_subnetwork" "secondary" {
+  name = "cft-gke-test-2-${random_string.suffix.result}"
+  ip_cidr_range = "10.1.0.0/17"
+  region = "europe-west4"
+  network = google_compute_network.main.self_link
+
+  secondary_ip_range {
+    range_name = "test2"
+    ip_cidr_range = "172.18.0.0/18"
+  }
+}
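Review bot: The fixture now feeds the module `google_compute_subnetwork.secondary.secondary_ip_range[0].range_name` (`test2`), but `test/fixtures/node_pool/outputs.tf`, added two patches earlier and untouched here, still exports `additional_ip_range_pods` as `google_compute_subnetwork.main.secondary_ip_range[2].range_name`, so the integration test's output no longer names the range the cluster was actually given, and it may fail to plan if the main subnetwork has no third secondary range (that file is not visible here). Change the fixture output to `value = module.example.additional_ip_range_pods`, which the example already exposes from `var.additional_ip_pod_range`, so the two cannot drift again. The `module "example"` block continues past the hunk.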
diff --git a/test/integration/node_pool/testdata/TestNodePool.json b/test/integration/node_pool/testdata/TestNodePool.json
index 51d4ff6b0f..d55ac2dfd8 100644
--- a/test/integration/node_pool/testdata/TestNodePool.json
+++ b/test/integration/node_pool/testdata/TestNodePool.json
@@ -93,8 +93,8 @@
       "useIpAliases": true,
       "additionalIpRangesConfigs": [
         {
-          "subnetwork": "projects/PROJECT_ID/regions/europe-west4/subnetworks/cft-gke-test-RANDOM_STRING",
-          "podIpv4RangeNames": ["test"]
+          "subnetwork": "projects/PROJECT_ID/regions/europe-west4/subnetworks/cft-gke-test-2-RANDOM_STRING",
+          "podIpv4RangeNames": ["test2"]
         }
       ]
     },
From 98b64fa2fba9fbb74982822e96640796cb1f9061 Mon Sep 17 00:00:00 2001
From: drfaust92
Date: Thu, 9 Oct 2025 10:21:45 -0400
Subject: [PATCH 7/8] add tests

Signed-off-by: drfaust92
---
 examples/node_pool/README.md | 1 +
 .../README.md | 204 ------------------
 2 files changed, 1 insertion(+), 204 deletions(-)

diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md
index 2eb555daae..6bcd09c49c 100644
--- a/examples/node_pool/README.md
+++ b/examples/node_pool/README.md
@@ -8,6 +8,7 @@ This example illustrates how to create a cluster with multiple custom node-pool
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | additional\_ip\_pod\_range | The secondary ip range to use for pods in the additional range | `any` | n/a | yes |
+| additional\_ip\_pod\_range\_subnetwork | The subnetwork to host the additional pod range in | `any` | n/a | yes |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({
resource_type = string
minimum = number
maximum = number
}))
auto_repair = bool
auto_upgrade = bool
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes |
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 353a3cd865..e99cddeaa3 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -167,210 +167,6 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | -| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | -| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | -| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | -| additional\_ip\_ranges\_config | the configuration for individual additional subnetworks attached to the cluster | `list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))` | `[]` | no | -| additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no | -| anonymous\_authentication\_config\_mode | Allows users to restrict or enable anonymous access to the cluster. Valid values are `ENABLED` and `LIMITED`. | `string` | `null` | no | -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. 
For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | -| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | -| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = optional(number)
max_cpu_cores = optional(number)
min_memory_gb = optional(number)
max_memory_gb = optional(number)
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | -| cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | -| cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | -| cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | -| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | -| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | -| config\_connector | Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | -| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | -| create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | -| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | -| default\_compute\_class\_enabled | Enable Spot VMs as the default compute class for Node Auto-Provisioning | `bool` | `null` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | -| deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no | -| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | -| description | The description of the cluster | `string` | `""` | no | -| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | -| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | -| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no | -| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | -| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | -| enable\_confidential\_nodes | An optional flag to enable confidential node config. 
| `bool` | `false` | no | -| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | -| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | -| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | -| enable\_identity\_service | (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. NOTE: Starting on July 1, 2025, new Google Cloud organizations that you create won't support Identity Service for GKE. | `bool` | `false` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | -| enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | -| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | -| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | -| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. 
When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | -| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | -| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | -| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | -| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | -| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | -| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | -| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | -| enterprise\_config | (Optional) Enable or disable GKE enterprise. Valid values are STANDARD and ENTERPRISE. 
| `string` | `null` | no | -| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | -| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | -| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | -| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | -| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | -| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | -| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no | -| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | -| gke\_auto\_upgrade\_config\_patch\_mode | The selected auto-upgrade patch type. Accepted values are: `ACCELERATED`: Upgrades to the latest available patch version in a given minor and release channel. | `string` | `null` | no | -| gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | -| hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | -| http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | -| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. 
(Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | -| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | -| ip\_endpoints\_enabled | (Optional) Controls whether to allow direct IP access. Defaults to `true`. | `bool` | `null` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| istio | (Beta) Enable Istio addon | `bool` | `false` | no | -| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | -| kalm\_config | (Beta) Whether KALM is enabled for this cluster. 
| `bool` | `false` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | -| logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | -| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | -| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | -| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | -| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | -| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | -| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
| `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no | -| monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no | -| monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | -| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR, DCGM, and JOBSET. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. JOBSET is only supported in GKE 1.32.1-gke.1357001 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | -| name | The name of the cluster (required) | `string` | n/a | yes | -| network | The VPC network to host the cluster in (required) | `string` | n/a | yes | -| network\_policy | Enable network policy addon | `bool` | `false` | no | -| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | -| node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | -| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | -| node\_pools\_hugepage\_size\_1g | Map of strings containing hugepage size 1g config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | -| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | -| node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | -| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | -| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | -| parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no | -| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | -| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | -| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | -| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | -| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | -| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | -| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | -| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no | -| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | -| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. 
| `string` | `"VULNERABILITY_DISABLED"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | -| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | -| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | -| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | -| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | -| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | -| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | -| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | -| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | -| total\_egress\_bandwidth\_tier | Specifies the total network bandwidth tier for NodePools in the cluster. Valid values are `TIER_UNSPECIFIED` and `TIER_1`. Defaults to `TIER_UNSPECIFIED`. | `string` | `null` | no | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | -| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no | -| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. 
| `string` | `""` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| cluster\_id | Cluster ID | -| dns\_cache\_enabled | Whether DNS Cache enabled | -| endpoint | Cluster endpoint | -| endpoint\_dns | Cluster endpoint DNS | -| fleet\_membership | Fleet membership (if registered) | -| gateway\_api\_channel | The gateway api channel of this cluster. | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity pool | -| identity\_service\_enabled | Whether Identity Service is enabled | -| instance\_group\_urls | List of GKE generated instance groups | -| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | -| master\_version | Current master kubernetes version | -| mesh\_certificates\_config | Mesh certificates configuration | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | Node pool versions by node pool name | -| peering\_name | The name of the peering between this cluster and the Google owned VPC. 
| -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| release\_channel | The release channel of this cluster | -| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | -| type | Cluster type (regional / zonal) | -| vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | -| zones | List of zones in which the cluster resides | - ## node_pools variable From e5035ebe39c2de0b7d71aa16b8bfc1ae12a05df4 Mon Sep 17 00:00:00 2001 From: drfaust92 Date: Thu, 9 Oct 2025 12:41:43 -0400 Subject: [PATCH 8/8] add tests Signed-off-by: drfaust92 --- .../README.md | 204 ++++++++++++++++++ 1 file changed, 204 insertions(+) diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index e99cddeaa3..353a3cd865 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -167,6 +167,210 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | +| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | +| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | +| additional\_ip\_ranges\_config | the configuration for individual additional subnetworks attached to the cluster | `list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))` | `[]` | no | +| additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no | +| anonymous\_authentication\_config\_mode | Allows users to restrict or enable anonymous access to the cluster. Valid values are `ENABLED` and `LIMITED`. | `string` | `null` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. 
For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | +| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | +| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = optional(number)
max_cpu_cores = optional(number)
min_memory_gb = optional(number)
max_memory_gb = optional(number)
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | +| cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | +| cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | +| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | +| cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | +| config\_connector | Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | +| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | +| create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | +| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | +| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | +| default\_compute\_class\_enabled | Enable Spot VMs as the default compute class for Node Auto-Provisioning | `bool` | `null` | no | +| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | +| deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no | +| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | +| description | The description of the cluster | `string` | `""` | no | +| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | +| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | +| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no | +| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. 
| `bool` | `false` | no | +| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | +| enable\_identity\_service | (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. NOTE: Starting on July 1, 2025, new Google Cloud organizations that you create won't support Identity Service for GKE. | `bool` | `false` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | +| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. 
When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | +| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | +| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | +| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | +| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | +| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | +| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | +| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | +| enterprise\_config | (Optional) Enable or disable GKE enterprise. Valid values are STANDARD and ENTERPRISE. 
| `string` | `null` | no | +| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | +| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | +| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | +| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | +| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | +| gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no | +| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | +| gke\_auto\_upgrade\_config\_patch\_mode | The selected auto-upgrade patch type. Accepted values are: `ACCELERATED`: Upgrades to the latest available patch version in a given minor and release channel. | `string` | `null` | no | +| gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | +| hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | +| http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | +| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. 
(Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | +| ip\_endpoints\_enabled | (Optional) Controls whether to allow direct IP access. Defaults to `true`. | `bool` | `null` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | +| istio | (Beta) Enable Istio addon | `bool` | `false` | no | +| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | +| kalm\_config | (Beta) Whether KALM is enabled for this cluster. 
| `bool` | `false` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | +| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | +| logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | +| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | +| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | +| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). 
| `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | +| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | +| master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no | +| monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no | +| monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | +| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR, DCGM, and JOBSET. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. JOBSET is only supported in GKE 1.32.1-gke.1357001 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | +| name | The name of the cluster (required) | `string` | n/a | yes | +| network | The VPC network to host the cluster in (required) | `string` | n/a | yes | +| network\_policy | Enable network policy addon | `bool` | `false` | no | +| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | +| node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | +| node\_pools\_hugepage\_size\_1g | Map of strings containing hugepage size 1g config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | +| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | +| node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | +| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no | +| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | +| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | +| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | +| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | +| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | +| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no | +| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. 
| `string` | `"VULNERABILITY_DISABLED"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | +| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | +| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | +| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | +| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | +| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | +| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | +| total\_egress\_bandwidth\_tier | Specifies the total network bandwidth tier for NodePools in the cluster. Valid values are `TIER_UNSPECIFIED` and `TIER_1`. Defaults to `TIER_UNSPECIFIED`. | `string` | `null` | no | +| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | +| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. 
| `string` | `""` | no | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| cloudrun\_enabled | Whether CloudRun enabled | +| cluster\_id | Cluster ID | +| dns\_cache\_enabled | Whether DNS Cache enabled | +| endpoint | Cluster endpoint | +| endpoint\_dns | Cluster endpoint DNS | +| fleet\_membership | Fleet membership (if registered) | +| gateway\_api\_channel | The gateway api channel of this cluster. | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | +| instance\_group\_urls | List of GKE generated instance groups | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | +| istio\_enabled | Whether Istio is enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | +| master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_names | List of node pools names | +| node\_pools\_versions | Node pool versions by node pool name | +| peering\_name | The name of the peering between this cluster and the Google owned VPC. 
| +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | +| region | Cluster region | +| release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | +| type | Cluster type (regional / zonal) | +| vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | +| zones | List of zones in which the cluster resides | + ## node_pools variable