From 4f1e9b33db036ca7de687fa4abe1e28c019f8d12 Mon Sep 17 00:00:00 2001 From: 0Delta <0deltast@gmail.com> Date: Thu, 4 Jul 2024 23:49:59 +0900 Subject: [PATCH] change: ip_range_services to optional value (#1949) As of GKE version 1.29 and Autopilot 1.27, the service ip range is given a default of 34.118.224.0/20 per cluster. On versions earlier than those, the value may still be omitted, but the validator will reject it. --- README.md | 2 +- autogen/main/cluster.tf.tmpl | 14 ++++++++++++-- autogen/main/variables.tf.tmpl | 3 ++- cluster.tf | 5 +++++ modules/beta-autopilot-private-cluster/README.md | 2 +- modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++ .../beta-autopilot-private-cluster/variables.tf | 3 ++- modules/beta-autopilot-public-cluster/README.md | 2 +- modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-public-cluster/variables.tf | 3 ++- .../beta-private-cluster-update-variant/README.md | 2 +- .../beta-private-cluster-update-variant/cluster.tf | 5 +++++ .../variables.tf | 3 ++- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 5 +++++ modules/beta-private-cluster/variables.tf | 3 ++- .../beta-public-cluster-update-variant/README.md | 2 +- .../beta-public-cluster-update-variant/cluster.tf | 5 +++++ .../variables.tf | 3 ++- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 5 +++++ modules/beta-public-cluster/variables.tf | 3 ++- modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/cluster.tf | 5 +++++ .../private-cluster-update-variant/variables.tf | 3 ++- modules/private-cluster/README.md | 2 +- modules/private-cluster/cluster.tf | 5 +++++ modules/private-cluster/variables.tf | 3 ++- variables.tf | 3 ++- 29 files changed, 90 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 9633443be2..c482cef714 100644 --- a/README.md +++ b/README.md 
@@ -189,7 +189,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 633ba69312..414030fbb1 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -450,11 +450,21 @@ resource "google_container_cluster" "primary" { } } - {% if autopilot_cluster != true %} lifecycle { + precondition { + {% if autopilot_cluster %} + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 27 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.27 or upper." + {% else %} + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + {% endif %} + } + + {% if autopilot_cluster != true %} ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] + {% endif %} } - {% endif %} {% if autopilot_cluster != true %} dynamic "dns_config" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 515a8af1fd..2996c594bf 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -147,7 +147,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/cluster.tf b/cluster.tf index 01f808aeea..c45905ec67 100644 --- a/cluster.tf +++ b/cluster.tf 
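Review bot: The version test in both new `precondition` branches, `tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29`, checks the minor number independently of the major, so any future major version with a minor below 29 (e.g. 2.0) would be rejected even though it is newer than 1.29; keeping the author's ternary so `tonumber` is still only reached for a pinned version, the comparison should read `tonumber(split(".", var.kubernetes_version)[0]) > 1 || tonumber(split(".", var.kubernetes_version)[1]) >= 29` (and `>= 27` in the autopilot branch). The error text also has a grammar slip; suggest `error_message = "ip_range_services is required for this GKE version. Set ip_range_services or use kubernetes_version 1.29 or later."` with the matching 1.27 wording in the autopilot branch. Since the modules are generated from this template, the same comparison and message are emitted into cluster.tf, modules/beta-private-cluster-update-variant, beta-private-cluster, beta-public-cluster-update-variant, beta-public-cluster, private-cluster-update-variant and private-cluster cluster.tf, and with the 1.27 threshold into the two beta-autopilot modules, so fixing the template and regenerating covers all of them. The enclosing `google_container_cluster` resource starts and ends outside the hunk.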
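Review bot: The new description `"The _name_ of the secondary subnet range to use for services. Omit to use default range."` does not tell the reader that omitting the value is only accepted on GKE 1.29+ (Autopilot 1.27+), which is exactly what the precondition added in cluster.tf.tmpl enforces, so a user on an older pinned version only learns the constraint from a plan-time failure. Suggest `description = "The _name_ of the secondary subnet range to use for services. Omit to use the GKE default range (requires GKE 1.29+, or 1.27+ on Autopilot)."`. This template feeds variables.tf and every modules/*/variables.tf in the commit, and the README tables appear to be generated from the descriptions, so one template change propagates everywhere.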
@@ -335,6 +335,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 751d7fca52..a6d363f68d 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -111,7 +111,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index bfee2c0445..c04bfc6a53 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -206,6 +206,13 @@ resource "google_container_cluster" "primary" { } } + lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 27 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.27 or upper." + } + + } timeouts { create = lookup(var.timeouts, "create", "45m") diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 6e6f2b157a..810085cc69 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -139,7 +139,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 2adc826408..7a24631898 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
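Review bot: The generated `lifecycle` block in this Autopilot module closes with an empty added line followed by `}`, a leftover from the template path where `ignore_changes` is skipped for Autopilot; `terraform fmt` would most likely strip that blank line, so a formatting check in CI could flag the generated file. Because this file is generated, the fix belongs in autogen/main/cluster.tf.tmpl, for example by moving the blank `+` line inside the `{% if autopilot_cluster != true %}` branch rather than editing this module by hand. The same artifact is present in modules/beta-autopilot-public-cluster/cluster.tf. The enclosing `google_container_cluster` resource starts and ends outside the hunk.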
@@ -102,7 +102,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 8fb6118780..55b97c885f 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -206,6 +206,13 @@ resource "google_container_cluster" "primary" { } } + lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 27 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.27 or upper." + } + + } timeouts { create = lookup(var.timeouts, "create", "45m") diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 173fc99402..6381ee277f 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -139,7 +139,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 871ae3bcec..07ff0a3f48 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -232,7 +232,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | istio | (Beta) Enable Istio addon | `bool` | `false` | no | | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 359d57c007..a709bef51b 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -383,6 +383,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 9733efd774..7b19a9c8a4 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index e9be4250ba..4c955c5fb2 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -210,7 +210,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | istio | (Beta) Enable Istio addon | `bool` | `false` | no | | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 3a3f911291..5b683a9d25 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -383,6 +383,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 9733efd774..7b19a9c8a4 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 7d4c7d512b..4f86307496 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -223,7 +223,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | istio | (Beta) Enable Istio addon | `bool` | `false` | no | | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 3c3f34f0cb..6264aaa497 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -383,6 +383,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index a55430896e..f7fbdb08c8 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 8a4e99701e..daae8bc68d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -201,7 +201,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | istio | (Beta) Enable Istio addon | `bool` | `false` | no | | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index fe6a6c242e..2e7338deee 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -383,6 +383,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index a55430896e..f7fbdb08c8 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index b3ee327805..76edda79c7 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -220,7 +220,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 04837e28e6..7b84733a0e 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -335,6 +335,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index d032c417db..c47cba1991 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 4934cf9c64..ffc2a5e48e 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -198,7 +198,7 @@ Then perform the following commands on the root folder: | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services. Omit to use default range. | `string` | `null` | no | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 31573d02a9..94d1749d5e 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -335,6 +335,11 @@ resource "google_container_cluster" "primary" { } lifecycle { + precondition { + condition = var.ip_range_services == null && var.kubernetes_version != "latest" ? tonumber(split(".", var.kubernetes_version)[0]) >= 1 && tonumber(split(".", var.kubernetes_version)[1]) >= 29 : true + error_message = "The ip_range_services is require for this gke version. Please set ip_range_services or use kubernetes_version 1.29 or upper." + } + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index d032c417db..c47cba1991 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" { diff --git a/variables.tf b/variables.tf index d36fe30142..44d9479af4 100644 --- a/variables.tf +++ b/variables.tf @@ -145,7 +145,8 @@ variable "additional_ip_range_pods" { variable "ip_range_services" { type = string - description = "The _name_ of the secondary subnet range to use for services" + description = "The _name_ of the secondary subnet range to use for services. Omit to use default range." + default = null } variable "stack_type" {