From 1f85f66544051d8cdb0196ce90af11fcefdc8789 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody
Date: Thu, 5 Dec 2024 11:15:02 -0800
Subject: [PATCH] feat(TPG>=6.11)!: add endpoint_dns (#2180)

---
 README.md | 1 +
 autogen/main/cluster.tf.tmpl | 9 +++++++++
 autogen/main/outputs.tf.tmpl | 17 +++++++++++++++++
 autogen/main/versions.tf.tmpl | 14 +++++++-------
 autogen/safer-cluster/outputs.tf.tmpl | 5 +++++
 examples/safer_cluster_iap_bastion/README.md | 1 +
 examples/safer_cluster_iap_bastion/bastion.tf | 2 ++
 examples/safer_cluster_iap_bastion/outputs.tf | 6 ++++++
 examples/simple_regional_beta/main.tf | 6 ------
 examples/simple_regional_beta/versions.tf | 3 ---
 .../beta-autopilot-private-cluster/README.md | 1 +
 .../beta-autopilot-private-cluster/cluster.tf | 9 +++++++++
 .../beta-autopilot-private-cluster/outputs.tf | 14 ++++++++++++++
 .../beta-autopilot-private-cluster/versions.tf | 6 +++---
 modules/beta-autopilot-public-cluster/README.md | 1 +
 .../beta-autopilot-public-cluster/outputs.tf | 14 ++++++++++++++
 .../beta-autopilot-public-cluster/versions.tf | 6 +++---
 .../README.md | 1 +
 .../cluster.tf | 9 +++++++++
 .../outputs.tf | 15 +++++++++++++++
 .../versions.tf | 6 +++---
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 9 +++++++++
 modules/beta-private-cluster/outputs.tf | 15 +++++++++++++++
 modules/beta-private-cluster/versions.tf | 6 +++---
 .../README.md | 1 +
 .../outputs.tf | 15 +++++++++++++++
 .../versions.tf | 6 +++---
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/outputs.tf | 15 +++++++++++++++
 modules/beta-public-cluster/versions.tf | 6 +++---
 .../private-cluster-update-variant/README.md | 1 +
 .../private-cluster-update-variant/cluster.tf | 9 +++++++++
 .../private-cluster-update-variant/outputs.tf | 15 +++++++++++++++
 .../private-cluster-update-variant/versions.tf | 4 ++--
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 9 +++++++++
 modules/private-cluster/outputs.tf | 15 +++++++++++++++
 modules/private-cluster/versions.tf | 4 ++--
modules/safer-cluster-update-variant/README.md | 1 + modules/safer-cluster-update-variant/outputs.tf | 5 +++++ modules/safer-cluster/README.md | 1 + modules/safer-cluster/outputs.tf | 5 +++++ outputs.tf | 15 +++++++++++++++ .../safer_cluster_iap_bastion/example.tf | 2 +- versions.tf | 4 ++-- 46 files changed, 271 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 21daa139ae..43b77ca60e 100644 --- a/README.md +++ b/README.md @@ -264,6 +264,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| endpoint\_dns | Cluster endpoint DNS | | fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 17021141c2..bd4ad3a9ed 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -630,6 +630,15 @@ resource "google_container_cluster" "primary" { } } } + + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } {% endif %} {% if autopilot_cluster != true %} diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 4d12ec5d94..aacaebddbc 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl 
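Review bot: The `for_each` on the new `control_plane_endpoints_config` block yields a one-element list on both branches (`? [1] : [0]`), so the block is emitted unconditionally and the `enable_private_endpoint && deploy_using_private_endpoint` guard has no effect; if the block is meant to be conditional the else branch should be the empty list, `for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []`, and if it is meant to be unconditional the `dynamic` wrapper should go. As written, a cluster with `enable_private_endpoint = false` and `deploy_using_private_endpoint = true` still gets `allow_external_traffic = true`. Since `allow_external_traffic` opens the control plane's DNS endpoint to callers outside the VPC (gated by IAM rather than by `master_authorized_networks`, as I read the provider docs — worth confirming), the variable description and README should state that enabling `deploy_using_private_endpoint` now also turns on that externally reachable endpoint. The same block is generated into the cluster.tf hunks of beta-autopilot-private-cluster, beta-private-cluster-update-variant, beta-private-cluster, private-cluster-update-variant and private-cluster. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.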
@@ -76,6 +76,23 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ {% if autopilot_cluster != true %}
+ google_container_node_pool.pools,
+ {% endif %}
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 33b95ec566..4271074fe6 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
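Review bot: The new `endpoint_dns` output is not marked `sensitive`, while the example's passthrough of the same value in examples/safer_cluster_iap_bastion/outputs.tf in this commit sets `sensitive = true`; the two should agree, and if the hostname is to be treated like the IP `endpoint` the template is the place to add `sensitive = true` so every generated module inherits it (the safer-cluster passthrough outputs would then need it too, since Terraform rejects a non-sensitive output that references a sensitive one). The `[0]` indexes on `control_plane_endpoints_config[0].dns_endpoint_config[0]` assume the provider always populates this computed block; if it can be empty for any cluster shape, the output fails at apply, whereas `try(google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint, null)` would degrade to null instead. Both points apply equally to the generated outputs.tf hunks in every module and in the root outputs.tf.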
@@ -24,33 +24,33 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 {% elif beta_cluster and autopilot_cluster %}
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 {% elif autopilot_cluster %}
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 {% else %}
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 {% endif %}
 kubernetes = {
diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl
index 5c1f5539e2..b4beaf6917 100644
--- a/autogen/safer-cluster/outputs.tf.tmpl
+++ b/autogen/safer-cluster/outputs.tf.tmpl
@@ -52,6 +52,11 @@ output "endpoint" {
 value = module.gke.endpoint
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = module.gke.endpoint_dns
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = module.gke.min_master_version
diff --git a/examples/safer_cluster_iap_bastion/README.md b/examples/safer_cluster_iap_bastion/README.md
index 700bc6e659..77d1658ab8 100644
--- a/examples/safer_cluster_iap_bastion/README.md
+++ b/examples/safer_cluster_iap_bastion/README.md
@@ -60,6 +60,7 @@ To deploy this example:
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_name | Cluster name |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | get\_credentials\_command | gcloud get-credentials command to generate kubeconfig for the private cluster |
 | keyring | The name of the keyring. |
 | keyring\_resource | The location of the keyring. |
diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf
index 97f44227fd..513f2e8ad9 100644
--- a/examples/safer_cluster_iap_bastion/bastion.tf
+++ b/examples/safer_cluster_iap_bastion/bastion.tf
@@ -34,4 +34,6 @@ module "bastion" {
 startup_script = templatefile("${path.module}/templates/startup-script.tftpl", {})
 members = var.bastion_members
 shielded_vm = "false"
+
+ service_account_roles = ["roles/container.viewer"]
 }
diff --git a/examples/safer_cluster_iap_bastion/outputs.tf b/examples/safer_cluster_iap_bastion/outputs.tf
index 8d9f9d2fdd..9dda4bc791 100644
--- a/examples/safer_cluster_iap_bastion/outputs.tf
+++ b/examples/safer_cluster_iap_bastion/outputs.tf
@@ -35,6 +35,12 @@ output "endpoint" {
 value = module.gke.endpoint
 }
 
+output "endpoint_dns" {
+ sensitive = true
+ description = "Cluster endpoint DNS"
+ value = module.gke.endpoint_dns
+}
+
 output "master_authorized_networks_config" {
 description = "Networks from which access to master is permitted"
 value = module.gke.master_authorized_networks_config
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index 49772886ba..04f9f87186 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -20,12 +20,6 @@ locals {
 
 data "google_client_config" "default" {}
 
-provider "kubernetes" {
- host = "https://${module.gke.endpoint}"
- token = data.google_client_config.default.access_token
- cluster_ca_certificate = base64decode(module.gke.ca_certificate)
-}
-
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
 version = "~> 34.0"
diff --git a/examples/simple_regional_beta/versions.tf b/examples/simple_regional_beta/versions.tf
index 6dfcbcb74a..7127fa6385 100644
--- a/examples/simple_regional_beta/versions.tf
+++ b/examples/simple_regional_beta/versions.tf
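Review bot: `service_account_roles = ["roles/container.viewer"]` binds a project-wide role to the bastion's service account with no explanation of why; a comment such as `# Lets the bastion's identity call the cluster's DNS endpoint; note this grants read access to every cluster in the project` would record both the purpose and the cost. The purpose appears to be the test fixture in this commit, which now presents `gcloud auth print-access-token` from the bastion as a bearer token to `endpoint_dns`, so this role is what makes that IAM-authorized call succeed — please confirm. Since anyone who can SSH to the bastion inherits this access, the example README should call it out alongside the new `endpoint_dns` row. The enclosing `module "bastion"` block starts outside the hunk.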
@@ -23,8 +23,5 @@ terraform {
 google-beta = {
 source = "hashicorp/google-beta"
 }
- kubernetes = {
- source = "hashicorp/kubernetes"
- }
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index e1053667dd..a875dfbfd3 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -170,6 +170,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 3b2e1efa4b..bddef25b74 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -326,6 +326,15 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "control_plane_endpoints_config" {
+ for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+ content {
+ dns_endpoint_config {
+ allow_external_traffic = var.deploy_using_private_endpoint
+ }
+ }
+ }
+
 
 dynamic "database_encryption" {
 for_each = var.database_encryption
diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf
index e7f7b5ad59..aa72f43460 100644
--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -70,6 +70,20 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index e7c2c24c03..4a1b48e6e8 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 517d36abba..4022334b45 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf
index 7908fc749d..c1bffbbb15 100644
--- a/modules/beta-autopilot-public-cluster/outputs.tf
+++ b/modules/beta-autopilot-public-cluster/outputs.tf
@@ -70,6 +70,20 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index b88591526d..e2563e96a5 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.8.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index ea728dcf20..fc76c4c903 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -314,6 +314,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index d09352915b..df27a1fb6a 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -546,6 +546,15 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "control_plane_endpoints_config" {
+ for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+ content {
+ dns_endpoint_config {
+ allow_external_traffic = var.deploy_using_private_endpoint
+ }
+ }
+ }
+
 remove_default_node_pool = var.remove_default_node_pool
 
 dynamic "database_encryption" {
diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf
index fbbdcbac61..47b662f8af 100644
--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index e6ad954675..25cd3dc93a 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index de4f530383..8fbf18847d 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -292,6 +292,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 4b83413c40..c53aada6ec 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -546,6 +546,15 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "control_plane_endpoints_config" {
+ for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+ content {
+ dns_endpoint_config {
+ allow_external_traffic = var.deploy_using_private_endpoint
+ }
+ }
+ }
+
 remove_default_node_pool = var.remove_default_node_pool
 
 dynamic "database_encryption" {
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index fbbdcbac61..47b662f8af 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index e4000c1395..70bca18355 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index d2371d7aca..15b039f123 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -302,6 +302,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index 8553877634..771f529201 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index f6240f6090..62df9c371b 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 6a01e941d8..29bb2dde89 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -280,6 +280,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
index 8553877634..771f529201 100644
--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 6b8c859486..833e76cade 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index c3d0a8d0dd..8710b871cf 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -298,6 +298,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index a70c2e273d..4675138c1a 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -500,6 +500,15 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "control_plane_endpoints_config" {
+ for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+ content {
+ dns_endpoint_config {
+ allow_external_traffic = var.deploy_using_private_endpoint
+ }
+ }
+ }
+
 remove_default_node_pool = var.remove_default_node_pool
 
 dynamic "database_encryption" {
diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf
index 2f77c0f67f..acb3c9da48 100644
--- a/modules/private-cluster-update-variant/outputs.tf
+++ b/modules/private-cluster-update-variant/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 50d825967e..0f8dc2f2ac 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 1d44955b7f..1fb8f3c332 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -276,6 +276,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 4491f77b2a..0107dbd8a3 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -500,6 +500,15 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ dynamic "control_plane_endpoints_config" {
+ for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+ content {
+ dns_endpoint_config {
+ allow_external_traffic = var.deploy_using_private_endpoint
+ }
+ }
+ }
+
 remove_default_node_pool = var.remove_default_node_pool
 
 dynamic "database_encryption" {
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index 2f77c0f67f..acb3c9da48 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index ce566c254c..40a85a8f8f 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 759d11f8b1..ee0e3c39e8 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -290,6 +290,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | cluster\_id | Cluster ID |
 | enable\_mesh\_certificates | Mesh certificate configuration value |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
diff --git a/modules/safer-cluster-update-variant/outputs.tf b/modules/safer-cluster-update-variant/outputs.tf
index 8928f321ab..96a5af68e4 100644
--- a/modules/safer-cluster-update-variant/outputs.tf
+++ b/modules/safer-cluster-update-variant/outputs.tf
@@ -52,6 +52,11 @@ output "endpoint" {
 value = module.gke.endpoint
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = module.gke.endpoint_dns
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = module.gke.min_master_version
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 759d11f8b1..ee0e3c39e8 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -290,6 +290,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | cluster\_id | Cluster ID |
 | enable\_mesh\_certificates | Mesh certificate configuration value |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf
index 8928f321ab..96a5af68e4 100644
--- a/modules/safer-cluster/outputs.tf
+++ b/modules/safer-cluster/outputs.tf
@@ -52,6 +52,11 @@ output "endpoint" {
 value = module.gke.endpoint
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = module.gke.endpoint_dns
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = module.gke.min_master_version
diff --git a/outputs.tf b/outputs.tf
index 1f8b76fc9e..791e9dc6a1 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -72,6 +72,21 @@ output "endpoint" {
 ]
 }
 
+output "endpoint_dns" {
+ description = "Cluster endpoint DNS"
+ value = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+ depends_on = [
+ /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+ * However, the cluster may not be in a usable state yet. Therefore any
+ * resources dependent on the cluster being up will fail to deploy. With
+ * this explicit dependency, dependent resources can wait for the cluster
+ * to be up.
+ */
+ google_container_cluster.primary,
+ google_container_node_pool.pools,
+ ]
+}
+
 output "min_master_version" {
 description = "Minimum master kubernetes version"
 value = local.cluster_min_master_version
diff --git a/test/fixtures/safer_cluster_iap_bastion/example.tf b/test/fixtures/safer_cluster_iap_bastion/example.tf
index c89179e0e9..b4ea3d7650 100644
--- a/test/fixtures/safer_cluster_iap_bastion/example.tf
+++ b/test/fixtures/safer_cluster_iap_bastion/example.tf
@@ -15,7 +15,7 @@
 */
 
 locals {
- test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} --ssh-flag=\"-T\" -q -- curl -sS https://${module.example.endpoint}/version -k"
+ test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} -q --command='curl -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"Content-Type: application/json\" -sS https://${module.example.endpoint_dns}/version -k'"
 }
 
 module "example" {
diff --git a/versions.tf b/versions.tf
index 999d0bf22e..ad3255bd50 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
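Review bot: The rewritten `test_command` now sends an OAuth access token (`-H \"Authorization: Bearer $(gcloud auth print-access-token)\"`) to the endpoint while still passing `-k`, so TLS certificate verification is disabled on a request that carries a credential; the old command carried no credential, which is what made `-k` tolerable. As I understand it the DNS-based endpoint is served with a publicly trusted certificate, so dropping `-k` (`-sS https://${module.example.endpoint_dns}/version'`) should work and makes the test verify it is actually talking to the cluster's control plane rather than whatever answers that name. `-H \"Content-Type: application/json\"` on a body-less GET is inert and can go at the same time. Since the `$(...)` sits inside the single-quoted `--command=`, the token is minted on the bastion with the bastion's identity rather than the test runner's; a short comment above `locals` saying so would save the next reader a puzzle.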
