diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index b78bd4e247..e95b5a7867 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -632,6 +632,15 @@ resource "google_container_cluster" "primary" { } } } + + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } {% endif %} {% if autopilot_cluster != true %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index e3ff1813e6..4322abee6d 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -146,7 +146,7 @@ locals { cluster_output_zones = local.cluster_output_regional_zones {% if private_cluster %} - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_endpoint = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block {% else %} diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index d8c743ee23..45125d6bf8 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
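Review bot: The `for_each` on the new `control_plane_endpoints_config` block is a no-op conditional: both branches of `var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]` are one-element lists, so the `dns_endpoint_config` block is emitted regardless of either variable. If the block is meant to be conditional, use `[1] : []` and guard the `control_plane_endpoints_config[0]` index in the `cluster_endpoint` local; if it is meant to be unconditional, drop the ternary so the intent is readable. As the attribute name suggests, `allow_external_traffic = var.deploy_using_private_endpoint` makes the IAM-authenticated DNS endpoint reachable from outside the VPC precisely for users who opted into a private endpoint, which changes the module's exposure contract and should be stated in the descriptions of both variables. The same block appears in modules/beta-autopilot-private-cluster/cluster.tf, modules/beta-private-cluster-update-variant/cluster.tf, modules/beta-private-cluster/cluster.tf, modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf, presumably generated from this template.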
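Review bot: The new `cluster_endpoint` expression indexes `control_plane_endpoints_config[0].dns_endpoint_config[0]` without the `length(...) > 0` guard the old expression had on `private_cluster_config`, so it only works because the block in cluster.tf is currently emitted unconditionally and will fail with an index error as soon as that `for_each` yields an empty list. The gate here, `var.deploy_using_private_endpoint || var.enable_private_endpoint`, also disagrees with the `&&` gate on the block, so either variable alone selects the DNS endpoint while the block's own condition requires both. Consider `length(google_container_cluster.primary.control_plane_endpoints_config) > 0 ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint`, or align the two conditions. The value presumably changes from an IP address to a DNS hostname, which callers that allowlist the endpoint address should be warned about in the changelog. The same change is repeated in modules/beta-autopilot-private-cluster/main.tf, modules/beta-private-cluster-update-variant/main.tf, modules/beta-private-cluster/main.tf, modules/private-cluster-update-variant/main.tf and modules/private-cluster/main.tf.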
@@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 6.7.0, < 7" + version = ">= 6.11.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.7.0, < 7" + version = ">= 6.11.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index 97f44227fd..513f2e8ad9 100644 --- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf @@ -34,4 +34,6 @@ module "bastion" { startup_script = templatefile("${path.module}/templates/startup-script.tftpl", {}) members = var.bastion_members shielded_vm = "false" + + service_account_roles = ["roles/container.viewer"] } diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 3b2e1efa4b..bddef25b74 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -326,6 +326,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } + dynamic "database_encryption" { for_each = var.database_encryption diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 3a2a564d3a..911b633c36 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
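Review bot: `service_account_roles = ["roles/container.viewer"]` grants the bastion's service account read access to every GKE cluster the binding covers (presumably the whole project), not just the example cluster, and nothing in the example records why the role is now required. A comment such as `# Required so the bastion can authenticate to the cluster's IAM-protected DNS endpoint` would tie the grant to the DNS endpoint change, and the example README should mention it. If a narrower predefined or custom role is sufficient for authenticating to the DNS endpoint, prefer it, since the bastion is the operator entry point for this example.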
@@ -77,7 +77,7 @@ locals { cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_endpoint = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 1b0df01ed9..93c4053fbb 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -546,6 +546,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } + remove_default_node_pool = var.remove_default_node_pool dynamic "database_encryption" { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index c7759b2d41..081342a19a 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -123,7 +123,7 @@ locals { cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_endpoint = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index e6ad954675..0d500a0795 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 6.7.0, < 7" + version = ">= 6.11.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.7.0, < 7" + version = ">= 6.11.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index cbce275c59..e9ba26c9f4 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -546,6 +546,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } + remove_default_node_pool = var.remove_default_node_pool dynamic "database_encryption" { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index c7759b2d41..081342a19a 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -123,7 +123,7 @@ locals { cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_endpoint = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index e4000c1395..fbe10f4372 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf 
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index f6240f6090..2e5904889c 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 6b8c859486..5378a425f5 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.7.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index a21ca0945b..e8efe65fb9 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -499,6 +499,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } + remove_default_node_pool = var.remove_default_node_pool dynamic "database_encryption" { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index c52f9ea1ee..28b9645869 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -111,7 +111,7 @@ locals { cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_endpoint = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 928026d5e8..b9a4b08eb8 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -499,6 +499,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "control_plane_endpoints_config" { + for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0] + content { + dns_endpoint_config { + allow_external_traffic = var.deploy_using_private_endpoint + } + } + } + remove_default_node_pool = var.remove_default_node_pool dynamic "database_encryption" { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index c52f9ea1ee..28b9645869 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -111,7 +111,7 @@ locals { cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zones = local.cluster_output_regional_zones - cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint + cluster_endpoint = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null cluster_endpoint_for_nodes = var.master_ipv4_cidr_block diff --git a/test/fixtures/safer_cluster_iap_bastion/example.tf b/test/fixtures/safer_cluster_iap_bastion/example.tf index c89179e0e9..622471efc4 100644 --- a/test/fixtures/safer_cluster_iap_bastion/example.tf +++ b/test/fixtures/safer_cluster_iap_bastion/example.tf 
@@ -15,7 +15,7 @@ */ locals { - test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} --ssh-flag=\"-T\" -q -- curl -sS https://${module.example.endpoint}/version -k" + test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} -q --command='curl -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"Content-Type: application/json\" -sS https://${module.example.endpoint}/version -k'" } module "example" {
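Review bot: The rewritten `test_command` now sends a bearer token from `gcloud auth print-access-token` to the endpoint while still passing `-k`, so curl skips certificate verification and the credential is handed to whatever answers for that hostname. That was tolerable when the request carried no credentials; with an access token it undermines the authentication this change introduces. If the DNS endpoint presents a publicly trusted certificate, drop `-k`; otherwise pin the cluster CA with `--cacert` rather than disabling verification. The `Content-Type: application/json` header serves no purpose on a GET and can be removed.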