feat: add fqdn policies

Author: TheKangaroo

autogen/main/cluster.tf.tmpl

@@ -210,6 +210,9 @@ resource "google_container_cluster" "primary" {
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   {% endif %}
   {% endif %}
+{% if beta_cluster %}
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
+{% endif %}
 {% if autopilot_cluster %}
   enable_autopilot = true
 {% endif %}

autogen/main/variables.tf.tmpl

@@ -777,6 +777,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "enable_fqdn_network_policy" {
+  type        = bool
+  description = "Enable FQDN Network Policies on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

autogen/main/versions.tf.tmpl

@@ -24,11 +24,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-autopilot-private-cluster/cluster.tf

@@ -81,7 +81,8 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  enable_autopilot = true
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
+  enable_autopilot           = true
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-autopilot-private-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-autopilot-public-cluster/cluster.tf

@@ -81,7 +81,8 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  enable_autopilot = true
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
+  enable_autopilot           = true
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-autopilot-public-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster-update-variant/README.md

@@ -191,6 +191,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+  enable_l4_ilb_subsetting   = var.enable_l4_ilb_subsetting
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-private-cluster-update-variant/variables.tf

@@ -734,6 +734,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "enable_fqdn_network_policy" {
+  type        = bool
+  description = "Enable FQDN Network Policies on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-private-cluster-update-variant/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster/README.md

@@ -169,6 +169,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |

modules/beta-private-cluster/cluster.tf

@@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+  enable_l4_ilb_subsetting   = var.enable_l4_ilb_subsetting
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-private-cluster/variables.tf

@@ -734,6 +734,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "enable_fqdn_network_policy" {
+  type        = bool
+  description = "Enable FQDN Network Policies on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-private-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-public-cluster-update-variant/README.md

@@ -184,6 +184,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |

modules/beta-public-cluster-update-variant/cluster.tf

@@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+  enable_l4_ilb_subsetting   = var.enable_l4_ilb_subsetting
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-public-cluster-update-variant/variables.tf

@@ -704,6 +704,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "enable_fqdn_network_policy" {
+  type        = bool
+  description = "Enable FQDN Network Policies on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-public-cluster-update-variant/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-public-cluster/README.md

@@ -162,6 +162,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |

modules/beta-public-cluster/cluster.tf

@@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+  enable_l4_ilb_subsetting   = var.enable_l4_ilb_subsetting
+  enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-public-cluster/variables.tf

@@ -704,6 +704,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "enable_fqdn_network_policy" {
+  type        = bool
+  description = "Enable FQDN Network Policies on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-public-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1"
+      version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"