Merge pull request #1 from terraform-google-modules/master

sync

Author: bharathkkb

.kitchen.yml

@@ -68,6 +68,23 @@ suites:
       systems:
         - name: simple_regional
           backend: local
+  - name: "simple_regional_with_networking"
+    driver:
+      root_module_directory: test/fixtures/simple_regional_with_networking
+    verifier:
+      systems:
+        - name: simple_regional_with_networking
+          backend: local
+          controls:
+            - gcloud
+        - name: subnet
+          backend: local
+          controls:
+            - subnet
+        - name: network
+          backend: gcp
+          controls:
+            - network
   - name: "simple_regional_private"
     driver:
       root_module_directory: test/fixtures/simple_regional_private

CHANGELOG.md

@@ -8,6 +8,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+### Added
+
+* Support for Shielded Nodes beta feature via `enabled_shielded_nodes` variable. [#300]
+
 ## [v5.1.1] - 2019-10-25
 
 ### Fixed

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.5
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.6
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -27,7 +27,7 @@ REGISTRY_URL := gcr.io/cloud-foundation-cicd
 docker_run:
 	docker run --rm -it \
 		-e SERVICE_ACCOUNT_JSON \
-		-v $(CURDIR):/workspace \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/bin/bash
 
@@ -39,7 +39,7 @@ docker_test_prepare:
 		-e TF_VAR_org_id \
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
-		-v $(CURDIR):/workspace \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh prepare_environment
 
@@ -51,7 +51,7 @@ docker_test_cleanup:
 		-e TF_VAR_org_id \
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
-		-v $(CURDIR):/workspace \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh cleanup_environment
 
@@ -60,31 +60,31 @@ docker_test_cleanup:
 docker_test_integration:
 	docker run --rm -it \
 		-e SERVICE_ACCOUNT_JSON \
-		-v $(CURDIR):/workspace \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/test_integration.sh
 
 # Execute lint tests within the docker container
 .PHONY: docker_test_lint
 docker_test_lint:
 	docker run --rm -it \
-		-v $(CURDIR):/workspace \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/test_lint.sh
 
 # Generate documentation
 .PHONY: docker_generate_docs
 docker_generate_docs:
 	docker run --rm -it \
-		-v $(CURDIR):/workspace \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
 
 # Generate files from autogen
 .PHONY: docker_generate
 docker_generate:
 	docker run --rm -it \
-                -v $(CURDIR):/workspace \
+                -v "$(CURDIR)":/workspace \
                 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
                 /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate'
 

autogen/cluster.tf

@@ -45,6 +45,16 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+{% if beta_cluster %}
+  dynamic "release_channel" {
+    for_each = local.release_channel
+
+    content {
+      channel = release_channel.value.channel
+    }
+  }
+{% endif %}
+
   subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
   min_master_version = local.master_version
 
@@ -55,6 +65,7 @@ resource "google_container_cluster" "primary" {
   enable_binary_authorization = var.enable_binary_authorization
   enable_intranode_visibility = var.enable_intranode_visibility
   default_max_pods_per_node   = var.default_max_pods_per_node
+  enable_shielded_nodes       = var.enable_shielded_nodes
 
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling

autogen/main.tf

@@ -48,6 +48,10 @@ locals {
   node_version_zonal      = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
   master_version          = var.regional ? local.master_version_regional : local.master_version_zonal
   node_version            = var.regional ? local.node_version_regional : local.node_version_zonal
+{% if beta_cluster %}
+  release_channel         = var.release_channel != null ? [{ channel : var.release_channel }] : []
+{% endif %}
+
 
   custom_kube_dns_config      = length(keys(var.stub_domains)) > 0
   upstream_nameservers_config = length(var.upstream_nameservers) > 0

autogen/outputs.tf

@@ -150,4 +150,8 @@ output "vertical_pod_autoscaling_enabled" {
   value       = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+output "release_channel" {
+  description = "The release channel of this cluster"
+  value       = var.release_channel
+}
 {% endif %}

autogen/scripts/wait-for-cluster.sh

@@ -15,8 +15,9 @@
 
 set -e
 
+# shellcheck disable=SC2034
 if [ -n "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then
-    export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${GOOGLE_APPLICATION_CREDENTIALS}
+    export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="${GOOGLE_APPLICATION_CREDENTIALS}"
 fi
 
 PROJECT=$1

autogen/variables.tf

@@ -422,4 +422,15 @@ variable "authenticator_security_group" {
   default     = null
 }
 
+variable "release_channel" {
+  type        = string
+  description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
+  default     = null
+}
+
+variable "enable_shielded_nodes" {
+  type = bool
+  description = "Enable Shielded Nodes features on all nodes in this cluster"
+  default = false
+}
 {% endif %}

build/int.cloudbuild.yaml

@@ -101,6 +101,26 @@ steps:
     - verify simple-regional-private-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-private-local']
+- id: create simple-regional-with-networking-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create simple-regional-with-networking-local']
+- id: converge simple-regional-with-networking-local
+  waitFor:
+    - create simple-regional-with-networking-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-regional-with-networking-local']
+- id: verify simple-regional-with-networking-local
+  waitFor:
+    - converge simple-regional-with-networking-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-regional-with-networking-local']
+- id: destroy simple-regional-with-networking-local
+  waitFor:
+    - verify simple-regional-with-networking-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-with-networking-local']
 - id: create simple-zonal-local
   waitFor:
     - prepare
@@ -246,4 +266,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.5'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'

build/lint.cloudbuild.yaml

@@ -24,4 +24,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.5'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'

cluster.tf

@@ -41,6 +41,7 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
   subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
   min_master_version = local.master_version
 

examples/node_pool/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/node_pool_update_variant_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 2.12.0"
+  version     = "~> 2.18.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/simple_regional_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 
@@ -45,4 +45,3 @@ module "gke" {
 
 data "google_client_config" "default" {
 }
-

examples/simple_regional_private_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 2.12.0"
+  version     = "~> 2.18.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
@@ -62,4 +62,3 @@ module "gke" {
 
 data "google_client_config" "default" {
 }
-

examples/simple_regional_with_networking/README.md

@@ -0,0 +1,46 @@
+# Simple Regional Cluster with Networking
+
+This example illustrates how to create a VPC and a simple cluster.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name | The name for the GKE cluster | string | `"gke-on-vpc-cluster"` | no |
+| ip\_range\_pods\_name | The secondary ip range to use for pods | string | `"ip-range-pods"` | no |
+| ip\_range\_services\_name | The secondary ip range to use for pods | string | `"ip-range-scv"` | no |
+| network | The VPC network created to host the cluster in | string | `"gke-network"` | no |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | `"us-central1"` | no |
+| subnetwork | The subnetwork created to host the cluster in | string | `"gke-subnet"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | The cluster ca certificate (base64 encoded) |
+| client\_token | The bearer token for auth |
+| cluster\_name | Cluster name |
+| ip\_range\_pods\_name | The secondary IP range used for pods |
+| ip\_range\_services\_name | The secondary IP range used for services |
+| kubernetes\_endpoint | The cluster endpoint |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| network\_name | The name of the VPC being created |
+| project\_id |  |
+| region |  |
+| service\_account | The default service account used for running nodes. |
+| subnet\_name | The name of the subnet being created |
+| subnet\_secondary\_ranges | The secondary ranges associated with the subnet |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/simple_regional_with_networking/main.tf

@@ -0,0 +1,59 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gcp-network" {
+  source       = "terraform-google-modules/network/google"
+  version      = "~> 1.4.0"
+  project_id   = var.project_id
+  network_name = var.network
+
+  subnets = [
+    {
+      subnet_name   = var.subnetwork
+      subnet_ip     = "10.0.0.0/17"
+      subnet_region = var.region
+    },
+  ]
+
+  secondary_ranges = {
+    "${var.subnetwork}" = [
+      {
+        range_name    = var.ip_range_pods_name
+        ip_cidr_range = "192.168.0.0/18"
+      },
+      {
+        range_name    = var.ip_range_services_name
+        ip_cidr_range = "192.168.64.0/18"
+      },
+    ]
+  }
+}
+
+module "gke" {
+  source                 = "../../"
+  project_id             = var.project_id
+  name                   = var.cluster_name
+  regional               = true
+  region                 = var.region
+  network                = module.gcp-network.network_name
+  subnetwork             = module.gcp-network.subnets_names[0]
+  ip_range_pods          = var.ip_range_pods_name
+  ip_range_services      = var.ip_range_services_name
+  create_service_account = true
+}
+
+data "google_client_config" "default" {
+}