| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_cluster\_firewall\_rules | Create additional firewall rules |`bool`|`false`| no |
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports`|`bool`|`false`| no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). |`bool`|`false`| no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods |`list(string)`|`[]`| no |
| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. |`bool`|`null`| no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected]|`string`|`null`| no |
| cluster\_ipv4\_cidr | The IP address range of the Kubernetes pods in this cluster. Default is an automatically assigned CIDR. |`string`|`null`| no |
| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster |`map(string)`|`{}`| no |
| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliased IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. |`bool`|`false`| no |
| create\_service\_account | Defines if the service account specified to run nodes should be created. |`bool`|`true`| no |
| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. |`list(object({ state = string, key_name = string }))`| <pre>[<br> {<br> "key_name": "",<br> "state": "DECRYPTED"<br> }<br>]</pre> | no |
| deletion\_protection | Whether or not to allow Terraform to destroy the cluster. |`bool`|`true`| no |
| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. |`bool`|`false`| no |
| description | The description of the cluster |`string`|`""`| no |
| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses |`bool`|`false`| no |
| dns\_cache | The status of the NodeLocal DNSCache addon. |`bool`|`true`| no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. |`bool`|`false`| no |
| enable\_cost\_allocation | Enables the Cost Allocation feature, so that the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery |`bool`|`false`| no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster |`bool`|`null`| no |
| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster |`bool`|`false`| no |
| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. |`bool`|`false`| no |
| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint |`bool`|`false`| no |
| enable\_private\_nodes | Whether nodes have internal IP addresses only |`bool`|`false`| no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. |`bool`|`true`| no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! |`bool`|`false`| no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it |`bool`|`true`| no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. |`list(string)`| <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules |`number`|`1000`| no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. |`string`|`null`| no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. |`bool`|`false`| no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. |`string`|`null`| no |
| grant\_registry\_access | Grants the created cluster-specific service account the storage.objectViewer and artifactregistry.reader roles. |`bool`|`false`| no |
| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon |`bool`|`true`| no |
| http\_load\_balancing | Enable HTTP load balancer addon |`bool`|`true`| no |
| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) |`string`|`"enabled"`| no |
| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). |`bool`|`false`| no |
| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. |`string`|`"60s"`| no |
| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods |`string`| n/a | yes |
| ip\_range\_services | The _name_ of the secondary subnet range to use for services |`string`| n/a | yes |
| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! |`bool`|`false`| no |
| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull the latest available version in the selected region. |`string`|`"latest"`| no |
| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format |`string`|`""`| no |
| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three |`list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))`|`[]`| no |
| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. |`string`|`""`| no |
| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format |`string`|`"05:00"`| no |
| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). |`list(object({ cidr_block = string, display_name = string }))`|`[]`| no |
| master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. |`bool`|`true`| no |
| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. |`string`|`null`| no |
| name | The name of the cluster (required) |`string`| n/a | yes |
| network | The VPC network to host the cluster in (required) |`string`| n/a | yes |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) |`string`|`""`| no |
| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. |`list(string)`|`[]`| no |
| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. |`list(string)`| <pre>[<br> "10.0.0.0/8",<br> "172.16.0.0/12",<br> "192.168.0.0/16"<br>]</pre> | no |
| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. |`string`|`""`| no |
| project\_id | The project ID to host the cluster in (required) |`string`| n/a | yes |
| region | The region to host the cluster in (optional if zonal cluster / required if regional) |`string`|`null`| no |
| regional | Whether this is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) |`bool`|`true`| no |
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregistry.reader` roles are assigned on these projects. |`list(string)`|`[]`| no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. |`string`|`"REGULAR"`| no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. |`string`|`""`| no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. |`string`|`"DISABLED"`| no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. |`string`|`"VULNERABILITY_DISABLED"`| no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exist; it will be used by the node pools. If you wish to only override the service account name, you can use the service\_account\_name variable. |`string`|`""`| no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use the service\_account variable. |`string`|`""`| no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster |`bool`|`false`| no |
| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | <pre>object({<br> metadata = string<br> })</pre> | <pre>{<br> "metadata": "INCLUDE_ALL_METADATA"<br>}</pre> | no |
| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than the default firewall priority, which is 1000. |`number`|`999`| no |
| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. |`string`|`"IPV4"`| no |
| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server |`map(list(string))`|`{}`| no |
| subnetwork | The subnetwork to host the cluster in (required) |`string`| n/a | yes |
| timeouts | Timeout for cluster operations. |`map(string)`|`{}`| no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf |`list(string)`|`[]`| no |
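The table above lists each input on its own, but the security-relevant ones only make sense together: a private control plane is useless if the public endpoint stays open, shadow firewall rules only help when logging is on, and application-layer secrets encryption needs a Cloud KMS key. The block below is an added example (not part of this README or the module's own code) showing one hardened combination of the inputs documented above. The module `source`, project, network and subnet names, the secondary range names, the KMS key path, the authorized CIDRs and the maintenance window are all placeholders; the comments note the table's default for each setting that is changed.

```hcl
# Added example: hardened private GKE cluster built from the inputs in the table above.
# Every literal value is a placeholder to be replaced; the variable names are the module's.
module "gke_private_cluster" {
  source = "<path or registry address of this module>" # placeholder

  # Required inputs (all placeholders)
  project_id        = "my-gcp-project"
  name              = "prod-private-cluster"
  network           = "prod-vpc"
  subnetwork        = "prod-gke-subnet"
  ip_range_pods     = "gke-pods"     # the *name* of the secondary range, not a CIDR
  ip_range_services = "gke-services" # likewise a range name

  # Regional control plane (table default: regional = true); region is required when regional
  regional = true
  region   = "europe-west1" # placeholder

  # Control-plane exposure. Table defaults leave nodes and the endpoint public
  # (enable_private_nodes = false, enable_private_endpoint = false) and let any
  # region reach the private endpoint (master_global_access_enabled = true).
  enable_private_nodes          = true
  enable_private_endpoint       = true
  deploy_using_private_endpoint = true  # Terraform/kubectl use the internal IP during apply
  master_global_access_enabled  = false # only the cluster's own region reaches the endpoint
  master_ipv4_cidr_block        = "172.16.0.0/28" # placeholder range for the hosted master
  master_authorized_networks = [
    { cidr_block = "10.10.0.0/24", display_name = "ci-runners" },    # placeholder
    { cidr_block = "10.20.0.0/24", display_name = "admin-bastion" }, # placeholder
  ]

  # Authentication and node identity. Keep client certificates off (table default,
  # and the table warns that changing it later is destructive); use Workload Identity
  # and a dedicated, least-privilege node service account instead.
  issue_client_certificate = false
  identity_namespace       = "enabled" # project-based pool [project_id].svc.id.goog
  create_service_account   = true
  service_account_name     = "gke-prod-nodes" # placeholder
  grant_registry_access    = true             # read-only registry roles on the cluster project

  # Secrets at rest: table default is state = "DECRYPTED" with an empty key_name.
  database_encryption = [{
    state    = "ENCRYPTED"
    key_name = "projects/my-gcp-project/locations/europe-west1/keyRings/gke/cryptoKeys/etcd" # placeholder
  }]

  # Security posture (table defaults: DISABLED / VULNERABILITY_DISABLED)
  security_posture_mode               = "BASIC"
  security_posture_vulnerability_mode = "VULNERABILITY_BASIC"

  # Network visibility: shadow copies of the default GKE rules with firewall logging on
  # (table default: add_shadow_firewall_rules = false). Priority must stay below 1000.
  add_shadow_firewall_rules        = true
  shadow_firewall_rules_priority   = 999
  shadow_firewall_rules_log_config = { metadata = "INCLUDE_ALL_METADATA" }

  # Admission/webhook ports: the inbound rules are only applied when one of the two
  # flags named in the firewall_inbound_ports description is true.
  add_master_webhook_firewall_rules = true
  firewall_inbound_ports            = ["8443", "9443", "15017"]

  # Lifecycle: stay on a release channel, keep deletion protection (table default: true),
  # and pin maintenance to a recurring weekend window (placeholder RFC3339 / RFC5545 values).
  release_channel        = "REGULAR"
  deletion_protection    = true
  maintenance_start_time = "2024-01-06T02:00:00Z"
  maintenance_end_time   = "2024-01-06T06:00:00Z"
  maintenance_recurrence = "FREQ=WEEKLY;BYDAY=SA,SU"
}
```

Two caveats follow directly from the descriptions above. With `enable_private_endpoint = true` the public endpoint is gone, so the ranges in `master_authorized_networks` and the machine running Terraform must already reach the VPC (for example over peering, VPN or Interconnect), otherwise `deploy_using_private_endpoint` has nothing to connect to. And because `configure_ip_masq` is implemented with a `kubectl` call, leaving it at its default of `false` on a private cluster avoids a second dependency on API-server reachability during apply.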