Added variable skip_provisioners to skip 'local-exec'

 * Fix #258
 * Added test `simple_regional_skip_local_exec`
 * Remove old upgrading guide from README's

Author: paulpalamarchuk

.kitchen.yml

@@ -54,80 +54,80 @@ suites:
 #      systems:
 #        - name: node_pool
 #          backend: local
-  - name: "shared_vpc"
-    driver:
-      root_module_directory: test/fixtures/shared_vpc
-    verifier:
-      systems:
-        - name: shared_vpc
-          backend: local
-  - name: "simple_regional"
-    driver:
-      root_module_directory: test/fixtures/simple_regional
-    verifier:
-      systems:
-        - name: simple_regional
-          backend: local
-  - name: "simple_regional_private"
-    driver:
-      root_module_directory: test/fixtures/simple_regional_private
-    verifier:
-      systems:
-        - name: simple_regional_private
-          backend: local
-  - name: "simple_zonal"
-    driver:
-      root_module_directory: test/fixtures/simple_zonal
-    verifier:
-      systems:
-        - name: gcloud
-          backend: local
-          controls:
-            - gcloud
-        - name: gcp
-          backend: gcp
-          controls:
-            - gcp
-  - name: "simple_zonal_private"
-    driver:
-      root_module_directory: test/fixtures/simple_zonal_private
-    verifier:
-      systems:
-        - name: simple_zonal_private
-          backend: local
-  - name: "stub_domains"
-    driver:
-      root_module_directory: test/fixtures/stub_domains
-    verifier:
-      systems:
-        - name: stub_domains
-          backend: local
-# Disabled due to issue #264
-# (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
-#  - name: stub_domains_private
+#  - name: "shared_vpc"
 #    driver:
-#      root_module_directory: test/fixtures/stub_domains_private
+#      root_module_directory: test/fixtures/shared_vpc
+#    verifier:
 #      systems:
-#        - name: stub_domains_private
+#        - name: shared_vpc
+#          backend: local
+#  - name: "simple_regional"
+#    driver:
+#      root_module_directory: test/fixtures/simple_regional
+#    verifier:
+#      systems:
+#        - name: simple_regional
+#          backend: local
+#  - name: "simple_regional_private"
+#    driver:
+#      root_module_directory: test/fixtures/simple_regional_private
+#    verifier:
+#      systems:
+#        - name: simple_regional_private
+#          backend: local
+#  - name: "simple_zonal"
+#    driver:
+#      root_module_directory: test/fixtures/simple_zonal
+#    verifier:
+#      systems:
+#        - name: gcloud
+#          backend: local
+#          controls:
+#            - gcloud
+#        - name: gcp
+#          backend: gcp
+#          controls:
+#            - gcp
+#  - name: "simple_zonal_private"
+#    driver:
+#      root_module_directory: test/fixtures/simple_zonal_private
+#    verifier:
+#      systems:
+#        - name: simple_zonal_private
+#          backend: local
+#  - name: "stub_domains"
+#    driver:
+#      root_module_directory: test/fixtures/stub_domains
+#    verifier:
+#      systems:
+#        - name: stub_domains
+#          backend: local
+## Disabled due to issue #264
+## (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
+##  - name: stub_domains_private
+##    driver:
+##      root_module_directory: test/fixtures/stub_domains_private
+##      systems:
+##        - name: stub_domains_private
+##          backend: local
+#  - name: "upstream_nameservers"
+#    driver:
+#      root_module_directory: test/fixtures/upstream_nameservers
+#    verifier:
+#        systems:
+#          - name: upstream_nameservers
+#            backend: local
+#  - name: "stub_domains_upstream_nameservers"
+#    driver:
+#      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
+#    verifier:
+#        systems:
+#          - name: stub_domains_upstream_nameservers
+#            backend: local
+#  - name: "workload_metadata_config"
+#    driver:
+#      root_module_directory: test/fixtures/workload_metadata_config
+#    verifier:
+#      systems:
+#        - name: workload_metadata_config
 #          backend: local
-  - name: "upstream_nameservers"
-    driver:
-      root_module_directory: test/fixtures/upstream_nameservers
-    verifier:
-        systems:
-          - name: upstream_nameservers
-            backend: local
-  - name: "stub_domains_upstream_nameservers"
-    driver:
-      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
-    verifier:
-        systems:
-          - name: stub_domains_upstream_nameservers
-            backend: local
-  - name: "workload_metadata_config"
-    driver:
-      root_module_directory: test/fixtures/workload_metadata_config
-    verifier:
-      systems:
-        - name: workload_metadata_config
-          backend: local

README.md

@@ -108,6 +108,22 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
 
+## Upgrade to v3.0.0
+
+v3.0.0 is a breaking release. Refer to the
+[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
+
+## Upgrade to v2.0.0
+
+v2.0.0 is a breaking release. Refer to the
+[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
+
+## Upgrade to v1.0.0
+
+Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
+
+In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
@@ -153,6 +169,7 @@ Then perform the following commands on the root folder:
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
+| skip\_provisioners | Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |

autogen/README.md

@@ -201,6 +201,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
+| skip\_provisioners | Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |

autogen/cluster.tf

@@ -352,6 +352,7 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_cluster" {
+  count = var.skip_provisioners ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"

autogen/dns.tf

@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0
+  count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"

autogen/variables.tf

@@ -304,6 +304,11 @@ variable "cluster_resource_labels" {
   default     = {}
 }
 
+variable "skip_provisioners" {
+  type        = bool
+  description = "Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set."
+  default     = false
+}
 {% if private_cluster %}
 
 variable "deploy_using_private_endpoint" {

cluster.tf

@@ -227,6 +227,7 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_cluster" {
+  count = var.skip_provisioners ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"

dns.tf

@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0
+  count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"

examples/disable_client_cert/README.md

@@ -12,13 +12,13 @@ This example illustrates how to create a simple cluster and disable deprecated s
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
-| credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |
 | network\_project\_id | The GCP project housing the VPC network to host the cluster in | string | n/a | yes |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
+| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
 
 ## Outputs

examples/disable_client_cert/main.tf

@@ -37,6 +37,7 @@ module "gke" {
   create_service_account   = false
   service_account          = var.compute_engine_service_account
   issue_client_certificate = false
+  skip_provisioners        = var.skip_provisioners
 }
 
 data "google_client_config" "default" {

examples/disable_client_cert/variables.tf

@@ -18,10 +18,6 @@ variable "project_id" {
   description = "The project ID to host the cluster in"
 }
 
-variable "credentials_path" {
-  description = "The path to the GCP credentials JSON file"
-}
-
 variable "cluster_name_suffix" {
   description = "A suffix to append to the default cluster name"
   default     = ""
@@ -55,3 +51,9 @@ variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
 
+variable "skip_provisioners" {
+  type        = bool
+  description = "Flag to skip local-exec provisioners"
+  default     = false
+}
+

examples/simple_regional/README.md

@@ -14,6 +14,7 @@ This example illustrates how to create a simple cluster.
 | network | The VPC network to host the cluster in | string | n/a | yes |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
+| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
 
 ## Outputs

examples/simple_regional/main.tf

@@ -35,6 +35,7 @@ module "gke" {
   ip_range_services      = var.ip_range_services
   create_service_account = false
   service_account        = var.compute_engine_service_account
+  skip_provisioners      = var.skip_provisioners
 }
 
 data "google_client_config" "default" {

examples/simple_regional/variables.tf

@@ -47,3 +47,8 @@ variable "compute_engine_service_account" {
   description = "Service account to associate to the nodes in the cluster"
 }
 
+variable "skip_provisioners" {
+  type        = bool
+  description = "Flag to skip local-exec provisioners"
+  default     = false
+}

modules/beta-private-cluster/README.md

@@ -194,6 +194,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
+| skip\_provisioners | Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |

modules/beta-private-cluster/cluster.tf

@@ -328,6 +328,7 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_cluster" {
+  count = var.skip_provisioners ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"

modules/beta-private-cluster/dns.tf

@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0
+  count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"

modules/beta-private-cluster/variables.tf

@@ -302,6 +302,11 @@ variable "cluster_resource_labels" {
   default     = {}
 }
 
+variable "skip_provisioners" {
+  type        = bool
+  description = "Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set."
+  default     = false
+}
 
 variable "deploy_using_private_endpoint" {
   type        = bool

modules/beta-public-cluster/README.md

@@ -185,6 +185,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
+| skip\_provisioners | Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |

modules/beta-public-cluster/cluster.tf

@@ -323,6 +323,7 @@ resource "google_container_node_pool" "pools" {
 }
 
 resource "null_resource" "wait_for_cluster" {
+  count = var.skip_provisioners ? 0 : 1
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/wait-for-cluster.sh ${var.project_id} ${var.name}"

modules/beta-public-cluster/dns.tf

@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0
+  count = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners ? 1 : 0
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"

modules/beta-public-cluster/variables.tf

@@ -302,6 +302,11 @@ variable "cluster_resource_labels" {
   default     = {}
 }
 
+variable "skip_provisioners" {
+  type        = bool
+  description = "Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set."
+  default     = false
+}
 
 variable "istio" {
   description = "(Beta) Enable Istio addon"

modules/private-cluster/README.md

@@ -178,6 +178,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
+| skip\_provisioners | Flag to skip local-exec provisioners. Does not affect if `stub_domains` or `upstream_nameservers` variable set. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |