Merge branch 'master' into feat/firewall_disco_pod_ranges

Author: splichy

CHANGELOG.md

@@ -6,6 +6,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [24.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v23.3.0...v24.0.0) (2022-11-21)
+
+
+### ⚠ BREAKING CHANGES
+
+* cost_management_config is out of beta now (#1470)
+* update variant - recreate node pools on max_pods_per_node or pod_range change (#1464)
+* expose global master access in GA modules (#1421)
+* min tpb bump for location_policy
+* min TPG bump for location_policy (#1453)
+* add service_external_ips option (#1441)
+* Adding Support for Cost Allocation Feature in Beta (#1413)
+* add boot_disk_kms_key variable for node pools to GA modules (#1371)
+
+### Features
+
+* add boot_disk_kms_key variable for node pools to GA modules ([#1371](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1371)) ([d9a44c6](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d9a44c60198e2bea72aa1f36c5dbe34e59416dbf))
+* add location_policy and fix permadiff ([#1452](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1452)) ([aecccf0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/aecccf0bb8ca950fab5598ce8ec4b91f45dcb4a9))
+* add nodepool autoscaling vars avail in GKE 1.24.1 ([#1415](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1415)) ([f57f3ce](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f57f3ce58de14076a03182aa3b37aae58beac29a))
+* add service_external_ips option ([#1441](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1441)) ([e9de006](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e9de006f535e67a311a01e60a554c636f127fafa))
+* Add support for https_proxy parameter for the config_sync.git block ([#1457](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1457)) ([43bbd3c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/43bbd3c7ac48560e76a6ad2448d8e1901f9d4e4a))
+* Adding Support for Cost Allocation Feature in Beta ([#1413](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1413)) ([ba3dcd0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/ba3dcd0b617ff82367c5fbaffa5dc76e6f9f2cb1))
+* cost_management_config is out of beta now ([#1470](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1470)) ([10ea608](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/10ea6081c532aa0bcd5fdd8addbb15fedfe18ee0))
+* expose global master access in GA modules ([#1421](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1421)) ([4278f2c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/4278f2cd2dfc81ae71230162d53ec30401a5e54f))
+* Make creation of istio-system namespace optional ([#1439](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1439)) ([335c62a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/335c62a546f9b35b6825783e004c46f3d5f2440b))
+* update variant - recreate node pools on max_pods_per_node or pod_range change ([#1464](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1464)) ([b006593](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b006593cf9d81ca018468ad440c70509fdcef082))
+
+
+### Bug Fixes
+
+* location-policy permadrifting [#1445](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1445) ([aecccf0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/aecccf0bb8ca950fab5598ce8ec4b91f45dcb4a9))
+* min tpb bump for location_policy ([0ddd297](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0ddd297a1d57cd4e58849e780d592147eac24321))
+* min TPG bump for location_policy ([#1453](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1453)) ([0ddd297](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0ddd297a1d57cd4e58849e780d592147eac24321))
+
 ## [23.3.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v23.2.0...v23.3.0) (2022-10-28)
 
 

README.md

@@ -147,6 +147,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |

autogen/main/cluster.tf.tmpl

@@ -53,13 +53,13 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
-{% if beta_cluster %}
   dynamic "cost_management_config" {
     for_each = var.enable_cost_allocation ? [1] : []
     content {
       enabled = var.enable_cost_allocation
     }
   }
+{% if beta_cluster %}
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
@@ -434,14 +434,12 @@ resource "google_container_cluster" "primary" {
       enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
       enable_private_nodes    = private_cluster_config.value.enable_private_nodes
       master_ipv4_cidr_block  = private_cluster_config.value.master_ipv4_cidr_block
-      {% if beta_cluster %}
       dynamic "master_global_access_config" {
         for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
         content {
           enabled = master_global_access_config.value
         }
       }
-      {% endif %}
     }
   }
 {% endif %}
@@ -499,7 +497,9 @@ locals {
     "enable_integrity_monitoring",
     "local_ssd_count",
     "machine_type",
+    "max_pods_per_node",
     "min_cpu_platform",
+    "pod_range",
     "preemptible",
     "spot",
     "service_account",
@@ -510,8 +510,9 @@ locals {
 }
 
 # This keepers list is based on the terraform google provider schemaNodeConfig
-# resources where "ForceNew" is "true". schemaNodeConfig can be found in node_config.go at
-# https://github.com/terraform-providers/terraform-provider-google/blob/master/google/node_config.go#L22
+# resources where "ForceNew" is "true". schemaNodeConfig can be found in resource_container_node_pool.go at
+# https://github.com/hashicorp/terraform-provider-google/blob/main/google/resource_container_node_pool.go and node_config.go at
+# https://github.com/terraform-providers/terraform-provider-google/blob/main/google/node_config.go
 resource "random_id" "name" {
   for_each    = merge(local.node_pools, local.windows_node_pools)
   byte_length = 2
@@ -597,7 +598,7 @@ resource "google_container_node_pool" "windows_pools" {
   for_each = local.node_pools
   {% else %}
   for_each = local.windows_node_pools
-  {% endif %}  
+  {% endif %}
   {% if update_variant %}
   name     = { for k, v in random_id.name : k => v.hex }[each.key]
   {% else %}
@@ -632,6 +633,8 @@ resource "google_container_node_pool" "windows_pools" {
       min_node_count = lookup(autoscaling.value, "min_count", 1)
       max_node_count = lookup(autoscaling.value, "max_count", 100)
       location_policy = lookup(autoscaling.value, "location_policy", null)
+      total_min_node_count = lookup(autoscaling.value, "total_min_count", null)
+      total_max_node_count = lookup(autoscaling.value, "total_max_count", null)
     }
   }
 
@@ -642,7 +645,7 @@ resource "google_container_node_pool" "windows_pools" {
       type = lookup(placement_policy.value, "placement_policy", null)
     }
   }
-  
+
   dynamic "network_config" {
     for_each = length(lookup(each.value, "pod_range", "")) > 0  ? [each.value] : []
     content {

autogen/main/variables.tf.tmpl

@@ -196,13 +196,11 @@ variable "node_pools_linux_node_configs_sysctls" {
 {% endif %}
 {% endif %}
 
-{% if beta_cluster %}
 variable "enable_cost_allocation" {
   type        = bool
   description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"
   default     = false
 }
-{% endif %}
 variable "resource_usage_export_dataset_id" {
   type        = string
   description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export."
@@ -410,16 +408,13 @@ variable "master_ipv4_cidr_block" {
   description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
   default     = "10.0.0.0/28"
 }
-{% if beta_cluster %}
 
 variable "master_global_access_enabled" {
   type        = bool
-  description = "(Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
-
+  description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
   default     = true
 }
 {% endif %}
-{% endif %}
 
 variable "dns_cache" {
   type        = bool

autogen/main/versions.tf.tmpl

@@ -24,15 +24,15 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.36.0, < 5.0"
+      version = ">= 4.42.0, < 5.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
       version = "~> 2.10"
     }
   }
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v24.0.0"
   }
 {% else %}
   required_providers {
@@ -46,7 +46,7 @@ terraform {
     }
   }
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v24.0.0"
   }
 {% endif %}
 }

autogen/safer-cluster/main.tf.tmpl

@@ -161,6 +161,9 @@ module "gke" {
   // We suggest to define policies about  which images can run on a cluster.
   enable_binary_authorization = true
 
+  // Enable cost allocation support
+  enable_cost_allocation = var.enable_cost_allocation
+
   // Use of PodSecurityPolicy admission controller
   // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
   enable_pod_security_policy = var.enable_pod_security_policy

autogen/safer-cluster/variables.tf.tmpl

@@ -356,6 +356,12 @@ variable "enable_resource_consumption_export" {
   default     = true
 }
 
+variable "enable_cost_allocation" {
+  type        = bool
+  description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

autogen/safer-cluster/versions.tf.tmpl

@@ -23,6 +23,6 @@ terraform {
   required_version = ">=0.13"
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v24.0.0"
   }
 }

cluster.tf

@@ -47,6 +47,12 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+  dynamic "cost_management_config" {
+    for_each = var.enable_cost_allocation ? [1] : []
+    content {
+      enabled = var.enable_cost_allocation
+    }
+  }
 
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
@@ -303,7 +309,6 @@ resource "google_container_cluster" "primary" {
 resource "google_container_node_pool" "pools" {
   provider = google
   for_each = local.node_pools
-
   name     = each.key
   project  = var.project_id
   location = local.location
@@ -331,9 +336,11 @@ resource "google_container_node_pool" "pools" {
   dynamic "autoscaling" {
     for_each = lookup(each.value, "autoscaling", true) ? [each.value] : []
     content {
-      min_node_count  = lookup(autoscaling.value, "min_count", 1)
-      max_node_count  = lookup(autoscaling.value, "max_count", 100)
-      location_policy = lookup(autoscaling.value, "location_policy", null)
+      min_node_count       = lookup(autoscaling.value, "min_count", 1)
+      max_node_count       = lookup(autoscaling.value, "max_count", 100)
+      location_policy      = lookup(autoscaling.value, "location_policy", null)
+      total_min_node_count = lookup(autoscaling.value, "total_min_count", null)
+      total_max_node_count = lookup(autoscaling.value, "total_max_count", null)
     }
   }
 
@@ -456,7 +463,6 @@ resource "google_container_node_pool" "pools" {
 resource "google_container_node_pool" "windows_pools" {
   provider = google
   for_each = local.windows_node_pools
-
   name     = each.key
   project  = var.project_id
   location = local.location
@@ -484,9 +490,11 @@ resource "google_container_node_pool" "windows_pools" {
   dynamic "autoscaling" {
     for_each = lookup(each.value, "autoscaling", true) ? [each.value] : []
     content {
-      min_node_count  = lookup(autoscaling.value, "min_count", 1)
-      max_node_count  = lookup(autoscaling.value, "max_count", 100)
-      location_policy = lookup(autoscaling.value, "location_policy", null)
+      min_node_count       = lookup(autoscaling.value, "min_count", 1)
+      max_node_count       = lookup(autoscaling.value, "max_count", 100)
+      location_policy      = lookup(autoscaling.value, "location_policy", null)
+      total_min_node_count = lookup(autoscaling.value, "total_min_count", null)
+      total_max_node_count = lookup(autoscaling.value, "total_max_count", null)
     }
   }
 

docs/upgrading_to_v24.0.md

@@ -0,0 +1,62 @@
+# Upgrading to v24.0
+The v24.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### master_global_access_enabled in GA private-cluster module
+
+`master_global_access` is now supported in GA private-cluster module and defaults to true. To opt out, set `master_global_access_enabled` to `false`.
+
+```diff
+  module "gke" {
+-   source           = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
+-   version          = "~> 23.0"
++   source           = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
++   version          = "~> 24.0"
+...
++   master_global_access_enabled  = false
+}
+```
+
+### Update variant random ID keepers updated
+
+The v24.0 release updates the keepers for the update variant modules. This will force a recreation of the nodepools.
+
+To avoid this, it is possible to edit the remote state of the `random_id` resource to add the new attributes.
+
+1. Perform a `terraform plan` as normal, identifying the `random_id` resources changing and the new `max_pods_per_node` and `pod_range` attributes
+```tf
+      ~ keepers     = { # forces replacement
+          + "max_pods_per_node"           = ""
+          + "pod_range"                   = ""
+            # (19 unchanged elements hidden)
+        }
+        # (2 unchanged attributes hidden)
+    }
+```
+2. Pull the remote state locally: `terraform state pull > default.tfstate`
+1. Back up the original remote state: `cp default.tfstate original.tfstate`
+1. Edit the `random_id` resources to add in the new `max_pods_per_node` and `pod_range` attributes from the `terraform plan` step
+```diff
+"attributes": {
+            "b64_std": "pool-02-vb4=",
+            "b64_url": "pool-02-vb4",
+            "byte_length": 2,
+            "dec": "pool-02-48574",
+            "hex": "pool-02-bdbe",
+            "id": "vb4",
+            "keepers": {
+            ...
+              "taints": "",
++             "max_pods_per_node": "",
++             "pod_range": ""
+            },
+            "prefix": "pool-02-"
+          }
+```
+5. Bump the serial number at the top
+1. Push the modified state to the remote `terraform state push default.tfstate`
+1. Confirm the `random_id` resource no longer changes (or the corresponding `nodepool`) in a `terraform plan`
+
+### Minimum Google Provider versions
+
+Minimum Google Provider versions have been updated to `4.42.0`.

examples/simple_regional/main.tf

@@ -38,6 +38,7 @@ module "gke" {
   ip_range_services           = var.ip_range_services
   create_service_account      = false
   service_account             = var.compute_engine_service_account
+  enable_cost_allocation      = true
   enable_binary_authorization = var.enable_binary_authorization
   skip_provisioners           = var.skip_provisioners
 }

modules/acm/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_version = ">= 0.13.0"
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v24.0.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v24.0.0"
   }
 
   required_providers {

modules/asm/versions.tf

@@ -26,10 +26,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v24.0.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v24.0.0"
   }
 }

modules/auth/versions.tf

@@ -19,6 +19,6 @@ terraform {
   required_version = ">= 0.13.0"
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v23.3.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v24.0.0"
   }
 }