feat!: Add support for enable_l4_ilb_subsetting flag (#896)

* Add support for enable_l4_ilb_subsetting flag

* Fix typo

* Bump minimum google-beta provider version

* Bump google-provider-beta version in test definitions

* Update autogen/main/variables.tf.tmpl

Remove unnecessary mention of `enabled` RE: `enable_l4_ilb_subsetting` variable

Co-authored-by: Bharath KKB <[email protected]>

* Remove unnecessary `enabled` identifier in description

Co-authored-by: Bharath KKB <[email protected]>

Author: Jberlinsky

autogen/main/cluster.tf.tmpl

@@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 {% endif %}
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config

autogen/main/variables.tf.tmpl

@@ -505,6 +505,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

autogen/main/versions.tf.tmpl

@@ -24,7 +24,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

examples/node_pool/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 

examples/node_pool_update_variant_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.49.0"
+  version     = "~> 3.63.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/node_pool_update_variant_public_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.49.0"
+  version     = "~> 3.63.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/regional_private_node_pool_oauth_scopes/provider.tf

@@ -19,7 +19,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
 }
 
 data "google_client_config" "default" {}

examples/safer_cluster/main.tf

@@ -35,7 +35,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
 }
 
 data "google_client_config" "default" {}

examples/safer_cluster_iap_bastion/provider.tf

@@ -19,7 +19,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
 }
 
 data "google_client_config" "default" {}

examples/simple_regional_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 

examples/simple_regional_private_beta/main.tf

@@ -24,7 +24,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 

examples/simple_zonal_with_asm/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 

examples/workload_metadata_config/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.49.0"
+  version = "~> 3.63.0"
   region  = var.region
 }
 

modules/beta-private-cluster-update-variant/README.md

@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-private-cluster-update-variant/variables.tf

@@ -486,6 +486,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-private-cluster-update-variant/versions.tf

@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster/README.md

@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |

modules/beta-private-cluster/cluster.tf

@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-private-cluster/variables.tf

@@ -486,6 +486,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-private-cluster/versions.tf

@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-public-cluster-update-variant/README.md

@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |

modules/beta-public-cluster-update-variant/cluster.tf

@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-public-cluster-update-variant/variables.tf

@@ -455,6 +455,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-public-cluster-update-variant/versions.tf

@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-public-cluster/README.md

@@ -151,6 +151,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |

modules/beta-public-cluster/cluster.tf

@@ -104,6 +104,8 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
+
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {

modules/beta-public-cluster/variables.tf

@@ -455,6 +455,12 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default     = false
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

modules/beta-public-cluster/versions.tf

@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.49.0, <4.0.0"
+      version = ">= 3.63.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

test/bundle.hcl

@@ -8,7 +8,7 @@ providers {
     source  = "hashicorp/google"
   }
   google-beta = {
-    version = "~> 3.49.0"
+    version = "~> 3.63.0"
     source  = "hashicorp/google-beta"
   }
   external = {