Merge pull request #5 from terraform-google-modules/master

update

Author: bharathkkb

.kitchen.yml

@@ -45,6 +45,13 @@ suites:
       systems:
         - name: shared_vpc
           backend: local
+  - name: "safer_cluster"
+    driver:
+      root_module_directory: test/fixtures/safer_cluster
+    verifier:
+      systems:
+        - name: safer_cluster
+          backend: local
   - name: "simple_regional"
     driver:
       root_module_directory: test/fixtures/simple_regional

CHANGELOG.md

@@ -14,12 +14,30 @@ Extending the adopted spec, each change should have a link to its corresponding
 * Support for setting node_locations on node pools. [#303]
 * Fix for specifying  `node_count` on node pools when autoscaling is disabled. [#311]
 * Added submodule for installing Anthos Config Management. [#268]
-* Support for `local_ssd_count` in node pool configuration. [#244]
+* Support for `local_ssd_count` in node pool configuration. [#339]
 * Wait for cluster to be ready before returning endpoint. [#340]
+* `safer-cluster` submodule. [#315]
+* `simple_regional_with_networking` example. [#195]
+* `release_channel` variable for beta submodules. [#271]
+* The `node_locations` attribute to the `node_pools` object for beta submodules. [#290]
+* `private_zonal_with_nteworking` example. [#308]
+* `regional_private_node_pool_oauth_scopes` example. [#321]
+
+### Changed
+
+* The `node_pool_labels`, `node_pool_tags`, and `node_pool_taints` variables have defaults and can be overridden within the
+  `node_pools` object. [#3]
+* `upstream_nameservers` variable is typed as a list of strings. [#350]
 
 ### Removed
 
 * **Breaking**: Removed support for enabling the Kubernetes dashboard, as this is deprecated on GKE. [#337]
+* **Beaking**: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. [#261]
+
+### Fixed
+
+* `identity_namespace` output depends on the `google_container_cluster.primary` resource. [#301]
+* Idempotency of the beta submodules. [#326]
 
 ## [v5.1.1] - 2019-10-25
 
@@ -217,7 +235,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 * Initial release of module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.1...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.2.0...HEAD
+[v5.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.1...v5.2.0
 [v5.1.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.0...v5.1.1
 [v5.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.0.0...v5.1.0
 [v5.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v4.1.0...v5.0.0
@@ -234,17 +253,27 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
-[#337]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/337
+[#350]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/350
 [#340]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/340
-[#268]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/268
+[#339]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/339
+[#337]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/337
+[#326]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/326
+[#321]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/321
+[#315]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/315
 [#311]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/311
+[#308]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/308
 [#303]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/303
+[#301]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/301
 [#300]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/300
+[#290]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/290
 [#286]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/286
 [#285]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/285
 [#284]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/284
 [#282]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/282
 [#273]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/273
+[#271]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/271
+[#268]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/268
+[#261]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/261
 [#258]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/258
 [#256]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/256
 [#248]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/248
@@ -253,7 +282,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [#238]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/238
 [#241]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/241
 [#250]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/250
-[#244]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/244
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234
@@ -265,6 +293,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [#203]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/203
 [#198]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/198
 [#197]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/197
+[#195]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/195
 [#193]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/193
 [#188]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/188
 [#187]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/187
@@ -312,6 +341,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [#15]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/15
 [#10]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/10
 [#9]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/9
+[#3]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/3
 
 [upgrading-to-v2.0]: docs/upgrading_to_v2.0.md
 [upgrading-to-v3.0]: docs/upgrading_to_v3.0.md

README.md

@@ -172,7 +172,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
-| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |
+| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `<list>` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `<list>` | no |
 
 ## Outputs

autogen/variables.tf.tmpl

@@ -217,7 +217,7 @@ variable "stub_domains" {
 }
 
 variable "upstream_nameservers" {
-  type        = "list"
+  type        = list(string)
   description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf"
   default     = []
 }

build/int.cloudbuild.yaml

@@ -64,6 +64,26 @@ steps:
     - verify shared-vpc-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy shared-vpc-local']
+- id: create safer-cluster-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create safer-cluster-local']
+- id: converge safer-cluster-local
+  waitFor:
+    - create safer-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge safer-cluster-local']
+- id: verify safer-cluster-local
+  waitFor:
+    - converge safer-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify safer-cluster-local']
+- id: destroy safer-cluster-local
+  waitFor:
+    - verify safer-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy safer-cluster-local']
 - id: create simple-regional-local
   waitFor:
     - prepare

examples/safer_cluster/README.md

@@ -0,0 +1,37 @@
+# Safer GKE Cluster
+
+This example illustrates how to instantiate the opinionated Safer Cluster module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | `"us-central1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | The cluster ca certificate (base64 encoded) |
+| client\_token | The bearer token for auth |
+| cluster\_name | Cluster name |
+| kubernetes\_endpoint | The cluster endpoint |
+| location |  |
+| master\_kubernetes\_version | Kubernetes version of the master |
+| network\_name | The name of the VPC being created |
+| project\_id | The project ID the cluster is in |
+| region | The region in which the cluster resides |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnet\_names | The names of the subnet being created |
+| zones | List of zones in which the cluster resides |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/safer_cluster/main.tf

@@ -0,0 +1,68 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+locals {
+  cluster_type           = "safer-cluster"
+  network_name           = "safer-cluster-network-${random_string.suffix.result}"
+  subnet_name            = "safer-cluster-subnet-${random_string.suffix.result}"
+  master_auth_subnetwork = "safer-cluster-master-subnet-${random_string.suffix.result}"
+  pods_range_name        = "ip-range-pods-${random_string.suffix.result}"
+  svc_range_name         = "ip-range-svc-${random_string.suffix.result}"
+}
+
+provider "google" {
+  version = "~> 2.18.0"
+}
+
+provider "google-beta" {
+  version = "~> 2.18.0"
+}
+
+module "gke" {
+  source                         = "../../modules/safer-cluster/"
+  project_id                     = var.project_id
+  name                           = "${local.cluster_type}-cluster-${random_string.suffix.result}"
+  regional                       = true
+  region                         = var.region
+  network                        = module.gcp-network.network_name
+  subnetwork                     = module.gcp-network.subnets_names[0]
+  ip_range_pods                  = local.pods_range_name
+  ip_range_services              = local.svc_range_name
+  compute_engine_service_account = var.compute_engine_service_account
+  master_ipv4_cidr_block         = "172.16.0.0/28"
+  master_authorized_networks_config = [
+    {
+      cidr_blocks = [
+        {
+          cidr_block   = "10.60.0.0/17"
+          display_name = "VPC"
+        },
+      ]
+    },
+  ]
+  istio    = true
+  cloudrun = true
+}
+
+data "google_client_config" "default" {
+}
+

examples/safer_cluster/network.tf

@@ -0,0 +1,48 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gcp-network" {
+  source       = "terraform-google-modules/network/google"
+  version      = "~> 1.4.0"
+  project_id   = var.project_id
+  network_name = local.network_name
+
+  subnets = [
+    {
+      subnet_name   = local.subnet_name
+      subnet_ip     = "10.0.0.0/17"
+      subnet_region = var.region
+    },
+    {
+      subnet_name   = local.master_auth_subnetwork
+      subnet_ip     = "10.60.0.0/17"
+      subnet_region = var.region
+    },
+  ]
+
+  secondary_ranges = {
+    "${local.subnet_name}" = [
+      {
+        range_name    = local.pods_range_name
+        ip_cidr_range = "192.168.0.0/18"
+      },
+      {
+        range_name    = local.svc_range_name
+        ip_cidr_range = "192.168.64.0/18"
+      },
+    ]
+  }
+}

examples/safer_cluster/outputs.tf

@@ -0,0 +1,76 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  description = "The cluster endpoint"
+  sensitive   = true
+  value       = module.gke.endpoint
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = module.gke.name
+}
+
+output "location" {
+  value = module.gke.location
+}
+
+output "master_kubernetes_version" {
+  description = "Kubernetes version of the master"
+  value       = module.gke.master_version
+}
+
+output "client_token" {
+  description = "The bearer token for auth"
+  sensitive   = true
+  value       = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+  description = "The cluster ca certificate (base64 encoded)"
+  value       = module.gke.ca_certificate
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = module.gke.service_account
+}
+
+output "network_name" {
+  description = "The name of the VPC being created"
+  value       = module.gcp-network.network_name
+}
+
+output "subnet_names" {
+  description = "The names of the subnet being created"
+  value       = module.gcp-network.subnets_names
+}
+
+output "region" {
+  description = "The region in which the cluster resides"
+  value       = module.gke.region
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides"
+  value       = module.gke.zones
+}
+
+output "project_id" {
+  description = "The project ID the cluster is in"
+  value       = var.project_id
+}