feat(multi nic): support enabling multi networking

modules/beta-autopilot-private-cluster/cluster.tf

@@ -129,6 +129,9 @@ resource "google_container_cluster" "primary" {
 
   networking_mode = "VPC_NATIVE"
 
+  enable_multi_networking = var.enable_multi_networking
+
+
   protect_config {
     workload_config {
       audit_mode = var.workload_config_audit_mode

modules/beta-autopilot-private-cluster/variables.tf

@@ -416,3 +416,9 @@ variable "timeouts" {
   }
 }
 
+variable "enable_multi_networking" {
+  default     = false
+  type        = bool
+  description = "Enable multi NIC support."
+}
+

modules/beta-autopilot-public-cluster/cluster.tf

@@ -129,6 +129,8 @@ resource "google_container_cluster" "primary" {
 
   networking_mode = "VPC_NATIVE"
 
+  enable_multi_networking = var.enable_multi_networking
+
   protect_config {
     workload_config {
       audit_mode = var.workload_config_audit_mode

modules/beta-autopilot-public-cluster/variables.tf

@@ -386,3 +386,9 @@ variable "timeouts" {
   }
 }
 
+variable "enable_multi_networking" {
+  default     = false
+  type        = bool
+  description = "Enable multi NIC support."
+}
+

modules/beta-private-cluster-update-variant/cluster.tf

@@ -268,6 +268,8 @@ resource "google_container_cluster" "primary" {
 
   networking_mode = "VPC_NATIVE"
 
+  enable_multi_networking = var.enable_multi_networking
+
   protect_config {
     workload_config {
       audit_mode = var.workload_config_audit_mode

modules/beta-private-cluster-update-variant/variables.tf

@@ -746,3 +746,9 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "enable_multi_networking" {
+  default     = false
+  type        = bool
+  description = "Enable multi NIC support."
+}

modules/beta-private-cluster/cluster.tf

@@ -268,6 +268,8 @@ resource "google_container_cluster" "primary" {
 
   networking_mode = "VPC_NATIVE"
 
+  enable_multi_networking = var.enable_multi_networking
+
   protect_config {
     workload_config {
       audit_mode = var.workload_config_audit_mode
@@ -501,15 +503,27 @@ resource "google_container_node_pool" "pools" {
   dynamic "placement_policy" {
     for_each = length(lookup(each.value, "placement_policy", "")) > 0 ? [each.value] : []
     content {
-      type = lookup(placement_policy.value, "placement_policy", null)
+      type        = lookup(placement_policy.value, "placement_policy", null)
+      policy_name = lookup(placement_policy.value, "placement_policy_resource_policy_name", null)
     }
   }
 
   dynamic "network_config" {
     for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
     content {
       pod_range            = lookup(network_config.value, "pod_range", null)
-      enable_private_nodes = var.enable_private_nodes
+      enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
+    }
+  }
+
+  network_config {
+    dynamic "additional_node_network_configs" {
+      for_each = {for idx, x in lookup(var.node_pools_additional_networks, each.value["name"], []) : idx => x}
+      iterator = additional_network
+      content {
+        network    = additional_network.value.network_name
+        subnetwork = additional_network.value.subnetwork_name
+      }
     }
   }
 
@@ -734,7 +748,7 @@ resource "google_container_node_pool" "windows_pools" {
     for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
     content {
       pod_range            = lookup(network_config.value, "pod_range", null)
-      enable_private_nodes = var.enable_private_nodes
+      enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
     }
   }
 

modules/beta-private-cluster/variables.tf

@@ -170,6 +170,20 @@ variable "node_pools_labels" {
   }
 }
 
+variable "node_pools_additional_networks" {
+  type = map(list(object({
+    network_name    = string
+    subnetwork_name = string
+  })))
+  description = "Map of maps containing additional networks by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = []
+    default-node-pool = []
+  }
+}
+
 variable "node_pools_resource_labels" {
   type        = map(map(string))
   description = "Map of maps containing resource labels by node-pool name"
@@ -496,7 +510,7 @@ variable "shadow_firewall_rules_log_config" {
     metadata = string
   })
   description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging."
-  default = {
+  default     = {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
@@ -581,10 +595,12 @@ variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))
 
-  default = [{
-    state    = "DECRYPTED"
-    key_name = ""
-  }]
+  default = [
+    {
+      state    = "DECRYPTED"
+      key_name = ""
+    }
+  ]
 }
 
 variable "enable_shielded_nodes" {
@@ -605,7 +621,9 @@ variable "node_metadata" {
   type        = string
 
   validation {
-    condition     = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+    condition = contains([
+      "GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"
+    ], var.node_metadata)
     error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE."
   }
 }
@@ -722,7 +740,6 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
-
 variable "enable_l4_ilb_subsetting" {
   type        = bool
   description = "Enable L4 ILB Subsetting on the cluster"
@@ -746,3 +763,9 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "enable_multi_networking" {
+  default     = false
+  type        = bool
+  description = "Enable multi NIC support."
+}

modules/beta-public-cluster-update-variant/cluster.tf

@@ -268,6 +268,8 @@ resource "google_container_cluster" "primary" {
 
   networking_mode = "VPC_NATIVE"
 
+  enable_multi_networking = var.enable_multi_networking
+
   protect_config {
     workload_config {
       audit_mode = var.workload_config_audit_mode

modules/beta-public-cluster-update-variant/variables.tf

@@ -716,3 +716,9 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "enable_multi_networking" {
+  default     = false
+  type        = bool
+  description = "Enable multi NIC support."
+}

modules/beta-public-cluster/cluster.tf

@@ -268,6 +268,8 @@ resource "google_container_cluster" "primary" {
 
   networking_mode = "VPC_NATIVE"
 
+  enable_multi_networking = var.enable_multi_networking
+
   protect_config {
     workload_config {
       audit_mode = var.workload_config_audit_mode
@@ -482,7 +484,8 @@ resource "google_container_node_pool" "pools" {
   dynamic "placement_policy" {
     for_each = length(lookup(each.value, "placement_policy", "")) > 0 ? [each.value] : []
     content {
-      type = lookup(placement_policy.value, "placement_policy", null)
+      type        = lookup(placement_policy.value, "placement_policy", null)
+      policy_name = lookup(placement_policy.value, "placement_policy_resource_policy_name", null)
     }
   }
 
@@ -494,6 +497,17 @@ resource "google_container_node_pool" "pools" {
     }
   }
 
+  network_config {
+    dynamic "additional_node_network_configs" {
+      for_each = {for idx, x in lookup(var.node_pools_additional_networks, each.value["name"], []) : idx => x}
+      iterator = additional_network
+      content {
+        network    = additional_network.value.network_name
+        subnetwork = additional_network.value.subnetwork_name
+      }
+    }
+  }
+
   management {
     auto_repair  = lookup(each.value, "auto_repair", true)
     auto_upgrade = lookup(each.value, "auto_upgrade", local.default_auto_upgrade)

modules/beta-public-cluster/variables.tf

@@ -170,6 +170,20 @@ variable "node_pools_labels" {
   }
 }
 
+variable "node_pools_additional_networks" {
+  type = map(list(object({
+    network_name    = string
+    subnetwork_name = string
+  })))
+  description = "Map of maps containing additional networks by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = []
+    default-node-pool = []
+  }
+}
+
 variable "node_pools_resource_labels" {
   type        = map(map(string))
   description = "Map of maps containing resource labels by node-pool name"
@@ -466,7 +480,7 @@ variable "shadow_firewall_rules_log_config" {
     metadata = string
   })
   description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging."
-  default = {
+  default     = {
     metadata = "INCLUDE_ALL_METADATA"
   }
 }
@@ -551,10 +565,12 @@ variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))
 
-  default = [{
-    state    = "DECRYPTED"
-    key_name = ""
-  }]
+  default = [
+    {
+      state    = "DECRYPTED"
+      key_name = ""
+    }
+  ]
 }
 
 variable "enable_shielded_nodes" {
@@ -575,7 +591,9 @@ variable "node_metadata" {
   type        = string
 
   validation {
-    condition     = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+    condition = contains([
+      "GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"
+    ], var.node_metadata)
     error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE."
   }
 }
@@ -716,3 +734,9 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+variable "enable_multi_networking" {
+  default     = false
+  type        = bool
+  description = "Enable multi NIC support."
+}