terraform-google-modules · dzoeteman · Dec 5, 2023 · Jan 19, 2024
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -333,6 +333,9 @@ resource "google_container_cluster" "primary" {
   {% if autopilot_cluster != true %}
 
   datapath_provider = var.datapath_provider
+  {% if beta_cluster %}
+  enable_multi_networking = var.enable_multi_networking
+  {% endif %}
   {% endif %}
 
   {% if beta_cluster %}
@@ -727,16 +730,36 @@ resource "google_container_node_pool" "windows_pools" {
     }
   }
 
-  dynamic "network_config" {
-    for_each = length(lookup(each.value, "pod_range", "")) > 0  ? [each.value] : []
-    content {
-      pod_range            = lookup(network_config.value, "pod_range", null)
-      {% if private_cluster %}
-      enable_private_nodes = var.enable_private_nodes
-      {% else %}
-      enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
-      {% endif %}
+  network_config {
+    pod_range            = lookup(network_config.value, "pod_range", null)
+    {% if private_cluster %}
+    enable_private_nodes = var.enable_private_nodes
+    {% else %}
+    enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
+    {% endif %}
+    {% if beta_cluster %}
+    dynamic "additional_node_network_configs" {
+      for_each = concat(
+        local.node_pools_additional_node_network_configs["all"],
+        local.node_pools_additional_node_network_configs[each.value["name"]]
+      )
+      content {
+        network = additional_node_network_configs.value.network
+        subnetwork = additional_node_network_configs.value.subnetwork
+      }
+    }
+    dynamic "additional_pod_network_configs" {
+      for_each = concat(
+        local.node_pools_additional_pod_network_configs["all"],
+        local.node_pools_additional_pod_network_configs[each.value["name"]]
+      )
+      content {
+        subnetwork = additional_pod_network_configs.value.subnetwork
+        secondary_pod_range = additional_pod_network_configs.value.secondary_pod_range
+        max_pods_per_node = additional_pod_network_configs.value.max_pods_per_node
+      }
     }
+    {% endif %}
   }
 
   management {

diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -108,6 +108,14 @@ variable "datapath_provider" {
   description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
   default     = "DATAPATH_PROVIDER_UNSPECIFIED"
 }
+{% if beta_cluster %}
+
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster."
+  default     = false
+}
+{% endif %}
 
 {% endif %}
 variable "maintenance_start_time" {
@@ -216,6 +224,28 @@ variable "node_pools_linux_node_configs_sysctls" {
     default-node-pool = {}
   }
 }
+{% if beta_cluster %}
+
+variable "node_pools_additional_node_network_configs" {
+  type = map(list(object({ network = string, subnetwork = string })))
+  description = "Map of maps containing additional node network configs by node-pool name"
+
+  default = {
+    all = []
+    default-node-pool = []
+  }
+}
+
+variable "node_pools_additional_pod_network_configs" {
+  type = map(list(object({ subnetwork = string, secondary_pod_range = string, max_pods_per_node = number })))
+  description = "Map of maps containing additional pod network configs by node-pool name"
+
+  default = {
+    all = []
+    default-node-pool = []
+  }
+}
+{% endif %}
 {% endif %}
 
 variable "enable_cost_allocation" {

diff --git a/autogen/main/variables_defaults.tf.tmpl b/autogen/main/variables_defaults.tf.tmpl
@@ -114,5 +114,26 @@ locals {
     ),
     var.node_pools_linux_node_configs_sysctls
   )
+  {% if beta_cluster %}
+  node_pools_additional_node_network_configs = merge(
+    { all = [] },
+    { default-node-pool = [] },
+    zipmap(
+      [for node_pool in var.node_pools : node_pool["name"]],
+      [for node_pool in var.node_pools : []]
+    ),
+    var.node_pools_additional_node_network_configs
+  )
+
+  node_pools_additional_pod_network_configs = merge(
+    { all = [] },
+    { default-node-pool = [] },
+    zipmap(
+      [for node_pool in var.node_pools : node_pool["name"]],
+      [for node_pool in var.node_pools : []]
+    ),
+    var.node_pools_additional_pod_network_configs
+  )
+  {% endif %}
 }
 {% endif %}
diff --git a/cluster.tf b/cluster.tf
@@ -449,12 +449,9 @@ resource "google_container_node_pool" "pools" {
     }
   }
 
-  dynamic "network_config" {
-    for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
-    content {
-      pod_range            = lookup(network_config.value, "pod_range", null)
-      enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
-    }
+  network_config {
+    pod_range            = lookup(network_config.value, "pod_range", null)
+    enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
   }
 
   management {
@@ -658,12 +655,9 @@ resource "google_container_node_pool" "windows_pools" {
     }
   }
 
-  dynamic "network_config" {
-    for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
-    content {
-      pod_range            = lookup(network_config.value, "pod_range", null)
-      enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
-    }
+  network_config {
+    pod_range            = lookup(network_config.value, "pod_range", null)
+    enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
   }
 
   management {

diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -200,6 +200,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
@@ -250,6 +251,8 @@ Then perform the following commands on the root folder:
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
+| node\_pools\_additional\_node\_network\_configs | Map of maps containing additional node network configs by node-pool name | `map(list(object({ network = string, subnetwork = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
+| node\_pools\_additional\_pod\_network\_configs | Map of maps containing additional pod network configs by node-pool name | `map(list(object({ subnetwork = string, secondary_pod_range = string, max_pods_per_node = number })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |

diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -265,7 +265,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  datapath_provider = var.datapath_provider
+  datapath_provider       = var.datapath_provider
+  enable_multi_networking = var.enable_multi_networking
 
   networking_mode = "VPC_NATIVE"
 
@@ -617,11 +618,29 @@ resource "google_container_node_pool" "pools" {
     }
   }
 
-  dynamic "network_config" {
-    for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
-    content {
-      pod_range            = lookup(network_config.value, "pod_range", null)
-      enable_private_nodes = var.enable_private_nodes
+  network_config {
+    pod_range            = lookup(network_config.value, "pod_range", null)
+    enable_private_nodes = var.enable_private_nodes
+    dynamic "additional_node_network_configs" {
+      for_each = concat(
+        local.node_pools_additional_node_network_configs["all"],
+        local.node_pools_additional_node_network_configs[each.value["name"]]
+      )
+      content {
+        network    = additional_node_network_configs.value.network
+        subnetwork = additional_node_network_configs.value.subnetwork
+      }
+    }
+    dynamic "additional_pod_network_configs" {
+      for_each = concat(
+        local.node_pools_additional_pod_network_configs["all"],
+        local.node_pools_additional_pod_network_configs[each.value["name"]]
+      )
+      content {
+        subnetwork          = additional_pod_network_configs.value.subnetwork
+        secondary_pod_range = additional_pod_network_configs.value.secondary_pod_range
+        max_pods_per_node   = additional_pod_network_configs.value.max_pods_per_node
+      }
     }
   }
 
@@ -852,11 +871,29 @@ resource "google_container_node_pool" "windows_pools" {
     }
   }
 
-  dynamic "network_config" {
-    for_each = length(lookup(each.value, "pod_range", "")) > 0 ? [each.value] : []
-    content {
-      pod_range            = lookup(network_config.value, "pod_range", null)
-      enable_private_nodes = var.enable_private_nodes
+  network_config {
+    pod_range            = lookup(network_config.value, "pod_range", null)
+    enable_private_nodes = var.enable_private_nodes
+    dynamic "additional_node_network_configs" {
+      for_each = concat(
+        local.node_pools_additional_node_network_configs["all"],
+        local.node_pools_additional_node_network_configs[each.value["name"]]
+      )
+      content {
+        network    = additional_node_network_configs.value.network
+        subnetwork = additional_node_network_configs.value.subnetwork
+      }
+    }
+    dynamic "additional_pod_network_configs" {
+      for_each = concat(
+        local.node_pools_additional_pod_network_configs["all"],
+        local.node_pools_additional_pod_network_configs[each.value["name"]]
+      )
+      content {
+        subnetwork          = additional_pod_network_configs.value.subnetwork
+        secondary_pod_range = additional_pod_network_configs.value.secondary_pod_range
+        max_pods_per_node   = additional_pod_network_configs.value.max_pods_per_node
+      }
     }
   }
 

diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -108,6 +108,12 @@ variable "datapath_provider" {
   default     = "DATAPATH_PROVIDER_UNSPECIFIED"
 }
 
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster."
+  default     = false
+}
+
 variable "maintenance_start_time" {
   type        = string
   description = "Time window specified for daily or recurring maintenance operations in RFC3339 format"
@@ -214,6 +220,26 @@ variable "node_pools_linux_node_configs_sysctls" {
   }
 }
 
+variable "node_pools_additional_node_network_configs" {
+  type        = map(list(object({ network = string, subnetwork = string })))
+  description = "Map of maps containing additional node network configs by node-pool name"
+
+  default = {
+    all               = []
+    default-node-pool = []
+  }
+}
+
+variable "node_pools_additional_pod_network_configs" {
+  type        = map(list(object({ subnetwork = string, secondary_pod_range = string, max_pods_per_node = number })))
+  description = "Map of maps containing additional pod network configs by node-pool name"
+
+  default = {
+    all               = []
+    default-node-pool = []
+  }
+}
+
 variable "enable_cost_allocation" {
   type        = bool
   description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"

diff --git a/modules/beta-private-cluster-update-variant/variables_defaults.tf b/modules/beta-private-cluster-update-variant/variables_defaults.tf
@@ -113,4 +113,23 @@ locals {
     ),
     var.node_pools_linux_node_configs_sysctls
   )
+  node_pools_additional_node_network_configs = merge(
+    { all = [] },
+    { default-node-pool = [] },
+    zipmap(
+      [for node_pool in var.node_pools : node_pool["name"]],
+      [for node_pool in var.node_pools : []]
+    ),
+    var.node_pools_additional_node_network_configs
+  )
+
+  node_pools_additional_pod_network_configs = merge(
+    { all = [] },
+    { default-node-pool = [] },
+    zipmap(
+      [for node_pool in var.node_pools : node_pool["name"]],
+      [for node_pool in var.node_pools : []]
+    ),
+    var.node_pools_additional_pod_network_configs
+  )
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -178,6 +178,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
@@ -228,6 +229,8 @@ Then perform the following commands on the root folder:
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
+| node\_pools\_additional\_node\_network\_configs | Map of maps containing additional node network configs by node-pool name | `map(list(object({ network = string, subnetwork = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
+| node\_pools\_additional\_pod\_network\_configs | Map of maps containing additional pod network configs by node-pool name | `map(list(object({ subnetwork = string, secondary_pod_range = string, max_pods_per_node = number })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |