# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. variable "description" { type = string description = "The description of the cluster" default = "GKE Cluster CNCS" } variable "regional" { type = bool description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" default = true } variable "region" { type = string description = "The region to host the cluster in (optional if zonal cluster / required if regional)" default = "us-central1" } variable "zones" { type = list(string) description = "The zones to host the cluster in (optional if regional cluster / required if zonal)" default = ["us-central1-a", "us-central1-b", "us-central1-c"] } variable "network_project_id" { type = string description = "The project ID of the shared VPC's host (for shared vpc support)" default = "" } variable "kubernetes_version" { type = string description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region." default = "latest" } variable "master_authorized_networks" { type = list(object({ cidr_block = string, display_name = string })) description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)." default = [] } variable "deploy_using_private_endpoint" { type = bool description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment." default = false } variable "enable_vertical_pod_autoscaling" { type = bool description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" default = false } variable "horizontal_pod_autoscaling" { type = bool description = "Enable horizontal pod autoscaling addon" default = true } variable "http_load_balancing" { type = bool description = "Enable httpload balancer addon" default = false } variable "service_external_ips" { type = bool description = "Whether external ips specified by a service will be allowed in this cluster" default = false } variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." default = "DATAPATH_PROVIDER_UNSPECIFIED" } variable "maintenance_start_time" { type = string description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" default = "05:00" } variable "maintenance_exclusions" { type = list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string })) description = "List of maintenance exclusions. A cluster can have up to three" default = [] } variable "maintenance_end_time" { type = string description = "Time window specified for recurring maintenance operations in RFC3339 format" default = "" } variable "maintenance_recurrence" { type = string description = "Frequency of the recurring maintenance window in RFC5545 format." default = "" } variable "additional_ip_range_pods" { type = list(string) description = "List of _names_ of the additional secondary subnet ip ranges to use for pods" default = [] } variable "stack_type" { type = string description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." default = "IPV4" } variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" default = [ { name = "default-node-pool-again" machine_type = "e2-medium" node_locations = "us-central1-b,us-central1-c" min_count = 1 max_count = 100 local_ssd_count = 0 spot = false disk_size_gb = 100 disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false enable_gvnic = false logging_variant = "DEFAULT" auto_repair = true auto_upgrade = true preemptible = false initial_node_count = 10 gpu_driver_version = "LATEST" gpu_sharing_strategy = "TIME_SHARING" max_shared_clients_per_gpu = 2 }, ] } variable "windows_node_pools" { type = list(map(string)) description = "List of maps containing Windows node pools" default = [] } variable "node_pools_labels" { type = map(map(string)) description = "Map of maps containing node labels by node-pool name" default = { all = {} default-node-pool = { default-node-pool = true } } } variable "node_pools_resource_labels" { type = map(map(string)) description = "Map of maps containing resource labels by node-pool name" default = { all = {} default-node-pool = {} } } variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" # Default is being set in variables_defaults.tf default = { all = {} default-node-pool = {} } } variable "node_pools_linux_node_configs_sysctls" { type = map(map(string)) description = "Map of maps containing linux node config sysctls by node-pool name" # Default is being set in variables_defaults.tf default = { all = {} default-node-pool = {} } } variable "enable_cost_allocation" { type = bool description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery" default = false } variable "resource_usage_export_dataset_id" { type = string description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export." default = "" } variable "enable_network_egress_export" { type = bool description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic." default = false } variable "enable_resource_consumption_export" { type = bool description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export." default = true } variable "cluster_autoscaling" { type = object({ enabled = bool autoscaling_profile = string min_cpu_cores = number max_cpu_cores = number min_memory_gb = number max_memory_gb = number gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) auto_repair = bool auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) node_pool_soak_duration = optional(string) batch_soak_duration = optional(string) batch_percentage = optional(number) batch_node_count = optional(number) enable_secure_boot = optional(bool, false) enable_integrity_monitoring = optional(bool, true) }) default = { enabled = false autoscaling_profile = "BALANCED" max_cpu_cores = 0 min_cpu_cores = 0 max_memory_gb = 0 min_memory_gb = 0 gpu_resources = [] auto_repair = true auto_upgrade = true disk_size = 100 disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_secure_boot = false enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } variable "node_pools_taints" { type = map(list(object({ key = string, value = string, effect = string }))) description = "Map of lists containing node taints by node-pool name" default = { all = [] default-node-pool = [ { key = "default-node-pool-again" value = true effect = "PREFER_NO_SCHEDULE" }, ] } } variable "node_pools_tags" { type = map(list(string)) description = "Map of lists containing node network tags by node-pool name" default = { all = [] default-node-pool = [ "default-node-pool-again", ] } } variable "node_pools_oauth_scopes" { type = map(list(string)) description = "Map of lists containing node oauth scopes by node-pool name" default = { all = [ "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring", ] } } variable "network_tags" { description = "(Optional) - List of network tags applied to auto-provisioned node pools." type = list(string) default = [] } variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" default = {} } variable "upstream_nameservers" { type = list(string) description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf" default = [] } variable "non_masquerade_cidrs" { type = list(string) description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading." default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] } variable "ip_masq_resync_interval" { type = string description = "The interval at which the agent attempts to sync its ConfigMap file from the disk." default = "60s" } variable "ip_masq_link_local" { type = bool description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)." default = false } variable "configure_ip_masq" { type = bool description = "Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server." default = false } variable "logging_service" { type = string description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none" default = "logging.googleapis.com/kubernetes" } variable "monitoring_service" { type = string description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" default = "monitoring.googleapis.com/kubernetes" } variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." default = true } variable "grant_registry_access" { type = bool description = "Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles." default = false } variable "registry_project_ids" { type = list(string) description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects." default = [] } variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable." default = "" } variable "service_account_name" { type = string description = "The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable." default = "" } variable "boot_disk_kms_key" { type = string description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" default = null } variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" default = false } variable "cluster_ipv4_cidr" { type = string default = null description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR." } variable "cluster_resource_labels" { type = map(string) description = "The GCE resource labels (a map of key/value pairs) to be applied to the cluster" default = {} } variable "dns_cache" { type = bool description = "The status of the NodeLocal DNSCache addon." default = false } variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" default = null } variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string default = "enabled" } variable "enable_mesh_certificates" { type = bool default = false description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." } variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." default = "REGULAR" } variable "gateway_api_channel" { type = string description = "The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`." default = null } variable "add_cluster_firewall_rules" { type = bool description = "Create additional firewall rules" default = false } variable "add_master_webhook_firewall_rules" { type = bool description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`" default = false } variable "firewall_priority" { type = number description = "Priority rule for firewall rules" default = 1000 } variable "firewall_inbound_ports" { type = list(string) description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." default = ["8443", "9443", "15017"] } variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } variable "shadow_firewall_rules_priority" { type = number description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 validation { condition = var.shadow_firewall_rules_priority < 1000 error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)." } } variable "shadow_firewall_rules_log_config" { type = object({ metadata = string }) description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging." default = { metadata = "INCLUDE_ALL_METADATA" } } variable "enable_confidential_nodes" { type = bool description = "An optional flag to enable confidential node config." default = false } variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" default = false } variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string default = "DISABLED" } variable "security_posture_vulnerability_mode" { description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." default = "" } variable "notification_filter_event_type" { type = list(string) description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." default = [] } variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." default = true } variable "enable_tpu" { type = bool description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } variable "network_policy" { type = bool description = "Enable network policy addon" default = false } variable "network_policy_provider" { type = string description = "The network policy provider." default = "CALICO" } variable "initial_node_count" { type = number description = "The number of nodes to create in this cluster's default node pool." default = 0 } variable "remove_default_node_pool" { type = bool description = "Remove default node pool while setting up the cluster" default = false } variable "filestore_csi_driver" { type = bool description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" default = false } variable "disable_legacy_metadata_endpoints" { type = bool description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." default = true } variable "default_max_pods_per_node" { type = number description = "The maximum number of pods to schedule per node" default = 110 } variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) default = [{ state = "DECRYPTED" key_name = "" }] } variable "enable_shielded_nodes" { type = bool description = "Enable Shielded Nodes features on all nodes in this cluster" default = true } variable "enable_binary_authorization" { type = bool description = "Enable BinAuthZ Admission controller" default = false } variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "GKE_METADATA" type = string validation { condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE." } } variable "cluster_dns_provider" { type = string description = "Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS." default = "PROVIDER_UNSPECIFIED" } variable "cluster_dns_scope" { type = string description = "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. " default = "DNS_SCOPE_UNSPECIFIED" } variable "cluster_dns_domain" { type = string description = "The suffix used for all cluster service records." default = "" } variable "gce_pd_csi_driver" { type = bool description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." default = true } variable "gke_backup_agent_config" { type = bool description = "Whether Backup for GKE agent is enabled for this cluster." default = false } variable "gcs_fuse_csi_driver" { type = bool description = "Whether GCE FUSE CSI driver is enabled for this cluster." default = false } variable "stateful_ha" { type = bool description = "Whether the Stateful HA Addon is enabled for this cluster." default = false } variable "timeouts" { type = map(string) description = "Timeout for cluster operations." default = {} validation { condition = !contains([for t in keys(var.timeouts) : contains(["create", "update", "delete"], t)], false) error_message = "Only create, update, delete timeouts can be specified." } } variable "monitoring_enable_managed_prometheus" { type = bool description = "Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled." default = false } variable "monitoring_enable_observability_metrics" { type = bool description = "Whether or not the advanced datapath metrics are enabled." default = false } variable "monitoring_observability_metrics_relay_mode" { type = string description = "Mode used to make advanced datapath metrics relay available." default = null validation { condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." } } variable "monitoring_enabled_components" { type = list(string) description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } variable "logging_enabled_components" { type = list(string) description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } variable "enable_kubernetes_alpha" { type = bool description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." default = false } variable "config_connector" { type = bool description = "Whether ConfigConnector is enabled for this cluster." default = false } variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" default = false } variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" default = false } variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string default = null } variable "master_ipv4_cidr_block" { type = string description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." default = "10.0.0.0/28" } variable "enable_private_endpoint" { type = bool description = "Whether the master's internal IP address is used as the cluster endpoint" default = false } variable "enable_private_nodes" { type = bool description = "Whether nodes have internal IP addresses only" default = false } variable "config_folder_path" { description = "Location of YAML files holding GKE configuration values." type = string default = "../../../configuration/producer/GKE/config" }