feat: Add support for KALM config (terraform-google-modules#528)

Author: c0ffeec0der

autogen/main/cluster.tf.tmpl

@@ -160,6 +160,10 @@ resource "google_container_cluster" "primary" {
         enabled = gce_persistent_disk_csi_driver_config.value.enabled
       }
     }
+
+    kalm_config {
+      enabled = var.kalm_config
+    }
     {% endif %}
   }
 

autogen/main/variables.tf.tmpl

@@ -423,6 +423,12 @@ variable "gce_pd_csi_driver" {
   default     = false
 }
 
+variable "kalm_config" {
+  type        = bool
+  description = "(Beta) Whether KALM is enabled for this cluster."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

autogen/main/versions.tf.tmpl

@@ -19,7 +19,7 @@ terraform {
 
   required_providers {
 {% if beta_cluster %}
-    google-beta = ">= 3.19, <4.0.0"
+    google-beta = ">= 3.21.0, <4.0.0"
 {% else %}
     google = ">= 3.16, <4.0.0"
 {% endif %}

examples/node_pool/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.19.0"
+  version = "~> 3.21.0"
   region  = var.region
 }
 

examples/node_pool_update_variant_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.19.0"
+  version     = "~> 3.21.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/safer_cluster/main.tf

@@ -34,7 +34,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.19.0"
+  version = "~> 3.21.0"
 }
 
 module "gke" {

examples/simple_regional_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.19.0"
+  version = "~> 3.21.0"
   region  = var.region
 }
 

examples/simple_regional_private_beta/main.tf

@@ -24,7 +24,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.19.0"
+  version = "~> 3.21.0"
   region  = var.region
 }
 

examples/workload_metadata_config/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.19.0"
+  version = "~> 3.21.0"
   region  = var.region
 }
 

modules/beta-private-cluster-update-variant/README.md

@@ -196,6 +196,7 @@ Then perform the following commands on the root folder:
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
 | istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
+| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | bool | `"false"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -145,6 +145,10 @@ resource "google_container_cluster" "primary" {
         enabled = gce_persistent_disk_csi_driver_config.value.enabled
       }
     }
+
+    kalm_config {
+      enabled = var.kalm_config
+    }
   }
 
   ip_allocation_policy {

modules/beta-private-cluster-update-variant/variables.tf

@@ -416,6 +416,12 @@ variable "gce_pd_csi_driver" {
   default     = false
 }
 
+variable "kalm_config" {
+  type        = bool
+  description = "(Beta) Whether KALM is enabled for this cluster."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

modules/beta-private-cluster-update-variant/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google-beta = ">= 3.19, <4.0.0"
+    google-beta = ">= 3.21.0, <4.0.0"
   }
 }

modules/beta-private-cluster/README.md

@@ -174,6 +174,7 @@ Then perform the following commands on the root folder:
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
 | istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
+| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | bool | `"false"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

modules/beta-private-cluster/cluster.tf

@@ -145,6 +145,10 @@ resource "google_container_cluster" "primary" {
         enabled = gce_persistent_disk_csi_driver_config.value.enabled
       }
     }
+
+    kalm_config {
+      enabled = var.kalm_config
+    }
   }
 
   ip_allocation_policy {

modules/beta-private-cluster/variables.tf

@@ -416,6 +416,12 @@ variable "gce_pd_csi_driver" {
   default     = false
 }
 
+variable "kalm_config" {
+  type        = bool
+  description = "(Beta) Whether KALM is enabled for this cluster."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

modules/beta-private-cluster/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google-beta = ">= 3.19, <4.0.0"
+    google-beta = ">= 3.21.0, <4.0.0"
   }
 }

modules/beta-public-cluster/README.md

@@ -153,6 +153,7 @@ Then perform the following commands on the root folder:
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
 | istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
+| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | bool | `"false"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

modules/beta-public-cluster/cluster.tf

@@ -145,6 +145,10 @@ resource "google_container_cluster" "primary" {
         enabled = gce_persistent_disk_csi_driver_config.value.enabled
       }
     }
+
+    kalm_config {
+      enabled = var.kalm_config
+    }
   }
 
   ip_allocation_policy {

modules/beta-public-cluster/variables.tf

@@ -392,6 +392,12 @@ variable "gce_pd_csi_driver" {
   default     = false
 }
 
+variable "kalm_config" {
+  type        = bool
+  description = "(Beta) Whether KALM is enabled for this cluster."
+  default     = false
+}
+
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))

modules/beta-public-cluster/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google-beta = ">= 3.19, <4.0.0"
+    google-beta = ">= 3.21.0, <4.0.0"
   }
 }

test/setup/versions.tf

@@ -23,5 +23,5 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "2.20.1"
+  version = "3.21.0"
 }