-
Notifications
You must be signed in to change notification settings - Fork 0
/
variables.tf
748 lines (631 loc) · 25.3 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// This file was automatically generated from a template in ./autogen/main
variable "project_id" {
type = string
description = "The project ID to host the cluster in (required)"
}
variable "name" {
type = string
description = "The name of the cluster (required)"
}
variable "description" {
type = string
description = "The description of the cluster"
default = ""
}
variable "regional" {
type = bool
description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
default = true
}
variable "region" {
type = string
description = "The region to host the cluster in (optional if zonal cluster / required if regional)"
default = null
}
variable "zones" {
type = list(string)
description = "The zones to host the cluster in (optional if regional cluster / required if zonal)"
default = []
}
variable "network" {
type = string
description = "The VPC network to host the cluster in (required)"
}
variable "network_project_id" {
type = string
description = "The project ID of the shared VPC's host (for shared vpc support)"
default = ""
}
variable "subnetwork" {
type = string
description = "The subnetwork to host the cluster in (required)"
}
variable "kubernetes_version" {
type = string
description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region."
default = "latest"
}
variable "master_authorized_networks" {
type = list(object({ cidr_block = string, display_name = string }))
description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
default = []
}
variable "enable_vertical_pod_autoscaling" {
type = bool
description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
default = false
}
variable "horizontal_pod_autoscaling" {
type = bool
description = "Enable horizontal pod autoscaling addon"
default = true
}
variable "http_load_balancing" {
type = bool
description = "Enable httpload balancer addon"
default = true
}
variable "service_external_ips" {
type = bool
description = "Whether external ips specified by a service will be allowed in this cluster"
default = false
}
variable "datapath_provider" {
type = string
description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
default = "DATAPATH_PROVIDER_UNSPECIFIED"
}
variable "maintenance_start_time" {
type = string
description = "Time window specified for daily or recurring maintenance operations in RFC3339 format"
default = "05:00"
}
variable "maintenance_exclusions" {
type = list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))
description = "List of maintenance exclusions. A cluster can have up to three"
default = []
}
variable "maintenance_end_time" {
type = string
description = "Time window specified for recurring maintenance operations in RFC3339 format"
default = ""
}
variable "maintenance_recurrence" {
type = string
description = "Frequency of the recurring maintenance window in RFC5545 format."
default = ""
}
variable "ip_range_pods" {
type = string
description = "The _name_ of the secondary subnet ip range to use for pods"
}
variable "additional_ip_range_pods" {
type = list(string)
description = "List of _names_ of the additional secondary subnet ip ranges to use for pods"
default = []
}
variable "ip_range_services" {
type = string
description = "The _name_ of the secondary subnet range to use for services"
}
variable "stack_type" {
type = string
description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`."
default = "IPV4"
}
variable "node_pools" {
type = list(map(any))
description = "List of maps containing node pools"
default = [
{
name = "default-node-pool"
},
]
}
variable "windows_node_pools" {
type = list(map(string))
description = "List of maps containing Windows node pools"
default = []
}
variable "node_pools_labels" {
type = map(map(string))
description = "Map of maps containing node labels by node-pool name"
# Default is being set in variables_defaults.tf
default = {
all = {}
default-node-pool = {}
}
}
variable "node_pools_resource_labels" {
type = map(map(string))
description = "Map of maps containing resource labels by node-pool name"
default = {
all = {}
default-node-pool = {}
}
}
variable "node_pools_metadata" {
type = map(map(string))
description = "Map of maps containing node metadata by node-pool name"
# Default is being set in variables_defaults.tf
default = {
all = {}
default-node-pool = {}
}
}
variable "node_pools_linux_node_configs_sysctls" {
type = map(map(string))
description = "Map of maps containing linux node config sysctls by node-pool name"
# Default is being set in variables_defaults.tf
default = {
all = {}
default-node-pool = {}
}
}
variable "enable_cost_allocation" {
type = bool
description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"
default = false
}
variable "resource_usage_export_dataset_id" {
type = string
description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export."
default = ""
}
variable "enable_network_egress_export" {
type = bool
description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
default = false
}
variable "enable_resource_consumption_export" {
type = bool
description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export."
default = true
}
variable "cluster_autoscaling" {
type = object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
default = {
enabled = false
autoscaling_profile = "BALANCED"
max_cpu_cores = 0
min_cpu_cores = 0
max_memory_gb = 0
min_memory_gb = 0
gpu_resources = []
auto_repair = true
auto_upgrade = true
disk_size = 100
disk_type = "pd-standard"
image_type = "COS_CONTAINERD"
enable_secure_boot = false
enable_integrity_monitoring = true
}
description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)"
}
variable "node_pools_taints" {
type = map(list(object({ key = string, value = string, effect = string })))
description = "Map of lists containing node taints by node-pool name"
# Default is being set in variables_defaults.tf
default = {
all = []
default-node-pool = []
}
}
variable "node_pools_tags" {
type = map(list(string))
description = "Map of lists containing node network tags by node-pool name"
# Default is being set in variables_defaults.tf
default = {
all = []
default-node-pool = []
}
}
variable "node_pools_oauth_scopes" {
type = map(list(string))
description = "Map of lists containing node oauth scopes by node-pool name"
# Default is being set in variables_defaults.tf
default = {
all = ["https://www.googleapis.com/auth/cloud-platform"]
default-node-pool = []
}
}
variable "network_tags" {
description = "(Optional) - List of network tags applied to auto-provisioned node pools."
type = list(string)
default = []
}
variable "stub_domains" {
type = map(list(string))
description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
default = {}
}
variable "upstream_nameservers" {
type = list(string)
description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf"
default = []
}
variable "non_masquerade_cidrs" {
type = list(string)
description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."
default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}
variable "ip_masq_resync_interval" {
type = string
description = "The interval at which the agent attempts to sync its ConfigMap file from the disk."
default = "60s"
}
variable "ip_masq_link_local" {
type = bool
description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)."
default = false
}
variable "configure_ip_masq" {
type = bool
description = "Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server."
default = false
}
variable "logging_service" {
type = string
description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
default = "logging.googleapis.com/kubernetes"
}
variable "monitoring_service" {
type = string
description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
default = "monitoring.googleapis.com/kubernetes"
}
variable "create_service_account" {
type = bool
description = "Defines if service account specified to run nodes should be created."
default = true
}
variable "grant_registry_access" {
type = bool
description = "Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles."
default = false
}
variable "registry_project_ids" {
type = list(string)
description = "Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects."
default = []
}
variable "service_account" {
type = string
description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service_account_name variable."
default = ""
}
variable "service_account_name" {
type = string
description = "The name of the service account that will be created if create_service_account is true. If you wish to use an existing service account, use service_account variable."
default = ""
}
variable "boot_disk_kms_key" {
type = string
description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
default = null
}
variable "issue_client_certificate" {
type = bool
description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
default = false
}
variable "cluster_ipv4_cidr" {
type = string
default = null
description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR."
}
variable "cluster_resource_labels" {
type = map(string)
description = "The GCE resource labels (a map of key/value pairs) to be applied to the cluster"
default = {}
}
variable "dns_cache" {
type = bool
description = "The status of the NodeLocal DNSCache addon."
default = false
}
variable "authenticator_security_group" {
type = string
description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected]"
default = null
}
variable "identity_namespace" {
description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
type = string
default = "enabled"
}
variable "enable_mesh_certificates" {
type = bool
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}
variable "release_channel" {
type = string
description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
default = "REGULAR"
}
variable "gateway_api_channel" {
type = string
description = "The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`."
default = null
}
variable "add_cluster_firewall_rules" {
type = bool
description = "Create additional firewall rules"
default = false
}
variable "add_master_webhook_firewall_rules" {
type = bool
description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
default = false
}
variable "firewall_priority" {
type = number
description = "Priority rule for firewall rules"
default = 1000
}
variable "firewall_inbound_ports" {
type = list(string)
description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
default = ["8443", "9443", "15017"]
}
variable "add_shadow_firewall_rules" {
type = bool
description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
default = false
}
variable "shadow_firewall_rules_priority" {
type = number
description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
default = 999
validation {
condition = var.shadow_firewall_rules_priority < 1000
error_message = "The shadow firewall rule priority must be lower than auto-created one(1000)."
}
}
variable "shadow_firewall_rules_log_config" {
type = object({
metadata = string
})
description = "The log_config for shadow firewall rules. You can set this variable to `null` to disable logging."
default = {
metadata = "INCLUDE_ALL_METADATA"
}
}
variable "enable_confidential_nodes" {
type = bool
description = "An optional flag to enable confidential node config."
default = false
}
variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}
variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}
variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}
variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
default = false
}
variable "notification_config_topic" {
type = string
description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
default = ""
}
variable "deletion_protection" {
type = bool
description = "Whether or not to allow Terraform to destroy the cluster."
default = true
}
variable "enable_tpu" {
type = bool
description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
default = false
}
variable "network_policy" {
type = bool
description = "Enable network policy addon"
default = false
}
variable "network_policy_provider" {
type = string
description = "The network policy provider."
default = "CALICO"
}
variable "initial_node_count" {
type = number
description = "The number of nodes to create in this cluster's default node pool."
default = 0
}
variable "remove_default_node_pool" {
type = bool
description = "Remove default node pool while setting up the cluster"
default = false
}
variable "filestore_csi_driver" {
type = bool
description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
default = false
}
variable "disable_legacy_metadata_endpoints" {
type = bool
description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
default = true
}
variable "default_max_pods_per_node" {
type = number
description = "The maximum number of pods to schedule per node"
default = 110
}
variable "database_encryption" {
description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
type = list(object({ state = string, key_name = string }))
default = [{
state = "DECRYPTED"
key_name = ""
}]
}
variable "enable_shielded_nodes" {
type = bool
description = "Enable Shielded Nodes features on all nodes in this cluster"
default = true
}
variable "enable_binary_authorization" {
type = bool
description = "Enable BinAuthZ Admission controller"
default = false
}
variable "node_metadata" {
description = "Specifies how node metadata is exposed to the workload running on the node"
default = "GKE_METADATA"
type = string
validation {
condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE."
}
}
variable "cluster_dns_provider" {
type = string
description = "Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS."
default = "PROVIDER_UNSPECIFIED"
}
variable "cluster_dns_scope" {
type = string
description = "The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE. "
default = "DNS_SCOPE_UNSPECIFIED"
}
variable "cluster_dns_domain" {
type = string
description = "The suffix used for all cluster service records."
default = ""
}
variable "gce_pd_csi_driver" {
type = bool
description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
default = true
}
variable "gke_backup_agent_config" {
type = bool
description = "Whether Backup for GKE agent is enabled for this cluster."
default = false
}
variable "gcs_fuse_csi_driver" {
type = bool
description = "Whether GCE FUSE CSI driver is enabled for this cluster."
default = false
}
variable "stateful_ha" {
type = bool
description = "Whether the Stateful HA Addon is enabled for this cluster."
default = false
}
variable "timeouts" {
type = map(string)
description = "Timeout for cluster operations."
default = {}
validation {
condition = !contains([for t in keys(var.timeouts) : contains(["create", "update", "delete"], t)], false)
error_message = "Only create, update, delete timeouts can be specified."
}
}
variable "monitoring_enable_managed_prometheus" {
type = bool
description = "Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled."
default = false
}
variable "monitoring_enable_observability_metrics" {
type = bool
description = "Whether or not the advanced datapath metrics are enabled."
default = false
}
variable "monitoring_observability_metrics_relay_mode" {
type = string
description = "Mode used to make advanced datapath metrics relay available."
default = null
validation {
condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode)
error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB."
}
}
variable "monitoring_enabled_components" {
type = list(string)
description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
default = []
}
variable "logging_enabled_components" {
type = list(string)
description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
default = []
}
variable "enable_kubernetes_alpha" {
type = bool
description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days."
default = false
}
variable "config_connector" {
type = bool
description = "Whether ConfigConnector is enabled for this cluster."
default = false
}
variable "enable_intranode_visibility" {
type = bool
description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
default = false
}
variable "enable_l4_ilb_subsetting" {
type = bool
description = "Enable L4 ILB Subsetting on the cluster"
default = false
}
variable "fleet_project" {
description = "(Optional) Register the cluster with the fleet in this project."
type = string
default = null
}