Add autopilot support (#12)

* Add autopilot support

* Fix nodes location logic

* terraform-docs: automated action

* Add output

* Fix formatting

* Add variable to enable subnet private access

* terraform-docs: automated action

* terraform-docs: automated action

* Add subnet name to outputs

* terraform-docs: automated action

* Change node-pools var structure, update doc, fix autopilot support

* Remove commented code, remove unused variable, add description

* Fix examples, formatting

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: gkocur

README.md

@@ -8,12 +8,11 @@ module "gke" {
   k8s_network_base = "10.100.0.0/16"
   regional         = false
   zones            = ["europe-central2-a"]
-  node_pools = [
-    {
-      name         = "default-pool"
+  node_pools = {
+    default-pool = {
       disk_size_gb = 50
       max_count    = 3
       preemptible  = true
     }
-  ]
+  }
 }

examples/terraform/private-cluster-existing-project/main.tf

@@ -9,12 +9,22 @@ module "gke" {
   subnet_network   = "10.1.0.0/20"
   regional         = false
   zones            = ["europe-central2-a"]
-  node_pools = [
-    {
-      name         = "default-pool"
+  node_pools = {
+    default-pool = {
       disk_size_gb = 50
       max_count    = 3
-      preemptible  = true
+      labels = {
+        "node.pool/name" = "default"
+      }
+      oauth_scopes = ["https://www.googleapis.com/auth/compute"]
+      spot         = true
+      taint = [
+        {
+          key    = "test"
+          value  = "test"
+          effect = "NO_SCHEDULE"
+        }
+      ]
     }
-  ]
+  }
 }

examples/terraform/private-cluster-new-project/main.tf

@@ -9,12 +9,11 @@ module "gke" {
   regional             = false
   zones                = ["europe-central2-a"]
   enable_private_nodes = false
-  node_pools = [
-    {
-      name         = "default-pool"
+  node_pools = {
+    default-pool = {
       disk_size_gb = 50
       max_count    = 3
       preemptible  = true
     }
-  ]
+  }
 }

examples/terraform/public-cluster-existing-project/main.tf

@@ -10,12 +10,12 @@ module "gke" {
   regional             = false
   zones                = ["europe-central2-a"]
   enable_private_nodes = false
-  node_pools = [
-    {
+  node_pools = {
+    default-pool = {
       name         = "default-pool"
       disk_size_gb = 50
       max_count    = 3
       preemptible  = true
     }
-  ]
+  }
 }

examples/terraform/public-cluster-new-project/main.tf

@@ -1,16 +1,13 @@
 locals {
-  project_id             = var.create_project ? module.project.0.project_id : var.project_id
-  project_name           = var.project_name != "" ? var.project_name : var.platform_name
-  subnet_name            = "${var.platform_name}-subnet"
-  router                 = "${var.platform_name}-router"
-  cloud_nat_name         = "${var.platform_name}-cloud-nat"
-  pods_network_name      = "${local.subnet_name}-pods"
-  services_network_name  = "${local.subnet_name}-services"
-  pods_ip_range          = cidrsubnet(var.k8s_network_base, 4, 1)
-  services_ip_range      = cidrsubnet(var.k8s_network_base, 4, 2)
-  location               = var.regional ? var.region : var.zones.0
-  node_pool_names        = [for np in toset(var.node_pools) : np.name]
-  node_pools             = zipmap(local.node_pool_names, tolist(toset(var.node_pools)))
-  node_locations         = var.regional ? var.zones : slice(var.zones, 1, length(var.zones))
-  node_pool_oauth_scopes = { for key, value in var.additional_node_pool_oauth_scopes : key => distinct(concat(value, var.default_node_pools_oauth_scopes)) }
+  project_id            = var.create_project ? module.project.0.project_id : var.project_id
+  project_name          = var.project_name != "" ? var.project_name : var.platform_name
+  subnet_name           = "${var.platform_name}-subnet"
+  router                = "${var.platform_name}-router"
+  cloud_nat_name        = "${var.platform_name}-cloud-nat"
+  pods_network_name     = "${local.subnet_name}-pods"
+  services_network_name = "${local.subnet_name}-services"
+  pods_ip_range         = cidrsubnet(var.k8s_network_base, 4, 1)
+  services_ip_range     = cidrsubnet(var.k8s_network_base, 4, 2)
+  location              = var.regional ? var.region : var.zones.0
+  node_locations        = var.regional ? (length(var.zones) != 0 ? var.zones : null) : slice(var.zones, 1, length(var.zones))
 }

locals.tf

@@ -1,6 +1,6 @@
 module "project" {
   source            = "registry.terraform.io/terraform-google-modules/project-factory/google"
-  version           = "13.0.0"
+  version           = "14.2.1"
   billing_account   = var.billing_account
   name              = var.platform_name
   org_id            = var.org_id
@@ -10,8 +10,8 @@ module "project" {
 }
 
 module "project_services" {
-  source                      = "registry.terraform.io/terraform-google-modules/project-factory/google//modules/project_services"
-  version                     = "13.0.0"
+  source                      = "terraform-google-modules/project-factory/google//modules/project_services"
+  version                     = "14.2.1"
   project_id                  = var.project_id
   activate_apis               = var.activate_apis
   disable_services_on_destroy = var.disable_services_on_destroy
@@ -20,15 +20,16 @@ module "project_services" {
 
 module "network" {
   source                  = "registry.terraform.io/terraform-google-modules/network/google"
-  version                 = "5.0.0"
+  version                 = "7.1.0"
   network_name            = var.platform_name
   project_id              = local.project_id
   auto_create_subnetworks = false
   subnets = [
     {
-      subnet_name   = local.subnet_name
-      subnet_ip     = var.subnet_network
-      subnet_region = var.region
+      subnet_name           = local.subnet_name
+      subnet_ip             = var.subnet_network
+      subnet_region         = var.region
+      subnet_private_access = var.subnet_private_access
     }
   ]
   secondary_ranges = {
@@ -60,7 +61,7 @@ resource "google_compute_address" "cloud_nat_address" {
 
 module "cloud_nat" {
   source        = "registry.terraform.io/terraform-google-modules/cloud-nat/google"
-  version       = "2.2.0"
+  version       = "4.0.0"
   project_id    = local.project_id
   region        = var.region
   network       = module.network.network_name
@@ -81,7 +82,8 @@ resource "google_container_cluster" "gke" {
   node_locations           = local.node_locations
   network                  = module.network.network_self_link
   subnetwork               = local.subnet_name
-  remove_default_node_pool = true
+  remove_default_node_pool = var.enable_autopilot == null ? true : null
+  enable_autopilot         = var.enable_autopilot
   initial_node_count       = 1
   node_config {
     machine_type = var.default_pool_machine_type
@@ -95,11 +97,15 @@ resource "google_container_cluster" "gke" {
   depends_on = [
     module.network.subnets
   ]
+  ip_allocation_policy {
+    cluster_secondary_range_name  = local.pods_network_name
+    services_secondary_range_name = local.services_network_name
+  }
 }
 
 resource "google_container_node_pool" "pools" {
   provider       = google-beta
-  for_each       = local.node_pools
+  for_each       = var.node_pools
   location       = local.location
   project        = local.project_id
   cluster        = google_container_cluster.gke.name
@@ -129,8 +135,10 @@ resource "google_container_node_pool" "pools" {
     disk_type        = lookup(each.value, "disk_type", "pd-standard")
     preemptible      = lookup(each.value, "preemptible", false)
     spot             = lookup(each.value, "spot", false)
-    labels           = lookup(var.node_pools_labels, each.value["name"], {})
-    oauth_scopes     = lookup(local.node_pool_oauth_scopes, each.value["name"], [])
+    labels           = lookup(each.value, "labels", {})
+    oauth_scopes     = lookup(each.value, "oauth_scopes", var.default_node_pools_oauth_scopes)
+    service_account  = lookup(each.value, "service_account", null)
+    taint            = lookup(each.value, "taint", [])
 
     dynamic "guest_accelerator" {
       for_each = lookup(each.value, "guest_accelerator", null) != null ? [1] : []
@@ -159,4 +167,3 @@ resource "google_container_registry" "registry" {
   project  = local.project_id
   location = var.gcr_location
 }
-

main.tf

@@ -34,10 +34,19 @@ output "vpc_id" {
   value       = module.network.network_id
   description = "VPC (network) ID"
 }
+output "vpc_self_link" {
+  value       = module.network.network_self_link
+  description = "VPC (network) self link"
+}
 output "gke_zones" {
   value       = google_container_cluster.gke.node_locations
   description = "List of zones where the cluster lives"
 }
 output "nat_ip" {
-  value = google_compute_address.cloud_nat_address.*.address
+  value       = google_compute_address.cloud_nat_address.*.address
+  description = "The IP address allocated for NAT"
+}
+output "subnetwork_name" {
+  value       = module.network.subnets_names.0
+  description = "Name of the subnetwork"
 }

outputs.tf

@@ -22,7 +22,7 @@ variable "project_id" {
   default     = ""
   description = "Existing project id. Required if `create_project` set to `false`"
   validation {
-    condition     = can(regex("^[a-z]{1}[0-9a-z-]{5,29}$", var.project_id))
+    condition     = (var.project_id == "" || can(regex("^[a-z]{1}[0-9a-z-]{5,29}$", var.project_id)))
     error_message = "The project id must be 6 to 30 characters in length, can only contain lowercase letters, numbers, and hyphens"
   }
 }
@@ -31,7 +31,7 @@ variable "project_name" {
   default     = ""
   description = "The name of the created project. Defaults to `platform_name` if not set."
   validation {
-    condition     = length(var.project_name) < 25 && length(var.project_name) > 4
+    condition     = (var.project_name == "" || length(var.project_name) < 25 && length(var.project_name) > 4)
     error_message = "The project name should contain only 25 characters. Last 5 characters up to 30 total are generated"
   }
 }
@@ -70,24 +70,11 @@ variable "zones" {
   default     = []
   description = "List of zones for `zonal` cluster. Required if `regional` set to `false`."
 }
-variable "node_pools" {
-  type = list(any)
-  default = [
-    {
-      name = "default-node-pool"
-    },
-  ]
-  description = "List of node pools. For parameter details refer to node_pool variable table below"
-}
 
-variable "node_pools_labels" {
-  type = map(map(string))
-  default = {
-    "default-node-pool" = {
-      "node.pool/name" = "default-node-pool"
-    },
-  }
-  description = "List of node pools labels. https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/21.1.0/submodules/private-cluster-update-variant?tab=inputs#:~:text=default%2Dnode%2Dpool%22%20%7D%20%5D-,node_pools_labels,-map(map(string"
+variable "node_pools" {
+  type        = map(map(any))
+  default     = {}
+  description = "The object which describes the node pools. The structure is described in the README file."
 }
 
 variable "master_ipv4_cidr_block" {
@@ -144,22 +131,22 @@ variable "default_pool_machine_type" {
   description = "In some cases the GKE won't be created unless the default pool uses specific machine type (for example confidential nodes) so we have to set the type even if the default pool is removed."
 }
 
-variable "additional_node_pool_oauth_scopes" {
-  type = map(list(string))
-  default = {
-    default-node-pool = []
-  }
-  description = "Node pool oauth scopes added to specified node pool in addition to default_node_pool_oauth_scopes. It's referenced by node_pool `name`"
-}
-
 variable "default_node_pools_oauth_scopes" {
   type = list(string)
   default = [
-    "https://www.googleapis.com/auth/devstorage.read_only",
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/logging.write",
-    "https://www.googleapis.com/auth/monitoring",
-    "https://www.googleapis.com/auth/compute"
+    "https://www.googleapis.com/auth/cloud-platform"
   ]
   description = "Default node pool oauth scopes added to all node pools"
 }
+
+variable "enable_autopilot" {
+  type        = bool
+  default     = null
+  description = "Whether to enable Autopilot feature"
+}
+
+variable "subnet_private_access" {
+  type        = bool
+  default     = true
+  description = "Whether to enable google private IP access for the subnet"
+}