bukzor
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 11 additions & 5 deletions b/‎CONTRIBUTING.md‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎autogen/main/firewall.tf.tmpl‎
Lines changed: 5 additions & 5 deletions b/‎autogen/main/firewall.tf.tmpl‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎autogen/main/main.tf.tmpl‎
Lines changed: 13 additions & 14 deletions b/‎autogen/main/main.tf.tmpl‎
Lines changed: 13 additions & 14 deletions
diff --git a/‎firewall.tf‎
Lines changed: 5 additions & 5 deletions b/‎firewall.tf‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎main.tf‎
Lines changed: 11 additions & 12 deletions b/‎main.tf‎
Lines changed: 11 additions & 12 deletions
diff --git a/‎modules/beta-autopilot-private-cluster/firewall.tf‎
Lines changed: 5 additions & 5 deletions b/‎modules/beta-autopilot-private-cluster/firewall.tf‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎modules/beta-autopilot-private-cluster/main.tf‎
Lines changed: 11 additions & 12 deletions b/‎modules/beta-autopilot-private-cluster/main.tf‎
Lines changed: 11 additions & 12 deletions
@@ -19,12 +19,17 @@ must be refreshed if the module interfaces are changed.
 
 ## Templating
 
-To more cleanly handle cases where desired functionality would require complex duplication of Terraform resources (i.e. [PR 51](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/51)), this repository is largely generated from the [`autogen`](/autogen) directory.
+To more cleanly handle cases where desired functionality would require complex
+duplication of Terraform resources (e.g. [PR
+51](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/51)),
+this repository is largely generated from the [`autogen`](/autogen) directory.
 
-The root module is generated by running `make build`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate.
+The root module is generated by running `make build`. Changes to this
+repository should be made in the [`autogen`](/autogen) directory where
+appropriate.
 
-Note: The correct sequence to update the repo using autogen functionality is to run
-`make build`. This will create the various Terraform files, and then
+Note: The correct sequence to update the repo using autogen functionality is to
+run `make build`. This will create the various Terraform files, and then
 generate the Terraform documentation using `terraform-docs`.
 
 ### Autogeneration of documentation from .tf files
@@ -56,7 +61,8 @@ Six test-kitchen instances are defined:
 - `simple-zonal`
 - `stub-domains`
 
-The test-kitchen instances in `test/fixtures/` wrap identically-named examples in the `examples/` directory.`
+The test-kitchen instances in `test/fixtures/` wrap identically-named examples
+in the `examples/` directory.
 
 ### Test Environment
 The easiest way to test the module is in an isolated test project. The
 
@@ -34,11 +34,11 @@ resource "google_compute_firewall" "intra_egress" {
  direction = "EGRESS"
 
  target_tags = [local.cluster_network_tag]
- destination_ranges = [
+ destination_ranges = compact([
  local.cluster_endpoint_for_nodes,
  local.cluster_subnet_cidr,
- local.cluster_alias_ranges_cidr[var.ip_range_pods],
- ]
+ lookup(local.cluster_alias_ranges_cidr, var.ip_range_pods, null),
+ ])
 
  # Allow all possible protocols
  allow { protocol = "tcp" }
@@ -134,7 +134,7 @@ resource "google_compute_firewall" "master_webhooks" {
  traffic flow between the managed firewall rules
  *****************************************/
 resource "google_compute_firewall" "shadow_allow_pods" {
- count = var.add_shadow_firewall_rules ? 1 : 0
+ count = var.add_shadow_firewall_rules && can(local.cluster_alias_ranges_cidr[var.ip_range_pods]) ? 1 : 0
 
  name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
@@ -183,7 +183,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 }
 
 resource "google_compute_firewall" "shadow_allow_nodes" {
- count = var.add_shadow_firewall_rules ? 1 : 0
+ count = var.add_shadow_firewall_rules && local.cluster_subnet_cidr != null ? 1 : 0
 
  name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
  description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 
@@ -20,30 +20,34 @@
  Get available zones in region
  *****************************************/
 data "google_compute_zones" "available" {
+ count = var.zones == [] ? 1 : 0
  {% if beta_cluster %}
  provider = google-beta
  {% else %}
  provider = google
  {% endif %}
 
  project = var.project_id
- region = local.region
+ region = var.region
 }
 
 resource "random_shuffle" "available_zones" {
- input = data.google_compute_zones.available.names
+ count = var.zones == [] ? 1 : 0
+ input = one(data.google_compute_zones.available[*].names)
  result_count = 3
 }
 
 locals {
  // ID of the cluster
  cluster_id = google_container_cluster.primary.id
+ // Zone(s) of the cluster
+ zones = var.zones == [] ? sort(one(random_shuffle.available_zones[*].result)) : var.zones
 
  // location
  location = var.regional ? var.region : var.zones[0]
- region = var.regional ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2))
+ region = var.region != null ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2))
  // for regional cluster - use var.zones if provided, use available otherwise, for zonal cluster use var.zones with first element extracted
- node_locations = var.regional ? coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result)) : slice(var.zones, 1, length(var.zones))
+ node_locations = var.regional ? local.zones : slice(local.zones, 1, length(local.zones))
  // Kubernetes version
  master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
  master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
@@ -74,7 +78,6 @@ locals {
  custom_kube_dns_config = length(keys(var.stub_domains)) > 0
  upstream_nameservers_config = length(var.upstream_nameservers) > 0
  network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id
- zone_count = length(var.zones)
  cluster_type = var.regional ? "regional" : "zonal"
  // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
 {% if beta_cluster %}
@@ -85,7 +88,7 @@ locals {
 {% endif %}
 
  cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
- cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules && data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range != null ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 
 {% if autopilot_cluster != true %}
  cluster_network_policy = var.network_policy ? [{
@@ -129,7 +132,7 @@ locals {
 
  cluster_output_name = google_container_cluster.primary.name
  cluster_output_regional_zones = google_container_cluster.primary.node_locations
- cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : []
+ cluster_output_zonal_zones = local.zones
  cluster_output_zones = local.cluster_output_regional_zones
 
 {% if private_cluster %}
@@ -170,11 +173,11 @@ locals {
  [for np in google_container_node_pool.pools : np.name], [""],
  [for np in google_container_node_pool.windows_pools : np.name], [""]
  )
- 
+
  cluster_output_node_pools_versions = merge(
  { for np in google_container_node_pool.pools : np.name => np.version },
  { for np in google_container_node_pool.windows_pools : np.name => np.version },
- ) 
+ )
  {% endif %}
 
  cluster_master_auth_list_layer1 = local.cluster_output_master_auth
@@ -236,10 +239,6 @@ data "google_container_engine_versions" "region" {
 }
 
 data "google_container_engine_versions" "zone" {
- // Work around to prevent a lack of zone declaration from causing regional cluster creation from erroring out due to error
- //
- // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
- //
- location = local.zone_count == 0 ? data.google_compute_zones.available.names[0] : var.zones[0]
+ location = local.zones[0]
  project = var.project_id
 }
@@ -34,11 +34,11 @@ resource "google_compute_firewall" "intra_egress" {
  direction = "EGRESS"
 
  target_tags = [local.cluster_network_tag]
- destination_ranges = [
+ destination_ranges = compact([
  local.cluster_endpoint_for_nodes,
  local.cluster_subnet_cidr,
- local.cluster_alias_ranges_cidr[var.ip_range_pods],
- ]
+ lookup(local.cluster_alias_ranges_cidr, var.ip_range_pods, null),
+ ])
 
  # Allow all possible protocols
  allow { protocol = "tcp" }
@@ -90,7 +90,7 @@ resource "google_compute_firewall" "master_webhooks" {
  traffic flow between the managed firewall rules
  *****************************************/
 resource "google_compute_firewall" "shadow_allow_pods" {
- count = var.add_shadow_firewall_rules ? 1 : 0
+ count = var.add_shadow_firewall_rules && can(local.cluster_alias_ranges_cidr[var.ip_range_pods]) ? 1 : 0
 
  name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
@@ -139,7 +139,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 }
 
 resource "google_compute_firewall" "shadow_allow_nodes" {
- count = var.add_shadow_firewall_rules ? 1 : 0
+ count = var.add_shadow_firewall_rules && local.cluster_subnet_cidr != null ? 1 : 0
 
  name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
  description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 
@@ -20,26 +20,30 @@
  Get available zones in region
  *****************************************/
 data "google_compute_zones" "available" {
+ count = var.zones == [] ? 1 : 0
  provider = google
 
  project = var.project_id
- region = local.region
+ region = var.region
 }
 
 resource "random_shuffle" "available_zones" {
- input = data.google_compute_zones.available.names
+ count = var.zones == [] ? 1 : 0
+ input = one(data.google_compute_zones.available[*].names)
  result_count = 3
 }
 
 locals {
  // ID of the cluster
  cluster_id = google_container_cluster.primary.id
+ // Zone(s) of the cluster
+ zones = var.zones == [] ? sort(one(random_shuffle.available_zones[*].result)) : var.zones
 
  // location
  location = var.regional ? var.region : var.zones[0]
- region = var.regional ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2))
+ region = var.region != null ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2))
  // for regional cluster - use var.zones if provided, use available otherwise, for zonal cluster use var.zones with first element extracted
- node_locations = var.regional ? coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result)) : slice(var.zones, 1, length(var.zones))
+ node_locations = var.regional ? local.zones : slice(local.zones, 1, length(local.zones))
  // Kubernetes version
  master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
  master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
@@ -66,13 +70,12 @@ locals {
  custom_kube_dns_config = length(keys(var.stub_domains)) > 0
  upstream_nameservers_config = length(var.upstream_nameservers) > 0
  network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id
- zone_count = length(var.zones)
  cluster_type = var.regional ? "regional" : "zonal"
  // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
  default_auto_upgrade = var.regional ? true : false
 
  cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
- cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules && data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range != null ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 
  cluster_network_policy = var.network_policy ? [{
  enabled = true
@@ -95,7 +98,7 @@ locals {
 
  cluster_output_name = google_container_cluster.primary.name
  cluster_output_regional_zones = google_container_cluster.primary.node_locations
- cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : []
+ cluster_output_zonal_zones = local.zones
  cluster_output_zones = local.cluster_output_regional_zones
 
  cluster_endpoint = google_container_cluster.primary.endpoint
@@ -167,10 +170,6 @@ data "google_container_engine_versions" "region" {
 }
 
 data "google_container_engine_versions" "zone" {
- // Work around to prevent a lack of zone declaration from causing regional cluster creation from erroring out due to error
- //
- // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
- //
- location = local.zone_count == 0 ? data.google_compute_zones.available.names[0] : var.zones[0]
+ location = local.zones[0]
  project = var.project_id
 }
@@ -34,11 +34,11 @@ resource "google_compute_firewall" "intra_egress" {
  direction = "EGRESS"
 
  target_tags = [local.cluster_network_tag]
- destination_ranges = [
+ destination_ranges = compact([
  local.cluster_endpoint_for_nodes,
  local.cluster_subnet_cidr,
- local.cluster_alias_ranges_cidr[var.ip_range_pods],
- ]
+ lookup(local.cluster_alias_ranges_cidr, var.ip_range_pods, null),
+ ])
 
  # Allow all possible protocols
  allow { protocol = "tcp" }
@@ -117,7 +117,7 @@ resource "google_compute_firewall" "master_webhooks" {
  traffic flow between the managed firewall rules
  *****************************************/
 resource "google_compute_firewall" "shadow_allow_pods" {
- count = var.add_shadow_firewall_rules ? 1 : 0
+ count = var.add_shadow_firewall_rules && can(local.cluster_alias_ranges_cidr[var.ip_range_pods]) ? 1 : 0
 
  name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
  description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
@@ -166,7 +166,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 }
 
 resource "google_compute_firewall" "shadow_allow_nodes" {
- count = var.add_shadow_firewall_rules ? 1 : 0
+ count = var.add_shadow_firewall_rules && local.cluster_subnet_cidr != null ? 1 : 0
 
  name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
  description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 
@@ -20,26 +20,30 @@
  Get available zones in region
  *****************************************/
 data "google_compute_zones" "available" {
+ count = var.zones == [] ? 1 : 0
  provider = google-beta
 
  project = var.project_id
- region = local.region
+ region = var.region
 }
 
 resource "random_shuffle" "available_zones" {
- input = data.google_compute_zones.available.names
+ count = var.zones == [] ? 1 : 0
+ input = one(data.google_compute_zones.available[*].names)
  result_count = 3
 }
 
 locals {
  // ID of the cluster
  cluster_id = google_container_cluster.primary.id
+ // Zone(s) of the cluster
+ zones = var.zones == [] ? sort(one(random_shuffle.available_zones[*].result)) : var.zones
 
  // location
  location = var.regional ? var.region : var.zones[0]
- region = var.regional ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2))
+ region = var.region != null ? var.region : join("-", slice(split("-", var.zones[0]), 0, 2))
  // for regional cluster - use var.zones if provided, use available otherwise, for zonal cluster use var.zones with first element extracted
- node_locations = var.regional ? coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result)) : slice(var.zones, 1, length(var.zones))
+ node_locations = var.regional ? local.zones : slice(local.zones, 1, length(local.zones))
  // Kubernetes version
  master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
  master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
@@ -52,14 +56,13 @@ locals {
  custom_kube_dns_config = length(keys(var.stub_domains)) > 0
  upstream_nameservers_config = length(var.upstream_nameservers) > 0
  network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id
- zone_count = length(var.zones)
  cluster_type = var.regional ? "regional" : "zonal"
  // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
  // When a release channel is used, node auto-upgrade are enabled and cannot be disabled.
  default_auto_upgrade = var.regional || var.release_channel != null ? true : false
 
  cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
- cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
+ cluster_alias_ranges_cidr = var.add_cluster_firewall_rules && data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range != null ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
 
 
  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
@@ -69,7 +72,7 @@ locals {
 
  cluster_output_name = google_container_cluster.primary.name
  cluster_output_regional_zones = google_container_cluster.primary.node_locations
- cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : []
+ cluster_output_zonal_zones = local.zones
  cluster_output_zones = local.cluster_output_regional_zones
 
  cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint
@@ -145,10 +148,6 @@ data "google_container_engine_versions" "region" {
 }
 
 data "google_container_engine_versions" "zone" {
- // Work around to prevent a lack of zone declaration from causing regional cluster creation from erroring out due to error
- //
- // data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
- //
- location = local.zone_count == 0 ? data.google_compute_zones.available.names[0] : var.zones[0]
+ location = local.zones[0]
  project = var.project_id
 }