feat!: add service_external_ips option (terraform-google-modules#1441)

* add service_external_ips option * fixing formatting error Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

Author: jpetrucciani

README.md

@@ -194,6 +194,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |

autogen/main/cluster.tf.tmpl

@@ -208,6 +208,13 @@ resource "google_container_cluster" "primary" {
  }
  }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
  addons_config {
  http_load_balancing {
  disabled = !var.http_load_balancing

autogen/main/variables.tf.tmpl

@@ -96,6 +96,12 @@ variable "http_load_balancing" {
  default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
  type = string
  description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."

autogen/main/versions.tf.tmpl

@@ -38,7 +38,7 @@ terraform {
  required_providers {
  google = {
  source = "hashicorp/google"
- version = ">= 4.31.0, < 5.0"
+ version = ">= 4.35.0, < 5.0"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"

cluster.tf

@@ -109,6 +109,13 @@ resource "google_container_cluster" "primary" {
  }
  }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
  addons_config {
  http_load_balancing {
  disabled = !var.http_load_balancing

modules/beta-autopilot-private-cluster/README.md

@@ -124,6 +124,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |

modules/beta-autopilot-private-cluster/cluster.tf

@@ -94,6 +94,13 @@ resource "google_container_cluster" "primary" {
  }
  }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
  addons_config {
  http_load_balancing {
  disabled = !var.http_load_balancing

modules/beta-autopilot-private-cluster/variables.tf

@@ -96,6 +96,12 @@ variable "http_load_balancing" {
  default = true
 }
 
+variable "service_external_ips" {
+ type = bool
+ description = "Whether external ips specified by a service will be allowed in this cluster"
+ default = false
+}
+
 variable "datapath_provider" {
  type = string
  description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."

modules/beta-autopilot-public-cluster/README.md

@@ -113,6 +113,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
+| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |

modules/beta-autopilot-public-cluster/cluster.tf

@@ -94,6 +94,13 @@ resource "google_container_cluster" "primary" {
  }
  }
 
+ dynamic "service_external_ips_config" {
+ for_each = var.service_external_ips ? [1] : []
+ content {
+ enabled = var.service_external_ips
+ }
+ }
+
  addons_config {
  http_load_balancing {
  disabled = !var.http_load_balancing