feat: Add beta support for confidential_nodes (terraform-google-modules#1040)

* Add beta support for confidential_nodes * Cannot use a null value in for_each * Add example and test * Add example and test * Update test name * Review Comments * Review Comments * Review Comments Co-authored-by: Stenal P Jolly <stenalpjolly@google.com>

Author: stenalpjolly

autogen/main/README.md

@@ -179,6 +179,7 @@ The node_pools variable takes the following parameters:
 | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 {% endif %}
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |

autogen/main/cluster.tf.tmpl

@@ -52,6 +52,14 @@ resource "google_container_cluster" "primary" {
  channel = release_channel.value.channel
  }
  }
+{% if beta_cluster %}
+ dynamic "confidential_nodes" {
+ for_each = local.confidential_node_config
+ content {
+ enabled = confidential_nodes.value.enabled
+ }
+ }
+{% endif %}
 
  subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 

autogen/main/main.tf.tmpl

@@ -188,6 +188,7 @@ locals {
  cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
  cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+ confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
  # /BETA features
 {% endif %}

autogen/main/variables.tf.tmpl

@@ -614,6 +614,12 @@ variable "shadow_firewall_rules_priority" {
 }
 
 {% if beta_cluster %}
+variable "enable_confidential_nodes" {
+ type = bool
+ description = "An optional flag to enable confidential node config."
+ default = false
+}
+
 variable "disable_default_snat" {
  type = bool
  description = "Whether to disable the default SNAT to support the private use of public IP addresses"

examples/simple_regional_private_beta/main.tf

@@ -64,6 +64,8 @@ module "gke" {
  },
  ]
 
+ enable_confidential_nodes = true
+
  istio = var.istio
  cloudrun = var.cloudrun
  dns_cache = var.dns_cache

modules/beta-private-cluster-update-variant/README.md

@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -301,6 +302,7 @@ The node_pools variable takes the following parameters:
 | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -48,6 +48,12 @@ resource "google_container_cluster" "primary" {
  channel = release_channel.value.channel
  }
  }
+ dynamic "confidential_nodes" {
+ for_each = local.confidential_node_config
+ content {
+ enabled = confidential_nodes.value.enabled
+ }
+ }
 
  subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 

modules/beta-private-cluster-update-variant/main.tf

@@ -170,6 +170,7 @@ locals {
  cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
  cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+ confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
  # /BETA features
 

modules/beta-private-cluster-update-variant/variables.tf

@@ -593,6 +593,12 @@ variable "shadow_firewall_rules_priority" {
  default = 999
 }
 
+variable "enable_confidential_nodes" {
+ type = bool
+ description = "An optional flag to enable confidential node config."
+ default = false
+}
+
 variable "disable_default_snat" {
  type = bool
  description = "Whether to disable the default SNAT to support the private use of public IP addresses"

modules/beta-private-cluster/README.md

@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -279,6 +280,7 @@ The node_pools variable takes the following parameters:
 | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |