feat: Require actively enabling network policy (terraform-google-modules#809)

BREAKING CHANGE: The `network_policy` variable now defaults to `false`.

Author: Jérémy Keusters

README.md

@@ -43,7 +43,7 @@ module "gke" {
  ip_range_services = "us-central1-01-gke-01-services"
  http_load_balancing = false
  horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 
  node_pools = [
  {
@@ -164,7 +164,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |

autogen/main/README.md

@@ -73,7 +73,7 @@ module "gke" {
  ip_range_services = "us-central1-01-gke-01-services"
  http_load_balancing = false
  horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
  {% if private_cluster %}
  enable_private_endpoint = true
  enable_private_nodes = true

autogen/main/variables.tf.tmpl

@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
  type = bool
  description = "Enable network policy addon"
- default = true
+ default = false
 }
 
 variable "network_policy_provider" {

docs/upgrading_to_v14.0.md

@@ -17,6 +17,20 @@ The `registry_project_id` variable has been replaced with a `registry_project_id
 }
 ```
 
+### network_policy disabled by default
+The `network_policy` variable is now `false` by default (instead of `true`).
+If you want to keep using the network policy addon for your cluster, make
+sure that the `network_policy` variable is set to `true`:
+```diff
+module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
++ network_policy = true
+}
+```
+
 ### ASM default version changed to 1.8
 
 [ASM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/asm) has been changed to use ASM v1.8 as default.

modules/beta-private-cluster-update-variant/README.md

@@ -68,7 +68,7 @@ module "gke" {
  ip_range_services = "us-central1-01-gke-01-services"
  http_load_balancing = false
  horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
  enable_private_endpoint = true
  enable_private_nodes = true
  master_ipv4_cidr_block = "10.0.0.0/28"
@@ -217,7 +217,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |

modules/beta-private-cluster-update-variant/variables.tf

@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
  type = bool
  description = "Enable network policy addon"
- default = true
+ default = false
 }
 
 variable "network_policy_provider" {

modules/beta-private-cluster/README.md

@@ -46,7 +46,7 @@ module "gke" {
  ip_range_services = "us-central1-01-gke-01-services"
  http_load_balancing = false
  horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
  enable_private_endpoint = true
  enable_private_nodes = true
  master_ipv4_cidr_block = "10.0.0.0/28"
@@ -195,7 +195,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |

modules/beta-private-cluster/variables.tf

@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
  type = bool
  description = "Enable network policy addon"
- default = true
+ default = false
 }
 
 variable "network_policy_provider" {

modules/beta-public-cluster-update-variant/README.md

@@ -65,7 +65,7 @@ module "gke" {
  ip_range_services = "us-central1-01-gke-01-services"
  http_load_balancing = false
  horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
  istio = true
  cloudrun = true
  dns_cache = false
@@ -206,7 +206,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |

modules/beta-public-cluster-update-variant/variables.tf

@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
  type = bool
  description = "Enable network policy addon"
- default = true
+ default = false
 }
 
 variable "network_policy_provider" {