feat(TPG>=5.33)!: add secret manager add-on config to beta modules (#1977)

Author: legal90

autogen/main/cluster.tf.tmpl

@@ -221,6 +221,13 @@ resource "google_container_cluster" "primary" {
  {% if beta_cluster %}
  enable_intranode_visibility = var.enable_intranode_visibility
 
+ dynamic "secret_manager_config" {
+ for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
+ content {
+ enabled = secret_manager_config.value
+ }
+ }
+
  dynamic "pod_security_policy_config" {
  for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
  content {

autogen/main/main.tf.tmpl

@@ -169,6 +169,7 @@ locals {
  cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
  cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
  cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
+ cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
  # /BETA features
  {% endif %}
@@ -239,6 +240,7 @@ locals {
  cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
  cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
+ cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 
  # /BETA features
 {% endif %}

autogen/main/outputs.tf.tmpl

@@ -233,6 +233,11 @@ output "identity_service_enabled" {
  description = "Whether Identity Service is enabled"
  value = local.cluster_identity_service_enabled
 }
+
+output "secret_manager_addon_enabled" {
+ description = "Whether Secret Manager add-on is enabled"
+ value = local.cluster_secret_manager_addon_enabled
+}
 {% endif %}
 
 output "fleet_membership" {

autogen/main/variables.tf.tmpl

@@ -862,6 +862,12 @@ variable "enable_pod_security_policy" {
  default = false
 }
 
+variable "enable_secret_manager_addon" {
+ description = "(Beta) Enable the Secret Manager add-on for this cluster"
+ type = bool
+ default = false
+}
+
 variable "sandbox_enabled" {
  type = bool
  description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

autogen/main/versions.tf.tmpl

@@ -24,11 +24,11 @@ terraform {
  required_providers {
  google = {
  source = "hashicorp/google"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.33.0, < 6"
  }
  google-beta = {
  source = "hashicorp/google-beta"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.33.0, < 6"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"

modules/beta-autopilot-private-cluster/README.md

@@ -181,6 +181,7 @@ Then perform the following commands on the root folder:
 | pod\_security\_policy\_enabled | Whether pod security policy is enabled |
 | region | Cluster region |
 | release\_channel | The release channel of this cluster |
+| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |

modules/beta-autopilot-private-cluster/main.tf

@@ -92,10 +92,11 @@ locals {
  cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
 
  # BETA features
- cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
- cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
- cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
- cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
+ cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
+ cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
+ cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
+ cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
  # /BETA features
 
@@ -134,6 +135,7 @@ locals {
  cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
  cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
  cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
+ cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 
  # /BETA features
 

modules/beta-autopilot-private-cluster/outputs.tf

@@ -189,6 +189,11 @@ output "identity_service_enabled" {
  value = local.cluster_identity_service_enabled
 }
 
+output "secret_manager_addon_enabled" {
+ description = "Whether Secret Manager add-on is enabled"
+ value = local.cluster_secret_manager_addon_enabled
+}
+
 output "fleet_membership" {
  description = "Fleet membership (if registered)"
  value = local.fleet_membership

modules/beta-autopilot-private-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
  required_providers {
  google = {
  source = "hashicorp/google"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.33.0, < 6"
  }
  google-beta = {
  source = "hashicorp/google-beta"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.33.0, < 6"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"

modules/beta-autopilot-public-cluster/README.md

@@ -168,6 +168,7 @@ Then perform the following commands on the root folder:
 | pod\_security\_policy\_enabled | Whether pod security policy is enabled |
 | region | Cluster region |
 | release\_channel | The release channel of this cluster |
+| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |