From a7d1196fbfcda45124e88ecf383f2b01339ad98b Mon Sep 17 00:00:00 2001 From: Astian Seb Date: Tue, 22 Nov 2022 09:41:59 +0100 Subject: [PATCH 1/3] Default nodepool creation fix --- modules/gke-cluster/main.tf | 7 ++++++- modules/gke-cluster/variables.tf | 7 +++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf index bc94dd376e..c3b17fb3c4 100644 --- a/modules/gke-cluster/main.tf +++ b/modules/gke-cluster/main.tf @@ -48,7 +48,12 @@ resource "google_container_cluster" "cluster" { enable_autopilot = var.enable_features.autopilot ? true : null # the default nodepool is deleted here, use the gke-nodepool module instead - # node_config {} + node_config { + shielded_instance_config { + enable_secure_boot = var.enable_features.shielded_nodes ? true : null + enable_integrity_monitoring = var.enable_features.shielded_nodes ? true : null + } + } addons_config { dynamic "dns_cache_config" { diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf index f9a3b69e3c..bb112159ac 100644 --- a/modules/gke-cluster/variables.tf +++ b/modules/gke-cluster/variables.tf @@ -96,6 +96,13 @@ variable "enable_features" { })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, false) + # node_config = optional(object({ + # shielded_instance_config = optional(object({ + # enable_integrity_monitoring = optional(bool) + # enable_secure_boot = optional(bool) + # })) + # })) + }) default = { workload_identity = true From c34cc4acc4561292ee4240d2fa285fd6e9767d8a Mon Sep 17 00:00:00 2001 From: Astian Seb Date: Tue, 22 Nov 2022 16:59:32 +0100 Subject: [PATCH 2/3] Removed comments and fixded formatting with fmt --- modules/gke-cluster/main.tf | 2 +- modules/gke-cluster/variables.tf | 7 ------- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf index c3b17fb3c4..9db6f465d0 100644 
--- a/modules/gke-cluster/main.tf +++ b/modules/gke-cluster/main.tf @@ -50,7 +50,7 @@ resource "google_container_cluster" "cluster" { # the default nodepool is deleted here, use the gke-nodepool module instead node_config { shielded_instance_config { - enable_secure_boot = var.enable_features.shielded_nodes ? true : null + enable_secure_boot = var.enable_features.shielded_nodes ? true : null enable_integrity_monitoring = var.enable_features.shielded_nodes ? true : null } } diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf index bb112159ac..f9a3b69e3c 100644 --- a/modules/gke-cluster/variables.tf +++ b/modules/gke-cluster/variables.tf @@ -96,13 +96,6 @@ variable "enable_features" { })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, false) - # node_config = optional(object({ - # shielded_instance_config = optional(object({ - # enable_integrity_monitoring = optional(bool) - # enable_secure_boot = optional(bool) - # })) - # })) - }) default = { workload_identity = true From 2956d3d342d82bb949e8ece444bc05fc9f25b25c Mon Sep 17 00:00:00 2001 From: Astian Seb Date: Tue, 22 Nov 2022 18:56:59 +0100 Subject: [PATCH 3/3] Refactored per PR comment --- modules/gke-cluster/main.tf | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf index 9db6f465d0..cb3602cf97 100644 --- a/modules/gke-cluster/main.tf +++ b/modules/gke-cluster/main.tf 
@@ -48,13 +48,19 @@ resource "google_container_cluster" "cluster" { enable_autopilot = var.enable_features.autopilot ? true : null # the default nodepool is deleted here, use the gke-nodepool module instead + # default nodepool configuration based on a shielded_nodes variable node_config { - shielded_instance_config { - enable_secure_boot = var.enable_features.shielded_nodes ? true : null - enable_integrity_monitoring = var.enable_features.shielded_nodes ? true : null + dynamic "shielded_instance_config" { + for_each = var.enable_features.shielded_nodes ? [""] : [] + content { + enable_secure_boot = true + enable_integrity_monitoring = true + } } } + + addons_config { dynamic "dns_cache_config" { for_each = !var.enable_features.autopilot ? [""] : []
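Review bot: With `shielded_nodes` false the new code still emits an empty `node_config {}` on the cluster resource, whereas before this series that block was deliberately left commented out (`# node_config {}` on the removed side of the first patch), so the non-shielded path no longer matches the pre-series configuration even though the `for_each` guard already exists for the inner block; the outer block can be made dynamic on the same flag so nothing is emitted unless shielded nodes are requested. The two bare `+` lines added before `addons_config` look like stray blank lines rather than part of the fix. Since these settings live on the default node pool, which the existing comment says is deleted, they presumably matter only while that pool exists and do not harden pools created by the gke-nodepool module — worth saying in the new comment, e.g. `# only applies to the (removed) default pool; real pools set shielded_instance_config in gke-nodepool`. Whether the resource also sets the cluster-level shielded-nodes option, which is what would enforce this for every pool, is not visible in this hunk.

```hcl
  # the default nodepool is deleted here, use the gke-nodepool module instead
  dynamic "node_config" {
    for_each = var.enable_features.shielded_nodes ? [""] : []
    content {
      shielded_instance_config {
        enable_secure_boot          = true
        enable_integrity_monitoring = true
      }
    }
  }
  # … unchanged: addons_config …
```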