feat: Add variable disable_default_snat (#625)

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.12.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

autogen/main/cluster.tf.tmpl

@@ -57,6 +57,11 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
 
+{% if beta_cluster %}
+  default_snat_status{
+    disabled = var.disable_default_snat
+  }
+{% endif %}
 {% if beta_cluster %}
   min_master_version = var.release_channel != null ? null : local.master_version
 {% else %}

autogen/main/variables.tf.tmpl

@@ -550,3 +550,11 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+
+{% if beta_cluster %}
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}
+{% endif %}

autogen/main/versions.tf.tmpl

@@ -19,7 +19,7 @@ terraform {
 
   required_providers {
 {% if beta_cluster %}
-    google-beta = ">= 3.29.0, <4.0.0"
+    google-beta = ">= 3.32.0, <4.0.0"
 {% else %}
     google = ">= 3.16, <4.0.0"
 {% endif %}

autogen/safer-cluster/main.tf.tmpl

@@ -49,6 +49,8 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
 
+  disable_default_snat = var.disable_default_snat
+
   add_cluster_firewall_rules = var.add_cluster_firewall_rules
   firewall_priority          = var.firewall_priority
   firewall_inbound_ports     = var.firewall_inbound_ports

autogen/safer-cluster/variables.tf.tmpl

@@ -363,3 +363,9 @@ variable "config_connector" {
   description = "(Beta) Whether ConfigConnector is enabled for this cluster."
   default     = false
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

build/int.cloudbuild.yaml

@@ -429,6 +429,6 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.0'
 options:
   machineType: 'N1_HIGHCPU_8'

build/lint.cloudbuild.yaml

@@ -22,4 +22,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.0'

examples/node_pool/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
   region  = var.region
 }
 

examples/node_pool_update_variant_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.29.0"
+  version     = "~> 3.32.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/regional_private_node_pool_oauth_scopes/provider.tf

@@ -19,5 +19,5 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
 }

examples/safer_cluster/main.tf

@@ -34,7 +34,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
 }
 
 module "gke" {

examples/safer_cluster_iap_bastion/provider.tf

@@ -15,9 +15,9 @@
  */
 
 provider "google" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
 }

examples/simple_regional_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
   region  = var.region
 }
 

examples/simple_regional_private_beta/main.tf

@@ -24,7 +24,7 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
   region  = var.region
 }
 

examples/simple_zonal_with_asm/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
   region  = var.region
 }
 

examples/workload_metadata_config/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.29.0"
+  version = "~> 3.32.0"
   region  = var.region
 }
 

modules/beta-private-cluster-update-variant/README.md

@@ -159,6 +159,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
   min_master_version = var.release_channel != null ? null : local.master_version
 
   logging_service    = var.logging_service

modules/beta-private-cluster-update-variant/variables.tf

@@ -540,3 +540,9 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

modules/beta-private-cluster-update-variant/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = ">=0.12.6, <0.14"
 
   required_providers {
-    google-beta = ">= 3.29.0, <4.0.0"
+    google-beta = ">= 3.32.0, <4.0.0"
   }
 }

modules/beta-private-cluster/README.md

@@ -137,6 +137,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |

modules/beta-private-cluster/cluster.tf

@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
   min_master_version = var.release_channel != null ? null : local.master_version
 
   logging_service    = var.logging_service

modules/beta-private-cluster/variables.tf

@@ -540,3 +540,9 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

modules/beta-private-cluster/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = ">=0.12.6, <0.14"
 
   required_providers {
-    google-beta = ">= 3.29.0, <4.0.0"
+    google-beta = ">= 3.32.0, <4.0.0"
   }
 }

modules/beta-public-cluster-update-variant/README.md

@@ -152,6 +152,7 @@ Then perform the following commands on the root folder:
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `<list>` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |

modules/beta-public-cluster-update-variant/cluster.tf

@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
   min_master_version = var.release_channel != null ? null : local.master_version
 
   logging_service    = var.logging_service

modules/beta-public-cluster-update-variant/variables.tf

@@ -509,3 +509,9 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

modules/beta-public-cluster-update-variant/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = ">=0.12.6, <0.14"
 
   required_providers {
-    google-beta = ">= 3.29.0, <4.0.0"
+    google-beta = ">= 3.32.0, <4.0.0"
   }
 }

modules/beta-public-cluster/README.md

@@ -130,6 +130,7 @@ Then perform the following commands on the root folder:
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `<list>` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |

modules/beta-public-cluster/cluster.tf

@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 
   subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
 
+  default_snat_status {
+    disabled = var.disable_default_snat
+  }
   min_master_version = var.release_channel != null ? null : local.master_version
 
   logging_service    = var.logging_service

modules/beta-public-cluster/variables.tf

@@ -509,3 +509,9 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

modules/beta-public-cluster/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = ">=0.12.6, <0.14"
 
   required_providers {
-    google-beta = ">= 3.29.0, <4.0.0"
+    google-beta = ">= 3.32.0, <4.0.0"
   }
 }

modules/private-cluster-update-variant/variables.tf

@@ -374,3 +374,4 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+

modules/private-cluster/variables.tf

@@ -374,3 +374,4 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+

modules/safer-cluster-update-variant/README.md

@@ -209,6 +209,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `<list>` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |

modules/safer-cluster-update-variant/main.tf

@@ -45,6 +45,8 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
 
+  disable_default_snat = var.disable_default_snat
+
   add_cluster_firewall_rules = var.add_cluster_firewall_rules
   firewall_priority          = var.firewall_priority
   firewall_inbound_ports     = var.firewall_inbound_ports

modules/safer-cluster-update-variant/variables.tf

@@ -363,3 +363,9 @@ variable "config_connector" {
   description = "(Beta) Whether ConfigConnector is enabled for this cluster."
   default     = false
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

modules/safer-cluster/README.md

@@ -209,6 +209,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `<list>` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |

modules/safer-cluster/main.tf

@@ -45,6 +45,8 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
 
+  disable_default_snat = var.disable_default_snat
+
   add_cluster_firewall_rules = var.add_cluster_firewall_rules
   firewall_priority          = var.firewall_priority
   firewall_inbound_ports     = var.firewall_inbound_ports

modules/safer-cluster/variables.tf

@@ -363,3 +363,9 @@ variable "config_connector" {
   description = "(Beta) Whether ConfigConnector is enabled for this cluster."
   default     = false
 }
+
+variable "disable_default_snat" {
+  type        = bool
+  description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+  default     = false
+}

test/setup/versions.tf

@@ -23,5 +23,5 @@ provider "google" {
 }
 
 provider "google-beta" {
-  version = "3.25.0"
+  version = "3.32.0"
 }

variables.tf

@@ -350,3 +350,4 @@ variable "gcloud_skip_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
   default     = true
 }
+