fix: Remove provider config from module to be TF 0.13 compatible (#777)

BREAKING CHANGE: Using in-cluster features now requires additional provider configuration. See the upgrade guide for details.

README.md

@@ -21,6 +21,16 @@ intended for Terraform 0.11.x is [3.0.0].
 There are multiple examples included in the [examples](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/examples) folder but simple usage is as follows:
 
 ```hcl
+# google_client_config and kubernetes provider must be explicitly specified like the following.
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                     = "terraform-google-modules/kubernetes-engine/google"
   project_id                 = "<PROJECT ID>"

auth.tf

@@ -22,13 +22,3 @@
 data "google_client_config" "default" {
   provider = google
 }
-
-/******************************************
-  Configure provider
- *****************************************/
-provider "kubernetes" {
-  load_config_file       = false
-  host                   = "https://${local.cluster_endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
-}

autogen/main/README.md

@@ -51,6 +51,16 @@ intended for Terraform 0.11.x is [3.0.0].
 There are multiple examples included in the [examples](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/examples) folder but simple usage is as follows:
 
 ```hcl
+# google_client_config and kubernetes provider must be explicitly specified like the following.
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                     = "terraform-google-modules/kubernetes-engine/google{{ module_path }}"
   project_id                 = "<PROJECT ID>"

autogen/main/auth.tf.tmpl

@@ -26,13 +26,3 @@ data "google_client_config" "default" {
   provider = google
   {% endif %}
 }
-
-/******************************************
-  Configure provider
- *****************************************/
-provider "kubernetes" {
-  load_config_file       = false
-  host                   = "https://${local.cluster_endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(local.cluster_ca_certificate)
-}

autogen/safer-cluster/outputs.tf.tmpl

@@ -45,15 +45,6 @@ output "endpoint" {
   sensitive   = true
   description = "Cluster endpoint"
   value       = module.gke.endpoint
-  depends_on = [
-    /* Nominally, the endpoint is populated as soon as it is known to Terraform.
-    * However, the cluster may not be in a usable state yet.  Therefore any
-    * resources dependent on the cluster being up will fail to deploy.  With
-    * this explicit dependency, dependent resources can wait for the cluster
-    * to be up.
-    */
-    module.gke
-  ]
 }
 
 output "min_master_version" {

docs/upgrading_to_v13.0.md

@@ -0,0 +1,30 @@
+# Upgrading to v13.0
+
+The v13.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### `kubernetes` provider removed from the module
+
+- `kubernetes` provider has been removed across all modules/submodules and need to be specified in the calling module.
+
+To leverage Terraform v0.13 features such as custom variable validation and using `count`, `for_each` or `depends_on` in modules,
+it is [required](https://www.terraform.io/docs/modules/providers.html#legacy-shared-modules-with-provider-configurations) that
+a module does not contain any nested provider configuration and receives all of its provider configurations from the calling
+module. This release adapts to this requirement.
+
+```diff
++  data "google_client_config" "default" {}
+
++  provider "kubernetes" {
++    load_config_file       = false
++    host                   = "https://${module.gke.endpoint}"
++    token                  = data.google_client_config.default.access_token
++    cluster_ca_certificate = base64decode(module.gke.ca_certificate)
++  }
+
+ module "gke" {
+   source                  = "terraform-google-modules/kubernetes-engine/google"
+-  version                 = "~> 12.0"
++  version                 = "~> 13.0"
+}
+```

examples/deploy_service/main.tf

@@ -23,16 +23,15 @@ provider "google" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
 provider "kubernetes" {
   load_config_file       = false
-  host                   = module.gke.endpoint
+  host                   = "https://${module.gke.endpoint}"
   token                  = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(module.gke.ca_certificate)
 }
 
-data "google_client_config" "default" {
-}
-
 module "gke" {
   source     = "../../"
   project_id = var.project_id

examples/disable_client_cert/main.tf

@@ -23,6 +23,15 @@ provider "google" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source = "../../"
 
@@ -38,6 +47,3 @@ module "gke" {
   service_account          = var.compute_engine_service_account
   issue_client_certificate = false
 }
-
-data "google_client_config" "default" {
-}

examples/node_pool/main.tf

@@ -23,6 +23,15 @@ provider "google-beta" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                            = "../../modules/beta-public-cluster/"
   project_id                        = var.project_id
@@ -113,6 +122,3 @@ module "gke" {
     ]
   }
 }
-
-data "google_client_config" "default" {
-}

examples/node_pool_update_variant/main.tf

@@ -29,6 +29,15 @@ data "google_compute_subnetwork" "subnetwork" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                  = "../../modules/private-cluster-update-variant"
   project_id              = var.project_id
@@ -110,6 +119,3 @@ module "gke" {
     pool-02 = []
   }
 }
-
-data "google_client_config" "default" {
-}

examples/node_pool_update_variant_beta/main.tf

@@ -30,6 +30,15 @@ data "google_compute_subnetwork" "subnetwork" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                  = "../../modules/beta-private-cluster-update-variant"
   project_id              = var.project_id
@@ -129,6 +138,3 @@ module "gke" {
     pool-02 = []
   }
 }
-
-data "google_client_config" "default" {
-}

examples/node_pool_update_variant_public_beta/main.tf

@@ -30,6 +30,15 @@ data "google_compute_subnetwork" "subnetwork" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                 = "../../modules/beta-public-cluster-update-variant"
   project_id             = var.project_id
@@ -125,6 +134,3 @@ module "gke" {
     pool-02 = []
   }
 }
-
-data "google_client_config" "default" {
-}

examples/private_zonal_with_networking/main.tf

@@ -14,6 +14,15 @@
  * limitations under the License.
  */
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gcp-network" {
   source       = "terraform-google-modules/network/google"
   version      = "~> 2.5"
@@ -74,6 +83,3 @@ module "gke" {
     },
   ]
 }
-
-data "google_client_config" "default" {
-}

examples/regional_private_node_pool_oauth_scopes/provider.tf

@@ -21,3 +21,12 @@ provider "google" {
 provider "google-beta" {
   version = "~> 3.42.0"
 }
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}

examples/safer_cluster/main.tf

@@ -37,6 +37,15 @@ provider "google-beta" {
   version = "~> 3.42.0"
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                         = "../../modules/safer-cluster/"
   project_id                     = var.project_id
@@ -65,9 +74,6 @@ module "gke" {
   notification_config_topic = google_pubsub_topic.updates.id
 }
 
-data "google_client_config" "default" {
-}
-
 resource "google_pubsub_topic" "updates" {
   name    = "cluster-updates-${random_string.suffix.result}"
   project = var.project_id

examples/safer_cluster_iap_bastion/provider.tf

@@ -21,3 +21,12 @@ provider "google" {
 provider "google-beta" {
   version = "~> 3.42.0"
 }
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}

examples/shared_vpc/main.tf

@@ -23,6 +23,15 @@ provider "google" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                     = "../../"
   project_id                 = var.project_id
@@ -38,6 +47,3 @@ module "gke" {
   add_cluster_firewall_rules = true
   firewall_inbound_ports     = ["9443", "15017"]
 }
-
-data "google_client_config" "default" {
-}

examples/simple_regional/main.tf

@@ -23,6 +23,15 @@ provider "google" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                      = "../../"
   project_id                  = var.project_id
@@ -38,6 +47,3 @@ module "gke" {
   enable_binary_authorization = var.enable_binary_authorization
   skip_provisioners           = var.skip_provisioners
 }
-
-data "google_client_config" "default" {
-}

examples/simple_regional_beta/main.tf

@@ -23,6 +23,15 @@ provider "google-beta" {
   region  = var.region
 }
 
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  load_config_file       = false
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
 module "gke" {
   source                      = "../../modules/beta-public-cluster/"
   project_id                  = var.project_id
@@ -52,6 +61,3 @@ module "gke" {
   identity_namespace = null
   node_metadata      = "UNSPECIFIED"
 }
-
-data "google_client_config" "default" {
-}