feat: add vault_update_policy_type parameter (#125)

* add vault_update_policy_type parameter * generate_docs * generate docs using developpertools 0.12.0 Co-authored-by: Mark Vinkx <mark.vinkx@uzleuven.be>
terraform-google-modules · Feb 15, 2021 · d25ae6a · d25ae6a
1 parent 1be9da6
commit d25ae6a
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.12.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

diff --git a/README.md b/README.md
@@ -227,6 +227,7 @@ done
 | vault\_tls\_kms\_key\_project | Project ID where the KMS key is stored. By default, same as `project_id` | string | `""` | no |
 | vault\_tls\_require\_and\_verify\_client\_cert | Always use client certificates. You may want to disable this if users will not be authenticating to Vault with client certificates. | string | `"false"` | no |
 | vault\_ui\_enabled | Controls whether the Vault UI is enabled and accessible. | string | `"true"` | no |
+| vault\_update\_policy\_type | Options are OPPORTUNISTIC or PROACTIVE. If `PROACTIVE`, the instance group manager proactively executes actions in order to bring instances to their target versions | string | `"OPPORTUNISTIC"` | no |
 | vault\_version | Version of vault to install. This version must be 1.0+ and must be published on the HashiCorp releases service. | string | `"1.6.0"` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -76,6 +76,7 @@ module "cluster" {
   vault_min_num_servers                        = var.vault_min_num_servers
   vault_machine_type                           = var.vault_machine_type
   vault_max_num_servers                        = var.vault_max_num_servers
+  vault_update_policy_type                     = var.vault_update_policy_type
   vault_port                                   = var.vault_port
   vault_proxy_port                             = var.vault_proxy_port
   vault_tls_disable_client_certs               = var.vault_tls_disable_client_certs

diff --git a/modules/cluster/README.md b/modules/cluster/README.md
@@ -78,6 +78,7 @@ module "vault_cluster" {
 | vault\_tls\_kms\_key\_project | Project ID where the KMS key is stored. By default, same as `project_id` | string | `""` | no |
 | vault\_tls\_require\_and\_verify\_client\_cert | Always use client certificates. You may want to disable this if users will not be authenticating to Vault with client certificates. | string | `"false"` | no |
 | vault\_ui\_enabled | Controls whether the Vault UI is enabled and accessible. | string | `"true"` | no |
+| vault\_update\_policy\_type | Options are OPPORTUNISTIC or PROACTIVE. If `PROACTIVE`, the instance group manager proactively executes actions in order to bring instances to their target versions | string | `"OPPORTUNISTIC"` | no |
 | vault\_version | Version of vault to install. This version must be 1.0+ and must be published on the HashiCorp releases service. | string | `"1.6.0"` | no |
 | zones | The zones to distribute instances across.  If empty, all zones in the region are used.  ['us-west1-a', 'us-west1-b', 'us-west1-c'] | list(string) | `<list>` | no |
 

diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
@@ -201,7 +201,7 @@ resource "google_compute_region_instance_group_manager" "vault" {
   }
 
   update_policy {
-    type                  = "OPPORTUNISTIC"
+    type                  = var.vault_update_policy_type
     minimal_action        = "REPLACE"
     max_unavailable_fixed = length(local.zones)
     min_ready_sec         = var.min_ready_sec

diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
@@ -289,6 +289,12 @@ variable "user_startup_script" {
   description = "Additional user-provided code injected after Vault is setup"
 }
 
+variable "vault_update_policy_type" {
+  type        = string
+  default     = "OPPORTUNISTIC"
+  description = "Options are OPPORTUNISTIC or PROACTIVE. If `PROACTIVE`, the instance group manager proactively executes actions in order to bring instances to their target versions"
+}
+
 variable "min_ready_sec" {
   description = "Minimum number of seconds to wait before considering a new or restarted instance as updated. This value must be from range. [0,3600]"
   type        = number

diff --git a/variables.tf b/variables.tf
@@ -411,6 +411,13 @@ variable "vault_max_num_servers" {
   description = "Maximum number of Vault server nodes to run at one time. The group will not autoscale beyond this number."
 }
 
+
+variable "vault_update_policy_type" {
+  type        = string
+  default     = "OPPORTUNISTIC"
+  description = "Options are OPPORTUNISTIC or PROACTIVE. If `PROACTIVE`, the instance group manager proactively executes actions in order to bring instances to their target versions"
+}
+
 variable "vault_port" {
   type    = string
   default = "8200"