feat(TPG>=6.11)!: add endpoint_dns (#2180)

Author: apeabody

README.md

@@ -264,6 +264,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |

autogen/main/cluster.tf.tmpl

@@ -630,6 +630,15 @@ resource "google_container_cluster" "primary" {
       }
     }
   }
+
+  dynamic "control_plane_endpoints_config" {
+    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+    content {
+      dns_endpoint_config {
+        allow_external_traffic = var.deploy_using_private_endpoint
+      }
+    }
+  }
 {% endif %}
 
   {% if autopilot_cluster != true %}

autogen/main/outputs.tf.tmpl

@@ -76,6 +76,23 @@ output "endpoint" {
   ]
 }
 
+output "endpoint_dns" {
+  description = "Cluster endpoint DNS"
+  value       = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
+  depends_on = [
+    /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+    * However, the cluster may not be in a usable state yet.  Therefore any
+    * resources dependent on the cluster being up will fail to deploy.  With
+    * this explicit dependency, dependent resources can wait for the cluster
+    * to be up.
+    */
+    google_container_cluster.primary,
+    {% if autopilot_cluster != true %}
+    google_container_node_pool.pools,
+    {% endif %}
+  ]
+}
+
 output "min_master_version" {
   description = "Minimum master kubernetes version"
   value       = local.cluster_min_master_version

autogen/main/versions.tf.tmpl

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,33 +24,33 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
 {% elif beta_cluster and autopilot_cluster %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.8.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 6.8.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
 {% elif autopilot_cluster  %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.8.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
 {% else %}
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
 {% endif %}
     kubernetes = {

autogen/safer-cluster/outputs.tf.tmpl

@@ -52,6 +52,11 @@ output "endpoint" {
   value       = module.gke.endpoint
 }
 
+output "endpoint_dns" {
+  description = "Cluster endpoint DNS"
+  value       = module.gke.endpoint_dns
+}
+
 output "min_master_version" {
   description = "Minimum master kubernetes version"
   value       = module.gke.min_master_version

examples/safer_cluster_iap_bastion/README.md

@@ -60,6 +60,7 @@ To deploy this example:
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_name | Cluster name |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | get\_credentials\_command | gcloud get-credentials command to generate kubeconfig for the private cluster |
 | keyring | The name of the keyring. |
 | keyring\_resource | The location of the keyring. |

examples/safer_cluster_iap_bastion/bastion.tf

@@ -34,4 +34,6 @@ module "bastion" {
   startup_script = templatefile("${path.module}/templates/startup-script.tftpl", {})
   members        = var.bastion_members
   shielded_vm    = "false"
+
+  service_account_roles = ["roles/container.viewer"]
 }

examples/safer_cluster_iap_bastion/outputs.tf

@@ -35,6 +35,12 @@ output "endpoint" {
   value       = module.gke.endpoint
 }
 
+output "endpoint_dns" {
+  sensitive   = true
+  description = "Cluster endpoint DNS"
+  value       = module.gke.endpoint_dns
+}
+
 output "master_authorized_networks_config" {
   description = "Networks from which access to master is permitted"
   value       = module.gke.master_authorized_networks_config

examples/simple_regional_beta/main.tf

@@ -20,12 +20,6 @@ locals {
 
 data "google_client_config" "default" {}
 
-provider "kubernetes" {
-  host                   = "https://${module.gke.endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
-}
-
 module "gke" {
   source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
   version = "~> 34.0"

examples/simple_regional_beta/versions.tf

@@ -23,8 +23,5 @@ terraform {
     google-beta = {
       source = "hashicorp/google-beta"
     }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-    }
   }
 }