
Commit 490beed

Merge branch 'main' into safer-clusters-missing-variables
2 parents 2db4ae7 + 01f0a38 commit 490beed


164 files changed

+3199
-598
lines changed


CHANGELOG.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,69 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
66

77
Extending the adopted spec, each change should have a link to its corresponding pull request appended.
88

9+
## [41.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v41.0.0...v41.0.1) (2025-10-28)
10+
11+
12+
### Bug Fixes
13+
14+
* Regex for network, subnetwork, CIDR block and Workload Pool in standard and autopilot cluster ([#2479](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2479)) ([4f47d6a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/4f47d6a4b258300c64c1ae45191ec1b3b96d1ad2))
15+
16+
## [41.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v40.0.0...v41.0.0) (2025-10-16)
17+
18+
19+
### ⚠ BREAKING CHANGES
20+
21+
* **TPG>=7.0:** adding default_compute_class_enabled ([#2434](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2434))
22+
23+
### Features
24+
25+
* add support for anonymous_authentication_config ([#2436](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2436)) ([f27a2dd](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f27a2ddab530a5952a3e3466174bac20623a5f71))
26+
* add support for NAP/autopilot resource manager tags ([#2447](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2447)) ([3a1945f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3a1945f75479af7e694ec5f1a32f5a61265f2e44))
27+
* **TPG>=7.0:** adding default_compute_class_enabled ([#2434](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2434)) ([b61584c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b61584c78076e6bf4dabdf5c2964f2ffcc6a9c77))
28+
29+
30+
### Bug Fixes
31+
32+
* add required fields for GKE autopilot and standard cluster ([#2461](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2461)) ([a3da13d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a3da13d2dc773b574a1d7b71e406d0265a11d965))
33+
* syntax in main.tf for field cost_management_config ([#2466](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2466)) ([6a9b284](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6a9b28408b342cfc423320b02f10cc96b9dad51b))
34+
* updated description in nodepool field ([#2471](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2471)) ([f43ad46](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f43ad4686ac68f58024b72c04e7d716c1af1a971))
35+
36+
## [40.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v39.0.0...v40.0.0) (2025-09-23)
37+
38+
39+
### ⚠ BREAKING CHANGES
40+
41+
* properly implement additional_ip_ranges_config ([#2451](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2451))
42+
* **deps:** Update Terraform terraform-google-modules/gcloud/google to v4 ([#2446](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2446))
43+
44+
### Bug Fixes
45+
46+
* **deps:** Update Terraform terraform-google-modules/gcloud/google to v4 ([#2446](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2446)) ([d30964c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d30964c496f5b33acb81762edfc33d41653ebf61))
47+
* properly implement additional_ip_ranges_config ([#2451](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2451)) ([57c366a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/57c366a7de88a051a59e6a081b19e980cad899b9))
48+
49+
## [39.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.1.0...v39.0.0) (2025-09-15)
50+
51+
52+
### ⚠ BREAKING CHANGES
53+
54+
* **TPG >= 6.47:** add support for lustre csi driver ([#2433](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2433))
55+
* **TPG>=6.47:** add support for rbac_binding_config ([#2401](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2401))
56+
57+
### Features
58+
59+
* add enable_k8s_beta_apis support ([#2387](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2387)) ([090781d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/090781d4edc596cafe8a4241ea3d068e851ff0c6))
60+
* add support for additional_pod_ranges_config ([#2435](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2435)) ([8b6a803](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/8b6a803b7c56574a13797aff892357326e9df0ad))
61+
* **TPG >= 6.47:** add support for lustre csi driver ([#2433](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2433)) ([b56546d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b56546d24fb83a0d34952f9b5d0fd97893fd4f8b))
62+
* **TPG>=6.47:** add support for rbac_binding_config ([#2401](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2401)) ([2c8b78d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/2c8b78dd0acfa050fd7fdb020fce4ddc4b451c32))
63+
64+
65+
### Bug Fixes
66+
67+
* Add the nodepool cgroup mode to the NAP config ([#2356](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2356)) ([eeaf95d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/eeaf95d511a9cf500e45c1cd9c34d0e13482b0f3))
68+
* Avoid flapping network_tags when insecure_kubelet_readonly_port_enabled is non-null ([#2439](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2439)) ([0ffe3f9](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0ffe3f9929f28e4d4b449fc32e67a5c30e0e12c0))
69+
* Make GKE components ADC compatible ([#2440](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2440)) ([74d37d8](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/74d37d8b2d489150acc839991719e0fb70f2ecdb))
70+
* typo in taint dynamic block in main.tf for gke-node-pools module ([#2424](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2424)) ([0848345](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0848345a65b7f5192385d79410c4a98203045f70))
71+
972
## [38.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.0.1...v38.1.0) (2025-08-29)
1073

1174

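Review bot: The 41.0.0 block records "**TPG>=7.0:** adding default_compute_class_enabled" as a breaking change, yet the README requirement lines merged in this same commit stop at v6.47+; the two documents should agree on the provider floor before release. Minor style point on the new 41.0.1 entry: "Regex for network, subnetwork, CIDR block and Workload Pool in standard and autopilot cluster" is the only fix line without a verb, so it does not say whether the regex was loosened or tightened; suggest "Fix regex for network, subnetwork, CIDR block and Workload Pool in standard and autopilot clusters".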
README.md

Lines changed: 9 additions & 2 deletions
@@ -144,7 +144,9 @@ Then perform the following commands on the root folder:
144144
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
145145
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
146146
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
147+
| additional\_ip\_ranges\_config | the configuration for individual additional subnetworks attached to the cluster | `list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))` | `[]` | no |
147148
| additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
149+
| anonymous\_authentication\_config\_mode | Allows users to restrict or enable anonymous access to the cluster. Valid values are `ENABLED` and `LIMITED`. | `string` | `null` | no |
148150
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
149151
| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
150152
| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br> enabled = bool<br> autoscaling_profile = string<br> min_cpu_cores = optional(number)<br> max_cpu_cores = optional(number)<br> min_memory_gb = optional(number)<br> max_memory_gb = optional(number)<br> gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))<br> auto_repair = bool<br> auto_upgrade = bool<br> disk_size = optional(number)<br> disk_type = optional(string)<br> image_type = optional(string)<br> strategy = optional(string)<br> max_surge = optional(number)<br> max_unavailable = optional(number)<br> node_pool_soak_duration = optional(string)<br> batch_soak_duration = optional(string)<br> batch_percentage = optional(number)<br> batch_node_count = optional(number)<br> enable_secure_boot = optional(bool, false)<br> enable_integrity_monitoring = optional(bool, true)<br> })</pre> | <pre>{<br> "auto_repair": true,<br> "auto_upgrade": true,<br> "autoscaling_profile": "BALANCED",<br> "disk_size": 100,<br> "disk_type": "pd-standard",<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": false,<br> "enabled": false,<br> "gpu_resources": [],<br> "image_type": "COS_CONTAINERD",<br> "max_cpu_cores": 0,<br> "max_memory_gb": 0,<br> "min_cpu_cores": 0,<br> "min_memory_gb": 0<br>}</pre> | no |
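Review bot: The `anonymous_authentication_config_mode` row lists `ENABLED` and `LIMITED` as valid values but does not say which one restricts anonymous access to the API server or what the `null` default leaves in place; since this setting governs unauthenticated access, the description should spell out what each mode does and that `null` keeps the existing provider/API behaviour. Smaller style point: `additional_ip_ranges_config` starts lowercase ("the configuration for individual additional subnetworks...") while every other description in the table starts with a capital letter.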
@@ -158,6 +160,7 @@ Then perform the following commands on the root folder:
158160
| create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
159161
| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br> {<br> "key_name": "",<br> "state": "DECRYPTED"<br> }<br>]</pre> | no |
160162
| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
163+
| default\_compute\_class\_enabled | Enable Spot VMs as the default compute class for Node Auto-Provisioning | `bool` | `null` | no |
161164
| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
162165
| deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
163166
| description | The description of the cluster | `string` | `""` | no |
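Review bot: The `default_compute_class_enabled` description ("Enable Spot VMs as the default compute class for Node Auto-Provisioning") omits the provider requirement that the CHANGELOG in this same merge attaches to it (TPG>=7.0), and the README's own requirements section still says v6.47+; suggest appending "Requires TPG >= 7.0; `null` leaves the provider default" to the description so a reader of the table alone is not surprised at plan time.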
@@ -175,8 +178,10 @@ Then perform the following commands on the root folder:
175178
| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
176179
| enable\_identity\_service | (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. NOTE: Starting on July 1, 2025, new Google Cloud organizations that you create won't support Identity Service for GKE. | `bool` | `false` | no |
177180
| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
181+
| enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no |
178182
| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
179183
| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
184+
| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no |
180185
| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
181186
| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
182187
| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
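Review bot: The `enable_legacy_lustre_port` description has a grammar problem ("Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000") and uses "workaround" as a verb; suggest "Set to true if the GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for the Lustre kernel module) on port 6988, to work around a port conflict with the gke-metadata-server on GKE nodes." Because the flag changes which port the driver binds on every node, it would also help to state that it is only relevant when the Lustre CSI driver addon (`lustre_csi_driver`) is enabled and should stay `false` on newer versions. Separately, `enable_k8s_beta_apis` is a `list(string)`, so the `enable_` prefix shared with the neighbouring boolean variables is misleading; if the name cannot change, the description should make the list semantics obvious.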
@@ -214,6 +219,7 @@ Then perform the following commands on the root folder:
214219
| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
215220
| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
216221
| logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no |
222+
| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no |
217223
| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
218224
| maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
219225
| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
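Review bot: Grammar in the `lustre_csi_driver` description: "allows the usage of a Lustre instances as volumes" should read "allows Lustre instances to be used as volumes". A cross-reference to `enable_legacy_lustre_port`, which only matters when this addon is on, would also save readers a search.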
@@ -230,7 +236,7 @@ Then perform the following commands on the root folder:
230236
| network\_policy | Enable network policy addon | `bool` | `false` | no |
231237
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
232238
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
233-
| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
239+
| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
234240
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
235241
| node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br> {<br> "name": "default-node-pool"<br> }<br>]</pre> | no |
236242
| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
@@ -256,6 +262,7 @@ Then perform the following commands on the root folder:
256262
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
257263
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
258264
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
265+
| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
259266
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
260267
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
261268
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
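Review bot: `resource_manager_tags` documents a hard limit ("A maximum of 5 tags can be specified") and three accepted key/value formats, but as a plain `map(string)` nothing in the documented interface enforces either; a `validation` block on the variable (length at most 5, keys and values matching the three listed formats) would turn a late API rejection into a plan-time error. Drive-by on the unchanged `registry_project_ids` line just above: "artifactregsitry.reader" is a typo for "artifactregistry.reader".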
@@ -435,7 +442,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
435442
#### Terraform and Plugins
436443

437444
- [Terraform](https://www.terraform.io/downloads.html) 1.3+
438-
- [Terraform Provider for GCP][terraform-provider-google] v6.41+
445+
- [Terraform Provider for GCP][terraform-provider-google] v6.47+
439446

440447
#### gcloud
441448

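Review bot: The provider floor moves from v6.41+ to v6.47+, which matches the 39.0.0 "TPG >= 6.47" entries, but the CHANGELOG merged in this same commit records a 41.0.0 breaking change gated on "TPG>=7.0" (default_compute_class_enabled). If that field ships in this module, this line should read v7.0+; if the field is meant to stay optional on 6.x, its own table row should carry the provider gate instead. Either way the two documents currently disagree.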
autogen/main/README.md

Lines changed: 2 additions & 2 deletions
@@ -319,9 +319,9 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
319319

320320
- [Terraform](https://www.terraform.io/downloads.html) 1.3+
321321
{% if beta_cluster %}
322-
- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+
322+
- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+
323323
{% else %}
324-
- [Terraform Provider for GCP][terraform-provider-google] v6.41+
324+
- [Terraform Provider for GCP][terraform-provider-google] v6.47+
325325
{% endif %}
326326

327327
#### gcloud
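Review bot: Same version question as README.md: both the `{% if beta_cluster %}` and the `{% else %}` branches move to v6.47+, which keeps the template consistent with the generated README, but since this autogen file is what the root README is produced from, the TPG>=7.0 floor implied by the CHANGELOG's 41.0.0 breaking change needs to be settled here first or the next regeneration will re-emit the stale value.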
