fix: Regex for network, subnetwork, CIDR block and Workload Pool in standard and autopilot cluster (#2479)

Author: Daisyprakash

modules/gke-autopilot-cluster/README.md

@@ -41,7 +41,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | logging\_config | The GKE components exposing logs. Supported values include: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. | <pre>object({<br>    enable_components = optional(list(string))<br>  })</pre> | `null` | no |
 | maintenance\_policy | The maintenance policy to use for the cluster. | <pre>object({<br>    daily_maintenance_window = optional(object({<br>      start_time = optional(string)<br>    }))<br>    recurring_window = optional(object({<br>      start_time = optional(string)<br>      end_time   = optional(string)<br>      recurrence = optional(string)<br>    }))<br>    maintenance_exclusion = optional(list(object({<br>      exclusion_name = optional(string)<br>      start_time     = optional(string)<br>      end_time       = optional(string)<br>      exclusion_options = optional(object({<br>        scope = optional(string)<br>      }))<br>    })))<br>  })</pre> | <pre>{<br>  "daily_maintenance_window": {<br>    "start_time": "05:00"<br>  }<br>}</pre> | no |
 | master\_auth | The authentication information for accessing the Kubernetes master. | <pre>object({<br>    client_certificate_config = optional(object({<br>      issue_client_certificate = optional(bool)<br>    }))<br>  })</pre> | `null` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br>    cidr_blocks = list(object({<br>      display_name = string<br>      cidr_block   = string<br>    }))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | n/a | yes |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) | <pre>object({<br>    cidr_blocks = list(object({<br>      display_name = string<br>      cidr_block   = string<br>    }))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | n/a | yes |
 | mesh\_certificates | Configuration for the provisioning of managed mesh certificates. | <pre>object({<br>    enable_certificates = optional(bool)<br>  })</pre> | `null` | no |
 | min\_master\_version | The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master\_version field to obtain a current version. If unset, the server's default version will be used. | `string` | `null` | no |
 | monitoring\_config | (Optional) The GKE components exposing metrics. Supported values include: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR, DCGM and JOBSET. | <pre>object({<br>    enable_components = optional(list(string))<br>  })</pre> | `null` | no |

modules/gke-autopilot-cluster/metadata.display.yaml

@@ -256,6 +256,16 @@ spec:
         master_authorized_networks_config:
           name: master_authorized_networks_config
           title: Master Authorized Networks Config
+          properties:
+            cidr_blocks:
+              name: cidr_blocks
+              title: Cidr Blocks
+              properties:
+                cidr_block:
+                  name: cidr_block
+                  title: Cidr Block
+                  regexValidation: ^((((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9]))|((((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))))$
+                  validation: Enter the valid CIDR notation.
         mesh_certificates:
           name: mesh_certificates
           title: Mesh Certificates
@@ -306,6 +316,11 @@ spec:
         network:
           name: network
           title: Network
+          regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$
+          validation: Network name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
+          altDefaults:
+            - type: ALTERNATE_TYPE_DC
+              value: default
         node_locations:
           name: node_locations
           title: Node Locations
@@ -456,6 +471,11 @@ spec:
         subnetwork:
           name: subnetwork
           title: Subnetwork
+          regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$
+          validation: Subnetwork name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
+          altDefaults:
+            - type: ALTERNATE_TYPE_DC
+              value: default
         timeouts:
           name: timeouts
           title: Timeouts
@@ -468,6 +488,12 @@ spec:
         workload_identity_config:
           name: workload_identity_config
           title: Workload Identity Config
+          properties:
+            workload_pool:
+              name: workload_pool
+              title: Workload Pool
+              regexValidation: ^[a-z]([-a-z0-9]{4,28}[a-z0-9])\.svc\.id\.goog$
+              validation: Workload pool must be in the format <project_id>.svc.id.goog. project_id must be between 6 and 30 characters can have lowercase letters, digits, or hyphens. It must start with a lowercase letter and end with a letter or number.
     runtime:
       outputs:
         cluster_id:

modules/gke-autopilot-cluster/metadata.yaml

@@ -274,7 +274,7 @@ spec:
               }))
             })
       - name: master_authorized_networks_config
-        description: The desired configuration options for master authorized networks.
+        description: The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
         varType: |-
           object({
               cidr_blocks = list(object({
@@ -571,9 +571,9 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/iam.serviceAccountUser
           - roles/compute.admin
           - roles/container.admin
+          - roles/iam.serviceAccountUser
     services:
       - compute.googleapis.com
       - container.googleapis.com

modules/gke-autopilot-cluster/variables.tf

@@ -201,7 +201,7 @@ variable "master_auth" {
 }
 
 variable "master_authorized_networks_config" {
-  description = "The desired configuration options for master authorized networks."
+  description = "The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)"
   type = object({
     cidr_blocks = list(object({
       display_name = string

modules/gke-node-pool/metadata.display.yaml

@@ -63,6 +63,8 @@ spec:
           name: name
           title: Name
           level: 1
+          regexValidation: ^[a-z]([a-z0-9-]{0,38}[a-z0-9])?$
+          validation: Node pool name must start with a lowercase letter followed by up to 39 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
         name_prefix:
           name: name_prefix
           title: Name Prefix

modules/gke-standard-cluster/README.md

@@ -48,7 +48,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | logging\_service | The logging service that the cluster should write logs to. Available options include `logging.googleapis.com`, `logging.googleapis.com/kubernetes`, and `none`. | `string` | `null` | no |
 | maintenance\_policy | The maintenance policy to use for the cluster. | <pre>object({<br>    daily_maintenance_window = optional(object({<br>      start_time = optional(string)<br>    }))<br>    recurring_window = optional(object({<br>      start_time = optional(string)<br>      end_time   = optional(string)<br>      recurrence = optional(string)<br>    }))<br>    maintenance_exclusion = optional(list(object({<br>      exclusion_name = optional(string)<br>      start_time     = optional(string)<br>      end_time       = optional(string)<br>      exclusion_options = optional(object({<br>        scope = optional(string)<br>      }))<br>    })))<br>  })</pre> | `null` | no |
 | master\_auth | The authentication information for accessing the Kubernetes master. | <pre>object({<br>    client_certificate_config = optional(object({<br>      issue_client_certificate = optional(bool)<br>    }))<br>  })</pre> | `null` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br>    cidr_blocks = list(object({<br>      display_name = string<br>      cidr_block   = string<br>    }))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | n/a | yes |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) | <pre>object({<br>    cidr_blocks = list(object({<br>      display_name = string<br>      cidr_block   = string<br>    }))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | n/a | yes |
 | mesh\_certificates | Configuration for the provisioning of managed mesh certificates. | <pre>object({<br>    enable_certificates = optional(bool)<br>  })</pre> | `null` | no |
 | min\_master\_version | The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master\_version field to obtain a current version. If unset, the server's default version will be used. | `string` | `null` | no |
 | monitoring\_config | Monitoring configuration for the cluster. | <pre>object({<br>    enable_components = optional(list(string))<br>  })</pre> | `null` | no |

modules/gke-standard-cluster/metadata.display.yaml

@@ -375,6 +375,16 @@ spec:
         master_authorized_networks_config:
           name: master_authorized_networks_config
           title: Master Authorized Networks Config
+          properties:
+            cidr_blocks:
+              name: cidr_blocks
+              title: Cidr Blocks
+              properties:
+                cidr_block:
+                  name: cidr_block
+                  title: Cidr Block
+                  regexValidation: ^((((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9]))|((((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))))$
+                  validation: Enter the valid CIDR notation.
         mesh_certificates:
           name: mesh_certificates
           title: Mesh Certificates
@@ -406,6 +416,11 @@ spec:
         network:
           name: network
           title: Network
+          regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$
+          validation: Network name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
+          altDefaults:
+            - type: ALTERNATE_TYPE_DC
+              value: default
         network_policy:
           name: network_policy
           title: Network Policy
@@ -977,6 +992,11 @@ spec:
         subnetwork:
           name: subnetwork
           title: Subnetwork
+          regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$
+          validation: Subnetwork name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
+          altDefaults:
+            - type: ALTERNATE_TYPE_DC
+              value: default
         timeouts:
           name: timeouts
           title: Timeouts
@@ -989,6 +1009,12 @@ spec:
         workload_identity_config:
           name: workload_identity_config
           title: Workload Identity Config
+          properties:
+            workload_pool:
+              name: workload_pool
+              title: Workload Pool
+              regexValidation: ^[a-z]([-a-z0-9]{4,28}[a-z0-9])\.svc\.id\.goog$
+              validation: Workload pool must be in the format <project_id>.svc.id.goog. project_id must be between 6 and 30 characters can have lowercase letters, digits, or hyphens. It must start with a lowercase letter and end with a letter or number.
     runtime:
       outputs:
         cluster_id:

modules/gke-standard-cluster/metadata.yaml

@@ -359,7 +359,7 @@ spec:
               }))
             })
       - name: master_authorized_networks_config
-        description: The desired configuration options for master authorized networks.
+        description: The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
         varType: |-
           object({
               cidr_blocks = list(object({
@@ -1013,9 +1013,9 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/iam.serviceAccountUser
           - roles/compute.admin
           - roles/container.admin
+          - roles/iam.serviceAccountUser
     services:
       - compute.googleapis.com
       - container.googleapis.com

modules/gke-standard-cluster/variables.tf

@@ -309,7 +309,7 @@ variable "master_auth" {
 }
 
 variable "master_authorized_networks_config" {
-  description = "The desired configuration options for master authorized networks."
+  description = "The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)"
   type = object({
     cidr_blocks = list(object({
       display_name = string