Merge branch 'master' into add_storage_viewer_role_to_sa

morgante · web-flow · commit 7f9559cc1b81 · 2019-08-21T20:47:43.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,10 +9,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 ## [Unreleased]
 ### Added
 
-* Added `grant_registry_access` variable to grant `roles/storage.objectViewer` to created SA [#236]
-
+* Added `grant_registry_access` variable to grant Container Registry access to created SA [#236]
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
+* Support for Google Groups based RBAC beta feature [#217]
 
 ## [v4.1.0] 2019-07-24
 
@@ -171,6 +171,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
+[#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
+[#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234
 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216
 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214
 [#210]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/210
diff --git a/autogen/cluster.tf b/autogen/cluster.tf
@@ -182,8 +182,19 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  workload_identity_config {
-    identity_namespace = var.identity_namespace
+  dynamic "workload_identity_config" {
+    for_each = local.cluster_workload_identity_config
+
+    content {
+      identity_namespace = workload_identity_config.value.identity_namespace
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
   }
 {% endif %}
 }
diff --git a/autogen/main.tf b/autogen/main.tf
@@ -71,6 +71,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 {% endif %}
 
   cluster_output_name           = google_container_cluster.primary.name
@@ -136,6 +140,9 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+  cluster_workload_identity_config         = var.identity_namespace == "" ? [] : [{
+    identity_namespace = var.identity_namespace
+  }]
   # /BETA features
 {% endif %}
 }
diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -384,9 +384,15 @@ variable "enable_intranode_visibility" {
 }
 
 variable "identity_namespace" {
-  type        = string
   description = "Workload Identity namespace"
+  type        = string
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
+
 {% endif %}
diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
@@ -19,13 +19,13 @@ locals {
 }
 
 provider "google" {
-  version     = "~> 2.9.0"
+  version     = "~> 2.12.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
 
 provider "google-beta" {
-  version     = "~> 2.9.0"
+  version     = "~> 2.12.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 2.9.0"
+  version     = "~> 2.12.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }
diff --git a/examples/simple_zonal/main.tf b/examples/simple_zonal/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf
@@ -15,7 +15,7 @@
  */
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf
@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 2.9.0"
+  version = "~> 2.12.0"
   region  = var.region
 }
 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -169,8 +169,19 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  workload_identity_config {
-    identity_namespace = var.identity_namespace
+  dynamic "workload_identity_config" {
+    for_each = local.cluster_workload_identity_config
+
+    content {
+      identity_namespace = workload_identity_config.value.identity_namespace
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
   }
 }
 
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -66,6 +66,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
@@ -123,6 +127,9 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+  cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
+    identity_namespace = var.identity_namespace
+  }]
   # /BETA features
 }
 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -381,8 +381,14 @@ variable "enable_vertical_pod_autoscaling" {
 }
 
 variable "identity_namespace" {
-  type        = string
   description = "Workload Identity namespace"
+  type        = string
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
+
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -164,8 +164,19 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  workload_identity_config {
-    identity_namespace = var.identity_namespace
+  dynamic "workload_identity_config" {
+    for_each = local.cluster_workload_identity_config
+
+    content {
+      identity_namespace = workload_identity_config.value.identity_namespace
+    }
+  }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
   }
 }
 
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -66,6 +66,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
@@ -123,6 +127,9 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
+  cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
+    identity_namespace = var.identity_namespace
+  }]
   # /BETA features
 }
 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -182,8 +182,19 @@ resource "google_container_cluster" "primary" {`
`182`	`182`	`}`
`183`	`183`	`}`
`184`	`184`
`185`		`- workload_identity_config {`
`186`		`- identity_namespace = var.identity_namespace`
	`185`	`+ dynamic "workload_identity_config" {`
	`186`	`+ for_each = local.cluster_workload_identity_config`
	`187`	`+`
	`188`	`+ content {`
	`189`	`+ identity_namespace = workload_identity_config.value.identity_namespace`
	`190`	`+ }`
	`191`	`+ }`
	`192`	`+`
	`193`	`+ dynamic "authenticator_groups_config" {`
	`194`	`+ for_each = local.cluster_authenticator_security_group`
	`195`	`+ content {`
	`196`	`+ security_group = authenticator_groups_config.value.security_group`
	`197`	`+ }`
`187`	`198`	`}`
`188`	`199`	`{% endif %}`
`189`	`200`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,12 +19,12 @@ locals {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`provider "google" {`
`22`		`- version = "~> 2.9.0"`
	`22`	`+ version = "~> 2.12.0"`
`23`	`23`	`region = var.region`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`provider "google-beta" {`
`27`		`- version = "~> 2.9.0"`
	`27`	`+ version = "~> 2.12.0"`
`28`	`28`	`region = var.region`
`29`	`29`	`}`
`30`	`30`
Original file line number	Diff line number	Diff line change
`@@ -19,13 +19,13 @@ locals {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`provider "google" {`
`22`		`- version = "~> 2.9.0"`
	`22`	`+ version = "~> 2.12.0"`
`23`	`23`	`credentials = file(var.credentials_path)`
`24`	`24`	`region = var.region`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`provider "google-beta" {`
`28`		`- version = "~> 2.9.0"`
	`28`	`+ version = "~> 2.12.0"`
`29`	`29`	`credentials = file(var.credentials_path)`
`30`	`30`	`region = var.region`
`31`	`31`	`}`