fix: use private endpoint

apeabody · apeabody · commit 877ea5572e35 · 2024-11-13T21:58:03.000Z
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
@@ -146,7 +146,7 @@ locals {
   cluster_output_zones          = local.cluster_output_regional_zones
 
 {% if private_cluster %}
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 {% else %}
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
@@ -24,11 +24,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf
@@ -34,4 +34,6 @@ module "bastion" {
   startup_script = templatefile("${path.module}/templates/startup-script.tftpl", {})
   members        = var.bastion_members
   shielded_vm    = "false"
+
+  service_account_roles = ["roles/container.viewer"]
 }
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
@@ -77,7 +77,7 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
@@ -123,7 +123,7 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -123,7 +123,7 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 7"
+      version = ">= 6.11.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
@@ -111,7 +111,7 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
@@ -111,7 +111,7 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = var.deploy_using_private_endpoint || var.enable_private_endpoint ? google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 
diff --git a/test/fixtures/safer_cluster_iap_bastion/example.tf b/test/fixtures/safer_cluster_iap_bastion/example.tf
@@ -15,7 +15,7 @@
  */
 
 locals {
-  test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} --ssh-flag=\"-T\" -q -- curl -sS https://${module.example.endpoint}/version -k"
+  test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} -q --command='curl -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"Content-Type: application/json\" -sS https://${module.example.endpoint}/version -k'"
 }
 
 module "example" {

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,11 @@ terraform {`
`24`	`24`	`required_providers {`
`25`	`25`	`google = {`
`26`	`26`	`source = "hashicorp/google"`
`27`		`- version = ">= 6.7.0, < 7"`
	`27`	`+ version = ">= 6.11.0, < 7"`
`28`	`28`	`}`
`29`	`29`	`google-beta = {`
`30`	`30`	`source = "hashicorp/google-beta"`
`31`		`- version = ">= 6.7.0, < 7"`
	`31`	`+ version = ">= 6.11.0, < 7"`
`32`	`32`	`}`
`33`	`33`	`kubernetes = {`
`34`	`34`	`source = "hashicorp/kubernetes"`
Original file line number	Diff line number	Diff line change
`@@ -34,4 +34,6 @@ module "bastion" {`
`34`	`34`	`startup_script = templatefile("${path.module}/templates/startup-script.tftpl", {})`
`35`	`35`	`members = var.bastion_members`
`36`	`36`	`shielded_vm = "false"`
	`37`	`+`
	`38`	`+ service_account_roles = ["roles/container.viewer"]`
`37`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,11 +21,11 @@ terraform {`
`21`	`21`	`required_providers {`
`22`	`22`	`google = {`
`23`	`23`	`source = "hashicorp/google"`
`24`		`- version = ">= 6.7.0, < 7"`
	`24`	`+ version = ">= 6.11.0, < 7"`
`25`	`25`	`}`
`26`	`26`	`google-beta = {`
`27`	`27`	`source = "hashicorp/google-beta"`
`28`		`- version = ">= 6.7.0, < 7"`
	`28`	`+ version = ">= 6.11.0, < 7"`
`29`	`29`	`}`
`30`	`30`	`kubernetes = {`
`31`	`31`	`source = "hashicorp/kubernetes"`