Merge branch 'main' into inference_gateway

Author: apeabody

CHANGELOG.md

@@ -6,6 +6,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [41.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v41.0.0...v41.0.1) (2025-10-28)
+
+
+### Bug Fixes
+
+* Regex for network, subnetwork, CIDR block and Workload Pool in standard and autopilot cluster ([#2479](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2479)) ([4f47d6a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/4f47d6a4b258300c64c1ae45191ec1b3b96d1ad2))
+
+## [41.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v40.0.0...v41.0.0) (2025-10-16)
+
+
+### ⚠ BREAKING CHANGES
+
+* **TPG>=7.0:** adding default_compute_class_enabled ([#2434](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2434))
+
+### Features
+
+* add support for anonymous_authentication_config ([#2436](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2436)) ([f27a2dd](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f27a2ddab530a5952a3e3466174bac20623a5f71))
+* add support for NAP/autopilot resource manager tags ([#2447](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2447)) ([3a1945f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3a1945f75479af7e694ec5f1a32f5a61265f2e44))
+* **TPG>=7.0:** adding default_compute_class_enabled ([#2434](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2434)) ([b61584c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b61584c78076e6bf4dabdf5c2964f2ffcc6a9c77))
+
+
+### Bug Fixes
+
+* add required fields for GKE autopilot and standard cluster ([#2461](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2461)) ([a3da13d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a3da13d2dc773b574a1d7b71e406d0265a11d965))
+* syntax in main.tf for field cost_management_config ([#2466](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2466)) ([6a9b284](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6a9b28408b342cfc423320b02f10cc96b9dad51b))
+* updated description in nodepool field ([#2471](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2471)) ([f43ad46](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f43ad4686ac68f58024b72c04e7d716c1af1a971))
+
+## [40.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v39.0.0...v40.0.0) (2025-09-23)
+
+
+### ⚠ BREAKING CHANGES
+
+* properly implement additional_ip_ranges_config ([#2451](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2451))
+* **deps:** Update Terraform terraform-google-modules/gcloud/google to v4 ([#2446](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2446))
+
+### Bug Fixes
+
+* **deps:** Update Terraform terraform-google-modules/gcloud/google to v4 ([#2446](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2446)) ([d30964c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d30964c496f5b33acb81762edfc33d41653ebf61))
+* properly implement additional_ip_ranges_config ([#2451](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2451)) ([57c366a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/57c366a7de88a051a59e6a081b19e980cad899b9))
+
 ## [39.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.1.0...v39.0.0) (2025-09-15)
 
 

README.md

@@ -144,8 +144,9 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
-| additional\_pod\_ranges\_config | the configuration for individual additional subnetworks attached to the cluster | `list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))` | `[]` | no |
+| additional\_ip\_ranges\_config | the configuration for individual additional subnetworks attached to the cluster | `list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))` | `[]` | no |
 | additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
+| anonymous\_authentication\_config\_mode | Allows users to restrict or enable anonymous access to the cluster. Valid values are `ENABLED` and `LIMITED`. | `string` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = optional(number)<br>    max_cpu_cores               = optional(number)<br>    min_memory_gb               = optional(number)<br>    max_memory_gb               = optional(number)<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
@@ -159,6 +160,7 @@ Then perform the following commands on the root folder:
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br>  {<br>    "key_name": "",<br>    "state": "DECRYPTED"<br>  }<br>]</pre> | no |
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
+| default\_compute\_class\_enabled | Enable Spot VMs as the default compute class for Node Auto-Provisioning | `bool` | `null` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
 | description | The description of the cluster | `string` | `""` | no |
@@ -234,7 +236,7 @@ Then perform the following commands on the root folder:
 | network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
@@ -260,6 +262,7 @@ Then perform the following commands on the root folder:
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
 | security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |

autogen/main/cluster.tf.tmpl

@@ -156,6 +156,7 @@ resource "google_container_cluster" "primary" {
 
   cluster_autoscaling {
     enabled = var.cluster_autoscaling.enabled
+    default_compute_class_enabled = var.default_compute_class_enabled
     dynamic "auto_provisioning_defaults" {
       for_each = var.cluster_autoscaling.enabled ? [1] : []
 
@@ -217,6 +218,7 @@ resource "google_container_cluster" "primary" {
 {% endif %}
   {% if autopilot_cluster == true %}
   cluster_autoscaling {
+    default_compute_class_enabled = var.default_compute_class_enabled
     dynamic "auto_provisioning_defaults" {
       for_each = (var.create_service_account || var.service_account != "" || var.boot_disk_kms_key != null) ? [1] : []
 
@@ -274,6 +276,13 @@ resource "google_container_cluster" "primary" {
 
   in_transit_encryption_config = var.in_transit_encryption_config
 
+  dynamic "anonymous_authentication_config" {
+    for_each = var.anonymous_authentication_config_mode != null ? [1] : []
+    content {
+      mode = var.anonymous_authentication_config_mode
+    }
+  }
+
   dynamic "network_performance_config" {
     for_each = var.total_egress_bandwidth_tier != null ? [1] : []
     content {
@@ -329,7 +338,7 @@ resource "google_container_cluster" "primary" {
   }
 {% if autopilot_cluster %}
   dynamic "node_pool_auto_config" {
-    for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
+    for_each = length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
     content {
       dynamic "network_tags" {
         for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
@@ -338,6 +347,8 @@ resource "google_container_cluster" "primary" {
         }
       }
 
+      resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
       dynamic "node_kubelet_config" {
         for_each = var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
         content {
@@ -356,7 +367,7 @@ resource "google_container_cluster" "primary" {
 
 {% if autopilot_cluster != true %}
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
       dynamic "network_tags" {
         for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -365,6 +376,8 @@ resource "google_container_cluster" "primary" {
         }
       }
 
+      resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
       dynamic "linux_node_config" {
         for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
         content {
@@ -541,11 +554,11 @@ resource "google_container_cluster" "primary" {
         pod_range_names = var.additional_ip_range_pods
       }
     }
-    dynamic "additional_pod_ranges_config" {
-      for_each = var.additional_pod_ranges_config
+    dynamic "additional_ip_ranges_config" {
+      for_each = var.additional_ip_ranges_config
       content {
-        subnetwork           = var.additional_pod_ranges_config.subnetwork
-        pod_ipv4_range_names = var.additional_pod_ranges_config.pod_ipv4_range_names
+        subnetwork           = var.additional_ip_ranges_config.subnetwork
+        pod_ipv4_range_names = var.additional_ip_ranges_config.pod_ipv4_range_names
       }
     }
     stack_type                    = var.stack_type

autogen/main/variables.tf.tmpl

@@ -174,7 +174,7 @@ variable "additional_ip_range_pods" {
   default     = []
 }
 
-variable "additional_pod_ranges_config" {
+variable "additional_ip_ranges_config" {
   type        = list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))
   description = "the configuration for individual additional subnetworks attached to the cluster"
   default = []
@@ -400,11 +400,17 @@ variable "node_pools_oauth_scopes" {
 {% endif %}
 
 variable "network_tags" {
-  description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+  description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
   type = list(string)
   default = []
 }
 
+variable "resource_manager_tags" {
+  description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+  type = map(string)
+  default = {}
+}
+
 variable "enable_k8s_beta_apis" {
   description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
   type        = list(string)
@@ -722,6 +728,12 @@ variable "in_transit_encryption_config" {
   default     = null
 }
 
+variable "anonymous_authentication_config_mode" {
+  description = "Allows users to restrict or enable anonymous access to the cluster. Valid values are `ENABLED` and `LIMITED`."
+  type        = string
+  default     = null
+}
+
 variable "total_egress_bandwidth_tier" {
   type        = string
   description = "Specifies the total network bandwidth tier for NodePools in the cluster. Valid values are `TIER_UNSPECIFIED` and `TIER_1`. Defaults to `TIER_UNSPECIFIED`."
@@ -852,6 +864,13 @@ variable "enable_shielded_nodes" {
 }
 
 {% endif %}
+
+variable "default_compute_class_enabled" {
+  type        = bool
+  description = "Enable Spot VMs as the default compute class for Node Auto-Provisioning"
+  default     = null
+}
+
 variable "enable_binary_authorization" {
   type        = bool
   description = "Enable BinAuthZ Admission controller"

autogen/main/versions.tf.tmpl

@@ -24,33 +24,33 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.47.0, < 8"
+      version = ">= 7.0.0, < 8"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.47.0, < 8"
+      version = ">= 7.0.0, < 8"
     }
 {% elif beta_cluster and autopilot_cluster %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.47.0, < 8"
+      version = ">= 7.0.0, < 8"
     }
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 6.47.0, < 8"
+      version = ">= 7.0.0, < 8"
     }
 {% elif autopilot_cluster  %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.47.0, < 8"
+      version = ">= 7.0.0, < 8"
     }
 {% else %}
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.47.0, < 8"
+      version = ">= 7.0.0, < 8"
     }
 {% endif %}
     kubernetes = {
@@ -63,6 +63,6 @@ terraform {
     }
   }
   provider_meta "{% if beta_cluster %}google-beta{% else %}google{% endif %}" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v39.0.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v41.0.1"
   }
 }

autogen/safer-cluster/versions.tf.tmpl

@@ -23,6 +23,6 @@ terraform {
   required_version = ">=1.3"
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v39.0.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v41.0.1"
   }
 }