Merge branch 'main' into feature/enable_k8s_beta_apis

Author: apeabody

.github/conventional-commit-lint.yaml

@@ -20,8 +20,11 @@ name: 'lint'
 on:
   workflow_dispatch:
   pull_request:
-    branches:
-      - main
+    types: [opened, edited, reopened, synchronize]
+    branches: [main]
+
+permissions:
+  contents: read
 
 concurrency:
   group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
@@ -52,3 +55,21 @@ jobs:
         env:
           ENABLE_BPMETADATA: 1
 
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+      - name: Install commitlint
+        run: |
+          npm install -D @commitlint/[email protected] @commitlint/[email protected]
+          echo "module.exports = { extends: ['@commitlint/config-conventional'], rules: {'subject-case': [0]} };" > commitlint.config.js
+          npx commitlint --version
+      - name: Validate PR commits with commitlint
+        if: github.event_name == 'pull_request'
+        run: 'echo "${{ github.event.pull_request.title }}" | npx commitlint --verbose'

.github/workflows/lint.yaml

@@ -6,6 +6,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [38.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.0.1...v38.1.0) (2025-08-29)
+
+
+### Features
+
+* **deps:** Update Terraform Google Provider to v7 (major) ([#2425](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2425)) ([6967a8f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6967a8f2658073959a866b4b638c4e950802eb04))
+
+
+### Bug Fixes
+
+* note org support of Identity Service for GKE ([#2422](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2422)) ([893ba59](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/893ba597d38bef0bc6a47a5d2a37c802f7ce749d))
+
+## [38.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.0.0...v38.0.1) (2025-08-22)
+
+
+### Bug Fixes
+
+* **metadata:** update ADC roles and services per module ([#2414](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2414)) ([2a78f09](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/2a78f0967ca2442cd69934d6aa1149b09088d94b))
+
+## [38.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v37.1.0...v38.0.0) (2025-08-13)
+
+
+### ⚠ BREAKING CHANGES
+
+* add data cache count ([#2404](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2404))
+* **TPG>=6.42:** add support for gke_auto_upgrade_config ([#2395](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2395))
+* add support for flex start ([#2386](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2386))
+* **TPG>=6.41:** add support performance_monitoring_unit ([#2391](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2391))
+* **TPG>=6.39:** Fleet app operator permissions custom roles ([#2377](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2377))
+
+### Features
+
+* add data cache count ([#2404](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2404)) ([85c0487](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/85c0487a8e96d9f77bab5108329c6d7582b392d3))
+* add support for cluster level total_egress_bandwidth_tier ([#2394](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2394)) ([1b69e34](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/1b69e34f83511f4e63d342439102acda59128c8f))
+* add support for flex start ([#2386](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2386)) ([c0c80e6](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c0c80e6c5b97e235d76285ab49d2c5808f2d42af))
+* Simple GKE modules for ADC ([#2397](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2397)) ([1859b17](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/1859b172249ec604b0e6edc8bce3cb003f9f6603))
+* **TPG>=6.39:** Fleet app operator permissions custom roles ([#2377](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2377)) ([c008237](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c008237839c4a29779f893f51baabdc92846b07a))
+* **TPG>=6.41:** add support performance_monitoring_unit ([#2391](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2391)) ([e5ade9c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e5ade9c674e5cc32022f51062ec5952eb3c2f5cb))
+* **TPG>=6.42:** add support for gke_auto_upgrade_config ([#2395](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2395)) ([19a0929](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/19a09296015c512794f13f4f6b821a4e67459870))
+
+
+### Bug Fixes
+
+* wrap cgroup_mode coalesce with try() to handle empty values ([#2396](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2396)) ([6148cb7](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6148cb7c9f15dbcffbb895bae44a9c0cad6ad660))
+
 ## [37.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v37.0.0...v37.1.0) (2025-07-17)
 
 

CHANGELOG.md

@@ -82,7 +82,7 @@ docker_generate_docs:
 		-e ENABLE_BPMETADATA=1 \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs -d --per-module-requirements'
 
 # Generate files from autogen
 .PHONY: docker_generate_modules

Makefile

@@ -173,7 +173,7 @@ Then perform the following commands on the root folder:
 | enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
-| enable\_identity\_service | (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
+| enable\_identity\_service | (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. NOTE: Starting on July 1, 2025, new Google Cloud organizations that you create won't support Identity Service for GKE. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
@@ -195,6 +195,7 @@ Then perform the following commands on the root folder:
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcp\_public\_cidrs\_access\_enabled | Allow access through Google Cloud public IP addresses | `bool` | `null` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
+| gke\_auto\_upgrade\_config\_patch\_mode | The selected auto-upgrade patch type. Accepted values are: `ACCELERATED`: Upgrades to the latest available patch version in a given minor and release channel. | `string` | `null` | no |
 | gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -250,6 +251,7 @@ Then perform the following commands on the root folder:
 | parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br>    enabled            = bool<br>    logging_enabled    = optional(bool, false)<br>    monitoring_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "logging_enabled": false,<br>  "monitoring_enabled": false<br>}</pre> | no |
+| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br>    enable_insecure_binding_system_unauthenticated = optional(bool, null)<br>    enable_insecure_binding_system_authenticated   = optional(bool, null)<br>  })</pre> | <pre>{<br>  "enable_insecure_binding_system_authenticated": null,<br>  "enable_insecure_binding_system_unauthenticated": null<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
@@ -268,6 +270,7 @@ Then perform the following commands on the root folder:
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
+| total\_egress\_bandwidth\_tier | Specifies the total network bandwidth tier for NodePools in the cluster. Valid values are `TIER_UNSPECIFIED` and `TIER_1`. Defaults to `TIER_UNSPECIFIED`. | `string` | `null` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
@@ -352,9 +355,10 @@ The node_pools variable takes the following parameters:
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
 | insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
-| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT.  | DEFAULT | Optional |
-| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume.  | 0 | Optional |
+| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
+| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
 | local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional |
+| ephemeral_storage_local_ssd_data_cache_count | Number of raw-block local NVMe SSD disks to be attached to the node utilized for GKE Data Cache. | 0 | Optional |
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |

README.md

@@ -228,9 +228,10 @@ The node_pools variable takes the following parameters:
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
 | insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
-| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT.  | DEFAULT | Optional |
-| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume.  | 0 | Optional |
+| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
+| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
 | local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional |
+| ephemeral_storage_local_ssd_data_cache_count | Number of raw-block local NVMe SSD disks to be attached to the node utilized for GKE Data Cache. | 0 | Optional |
 {% if beta_cluster %}
 | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional |
 {% endif %}

autogen/main/README.md

@@ -71,6 +71,14 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "gke_auto_upgrade_config" {
+    for_each = var.gke_auto_upgrade_config_patch_mode != null ? [1] : []
+
+    content {
+      patch_mode = var.gke_auto_upgrade_config_patch_mode
+    }
+  }
+
   dynamic "cost_management_config" {
     for_each = var.enable_cost_allocation ? [1] : []
     content {
@@ -236,7 +244,7 @@ resource "google_container_cluster" "primary" {
   {% if autopilot_cluster != true %}
 
   dynamic "identity_service_config" {
-    for_each = var.enable_identity_service !=null ? [var.enable_identity_service] : []
+    for_each = var.enable_identity_service != null ? [var.enable_identity_service] : []
     content {
       enabled = identity_service_config.value
     }
@@ -266,6 +274,21 @@ resource "google_container_cluster" "primary" {
 
   in_transit_encryption_config = var.in_transit_encryption_config
 
+  dynamic "network_performance_config" {
+    for_each = var.total_egress_bandwidth_tier != null ? [1] : []
+    content {
+      total_egress_bandwidth_tier = var.total_egress_bandwidth_tier
+    }
+  }
+
+  dynamic "rbac_binding_config" {
+    for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
+    content {
+      enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
+      enable_insecure_binding_system_authenticated   = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]
+    }
+  }
+
   dynamic "secret_manager_config" {
     for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
     content {
@@ -855,6 +878,8 @@ locals {
     "local_ssd_encryption_mode",
     "max_run_duration",
     "flex_start",
+    "local_ssd_ephemeral_storage_count",
+    "ephemeral_storage_local_ssd_data_cache_count",
   ]
 }
 
@@ -1106,14 +1131,15 @@ resource "google_container_node_pool" "windows_pools" {
     disk_type       = lookup(each.value, "disk_type", "pd-standard")
 
     dynamic "ephemeral_storage_local_ssd_config" {
-      for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
+      for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 || lookup(each.value, "ephemeral_storage_local_ssd_data_cache_count", 0) > 0 ? [1] : []
       content {
-        local_ssd_count = ephemeral_storage_local_ssd_config.value
+        local_ssd_count  = lookup(each.value, "local_ssd_ephemeral_storage_count", 0)
+        data_cache_count = lookup(each.value, "ephemeral_storage_local_ssd_data_cache_count", 0)
       }
     }
     {% if beta_cluster %}
     dynamic "ephemeral_storage_config" {
-      for_each = lookup(each.value, "local_ssd_ephemeral_count",0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+      for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
       content {
         local_ssd_count = ephemeral_storage_config.value
       }