feat(TPG>=6.1.0): promote secret_manager_config to GA

Promote `secret_manager_config` (GA since 6.1.)
https://github.com/hashicorp/terraform-provider-google/releases/tag/v6.1.0

Fixes #2157

Author: wyardley

README.md

@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
@@ -282,6 +283,7 @@ Then perform the following commands on the root folder:
 | node\_pools\_versions | Node pool versions by node pool name |
 | region | Cluster region |
 | release\_channel | The release channel of this cluster |
+| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
 | type | Cluster type (regional / zonal) |

autogen/main/cluster.tf.tmpl

@@ -243,14 +243,14 @@ resource "google_container_cluster" "primary" {
 
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
-{% if beta_cluster %}
   dynamic "secret_manager_config" {
     for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
     content {
       enabled = secret_manager_config.value
     }
   }
 
+{% if beta_cluster %}
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% endif %}
 {% if autopilot_cluster %}

autogen/main/main.tf.tmpl

@@ -165,12 +165,12 @@ locals {
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
+  cluster_output_secret_manager_addon_enabled       = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
 {% if beta_cluster %}
   # BETA features
-  cluster_output_istio_disabled                   = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
-  cluster_output_pod_security_policy_enabled      = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_secret_manager_addon_enabled     = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
+  cluster_output_istio_disabled              = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
+  cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 
   # /BETA features
   {% endif %}
@@ -223,6 +223,7 @@ locals {
   confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled         = local.cluster_output_identity_service_enabled
+  cluster_secret_manager_addon_enabled     = local.cluster_output_secret_manager_addon_enabled
   {% if autopilot_cluster != true %}
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
@@ -231,12 +232,11 @@ locals {
 
 {% if beta_cluster %}
   # BETA features
-  cluster_istio_enabled                    = ! local.cluster_output_istio_disabled
+  cluster_istio_enabled               = !local.cluster_output_istio_disabled
   {% if autopilot_cluster != true %}
-  cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
+  cluster_telemetry_type_is_set       = var.cluster_telemetry_type != null
   {% endif %}
-  cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
-  cluster_secret_manager_addon_enabled     = local.cluster_output_secret_manager_addon_enabled
+  cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 
   # /BETA features
 {% endif %}

autogen/main/outputs.tf.tmpl

@@ -223,11 +223,6 @@ output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = local.cluster_pod_security_policy_enabled
 }
-
-output "secret_manager_addon_enabled" {
-  description = "Whether Secret Manager add-on is enabled"
-  value       = local.cluster_secret_manager_addon_enabled
-}
 {% endif %}
 
 output "identity_service_enabled" {
@@ -240,6 +235,11 @@ output "intranode_visibility_enabled" {
   value       = local.cluster_intranode_visibility_enabled
 }
 
+output "secret_manager_addon_enabled" {
+  description = "Whether Secret Manager add-on is enabled"
+  value       = local.cluster_secret_manager_addon_enabled
+}
+
 output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership

autogen/main/variables.tf.tmpl

@@ -611,6 +611,12 @@ variable "enable_confidential_nodes" {
   description = "An optional flag to enable confidential node config."
   default = false
 }
+
+variable "enable_secret_manager_addon" {
+  description = "Enable the Secret Manager add-on for this cluster"
+  type        = bool
+  default     = false
+}
 {% if beta_cluster %}
 
 variable "workload_vulnerability_mode" {
@@ -630,12 +636,6 @@ variable "enable_fqdn_network_policy" {
   description = "Enable FQDN Network Policies on the cluster"
   default     = null
 }
-
-variable "enable_secret_manager_addon" {
-  description = "(Beta) Enable the Secret Manager add-on for this cluster"
-  type        = bool
-  default     = false
-}
 {% endif %}
 
 variable "enable_cilium_clusterwide_network_policy" {

cluster.tf

@@ -189,6 +189,13 @@ resource "google_container_cluster" "primary" {
 
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
+  dynamic "secret_manager_config" {
+    for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
+    content {
+      enabled = secret_manager_config.value
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
     content {

main.tf

@@ -125,6 +125,7 @@ locals {
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
+  cluster_output_secret_manager_addon_enabled       = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
@@ -166,6 +167,7 @@ locals {
   confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
+  cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
   }] : []

modules/beta-autopilot-private-cluster/README.md

@@ -99,7 +99,7 @@ Then perform the following commands on the root folder:
 | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
-| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |

modules/beta-autopilot-private-cluster/main.tf

@@ -93,11 +93,11 @@ locals {
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
+  cluster_output_secret_manager_addon_enabled       = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # BETA features
-  cluster_output_istio_disabled               = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
-  cluster_output_pod_security_policy_enabled  = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
+  cluster_output_istio_disabled              = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
+  cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 
   # /BETA features
 
@@ -127,11 +127,11 @@ locals {
   confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
+  cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 
   # BETA features
-  cluster_istio_enabled                = !local.cluster_output_istio_disabled
-  cluster_pod_security_policy_enabled  = local.cluster_output_pod_security_policy_enabled
-  cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
+  cluster_istio_enabled               = !local.cluster_output_istio_disabled
+  cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 
   # /BETA features
 

modules/beta-autopilot-private-cluster/outputs.tf

@@ -179,11 +179,6 @@ output "pod_security_policy_enabled" {
   value       = local.cluster_pod_security_policy_enabled
 }
 
-output "secret_manager_addon_enabled" {
-  description = "Whether Secret Manager add-on is enabled"
-  value       = local.cluster_secret_manager_addon_enabled
-}
-
 output "identity_service_enabled" {
   description = "Whether Identity Service is enabled"
   value       = local.cluster_identity_service_enabled
@@ -194,6 +189,11 @@ output "intranode_visibility_enabled" {
   value       = local.cluster_intranode_visibility_enabled
 }
 
+output "secret_manager_addon_enabled" {
+  description = "Whether Secret Manager add-on is enabled"
+  value       = local.cluster_secret_manager_addon_enabled
+}
+
 output "fleet_membership" {
   description = "Fleet membership (if registered)"
   value       = local.fleet_membership