terraform-google-modules
diff --git a/‎CHANGELOG.md‎
Lines changed: 23 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 4 additions & 1 deletion b/‎README.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎autogen/main/README.md‎
Lines changed: 2 additions & 2 deletions b/‎autogen/main/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎autogen/main/cluster.tf.tmpl‎
Lines changed: 16 additions & 1 deletion b/‎autogen/main/cluster.tf.tmpl‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎autogen/main/variables.tf.tmpl‎
Lines changed: 19 additions & 1 deletion b/‎autogen/main/variables.tf.tmpl‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎autogen/main/versions.tf.tmpl‎
Lines changed: 1 addition & 1 deletion b/‎autogen/main/versions.tf.tmpl‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎autogen/safer-cluster/versions.tf.tmpl‎
Lines changed: 1 addition & 1 deletion b/‎autogen/safer-cluster/versions.tf.tmpl‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cluster.tf‎
Lines changed: 15 additions & 0 deletions b/‎cluster.tf‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎docs/upgrading_to_v39.0.md‎
Lines changed: 5 additions & 0 deletions b/‎docs/upgrading_to_v39.0.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎examples/confidential_autopilot_private/network.tf‎
Lines changed: 1 addition & 1 deletion b/‎examples/confidential_autopilot_private/network.tf‎
Lines changed: 1 addition & 1 deletion
@@ -6,6 +6,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [39.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.1.0...v39.0.0) (2025-09-15)
+
+
+### ⚠ BREAKING CHANGES
+
+* **TPG >= 6.47:** add support for lustre csi driver ([#2433](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2433))
+* **TPG>=6.47:** add support for rbac_binding_config ([#2401](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2401))
+
+### Features
+
+* add enable_k8s_beta_apis support ([#2387](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2387)) ([090781d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/090781d4edc596cafe8a4241ea3d068e851ff0c6))
+* add support for additional_pod_ranges_config ([#2435](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2435)) ([8b6a803](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/8b6a803b7c56574a13797aff892357326e9df0ad))
+* **TPG >= 6.47:** add support for lustre csi driver ([#2433](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2433)) ([b56546d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b56546d24fb83a0d34952f9b5d0fd97893fd4f8b))
+* **TPG>=6.47:** add support for rbac_binding_config ([#2401](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2401)) ([2c8b78d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/2c8b78dd0acfa050fd7fdb020fce4ddc4b451c32))
+
+
+### Bug Fixes
+
+* Add the nodepool cgroup mode to the NAP config ([#2356](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2356)) ([eeaf95d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/eeaf95d511a9cf500e45c1cd9c34d0e13482b0f3))
+* Avoid flapping network_tags when insecure_kubelet_readonly_port_enabled is non-null ([#2439](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2439)) ([0ffe3f9](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0ffe3f9929f28e4d4b449fc32e67a5c30e0e12c0))
+* Make GKE components ADC compatible ([#2440](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2440)) ([74d37d8](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/74d37d8b2d489150acc839991719e0fb70f2ecdb))
+* typo in taint dynamic block in main.tf for gke-node-pools module ([#2424](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2424)) ([0848345](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0848345a65b7f5192385d79410c4a98203045f70))
+
 ## [38.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v38.0.1...v38.1.0) (2025-08-29)
 
 
 
@@ -144,6 +144,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| additional\_pod\_ranges\_config | the configuration for individual additional subnetworks attached to the cluster | `list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))` | `[]` | no |
 | additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
@@ -179,6 +180,7 @@ Then perform the following commands on the root folder:
 | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
@@ -216,6 +218,7 @@ Then perform the following commands on the root folder:
 | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
 | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no |
+| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
@@ -437,7 +440,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
-- [Terraform Provider for GCP][terraform-provider-google] v6.41+
+- [Terraform Provider for GCP][terraform-provider-google] v6.47+
 
 #### gcloud
 
 
@@ -319,9 +319,9 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
 {% if beta_cluster %}
-- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+
 {% else %}
-- [Terraform Provider for GCP][terraform-provider-google] v6.41+
+- [Terraform Provider for GCP][terraform-provider-google] v6.47+
 {% endif %}
 
 #### gcloud
 
@@ -334,7 +334,7 @@ resource "google_container_cluster" "primary" {
     for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
     content {
       dynamic "network_tags" {
-        for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
+        for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
         content {
           tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : length(var.network_tags) > 0 ? var.network_tags : null
         }
@@ -403,6 +403,14 @@ resource "google_container_cluster" "primary" {
       enabled = var.filestore_csi_driver
     }
 
+    dynamic "lustre_csi_driver_config" {
+      for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"]
+      content {
+        enabled                   = var.lustre_csi_driver
+        enable_legacy_lustre_port = var.enable_legacy_lustre_port
+      }
+    }
+
     {% if autopilot_cluster != true %}
     network_policy_config {
       disabled = !var.network_policy
@@ -535,6 +543,13 @@ resource "google_container_cluster" "primary" {
         pod_range_names = var.additional_ip_range_pods
       }
     }
+    dynamic "additional_pod_ranges_config" {
+      for_each = var.additional_pod_ranges_config
+      content {
+        subnetwork           = var.additional_pod_ranges_config.subnetwork
+        pod_ipv4_range_names = var.additional_pod_ranges_config.pod_ipv4_range_names
+      }
+    }
     stack_type                    = var.stack_type
   }
 
 
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -174,6 +174,12 @@ variable "additional_ip_range_pods" {
   default     = []
 }
 
+variable "additional_pod_ranges_config" {
+  type        = list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))
+  description = "the configuration for individual additional subnetworks attached to the cluster"
+  default = []
+}
+
 variable "ip_range_services" {
   type        = string
   description = "The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used."
@@ -778,6 +784,18 @@ variable "filestore_csi_driver" {
   default     = false
 }
 
+variable "lustre_csi_driver" {
+  type        = bool
+  description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes"
+  default     = null
+}
+
+variable "enable_legacy_lustre_port" {
+  type        = bool
+  description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes"
+  default     = false
+}
+
 {% if autopilot_cluster != true %}
 variable "network_policy" {
   type        = bool
 
@@ -63,6 +63,6 @@ terraform {
     }
   }
   provider_meta "{% if beta_cluster %}google-beta{% else %}google{% endif %}" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v38.1.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v39.0.0"
   }
 }
@@ -23,6 +23,6 @@ terraform {
   required_version = ">=1.3"
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v38.1.0"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v39.0.0"
   }
 }
@@ -310,6 +310,14 @@ resource "google_container_cluster" "primary" {
       enabled = var.filestore_csi_driver
     }
 
+    dynamic "lustre_csi_driver_config" {
+      for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"]
+      content {
+        enabled                   = var.lustre_csi_driver
+        enable_legacy_lustre_port = var.enable_legacy_lustre_port
+      }
+    }
+
     network_policy_config {
       disabled = !var.network_policy
     }
@@ -404,6 +412,13 @@ resource "google_container_cluster" "primary" {
         pod_range_names = var.additional_ip_range_pods
       }
     }
+    dynamic "additional_pod_ranges_config" {
+      for_each = var.additional_pod_ranges_config
+      content {
+        subnetwork           = var.additional_pod_ranges_config.subnetwork
+        pod_ipv4_range_names = var.additional_pod_ranges_config.pod_ipv4_range_names
+      }
+    }
     stack_type = var.stack_type
   }
 
 
@@ -0,0 +1,5 @@
+# Upgrading to v39.0
+The v39.0 release of *kubernetes-engine* is a backwards incompatible release.
+
+### Google Cloud Platform Provider upgrade
+The Terraform Kubernetes Engine Module now requires version 6.47 or higher of the Google Cloud Platform Providers.
@@ -16,7 +16,7 @@
 
 module "gcp-network" {
   source  = "terraform-google-modules/network/google"
-  version = "~> 11.0"
+  version = "~> 12.0"
 
   project_id   = var.project_id
   network_name = local.network_name
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,6 @@ terraform {`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`	`provider_meta "{% if beta_cluster %}google-beta{% else %}google{% endif %}" {`
`66`		`- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v38.1.0"`
	`66`	`+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v39.0.0"`
`67`	`67`	`}`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,6 @@ terraform {`
`23`	`23`	`required_version = ">=1.3"`
`24`	`24`
`25`	`25`	`provider_meta "google-beta" {`
`26`		`- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v38.1.0"`
	`26`	`+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v39.0.0"`
`27`	`27`	`}`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -310,6 +310,14 @@ resource "google_container_cluster" "primary" {`
`310`	`310`	`enabled = var.filestore_csi_driver`
`311`	`311`	`}`
`312`	`312`
	`313`	`+ dynamic "lustre_csi_driver_config" {`
	`314`	`+ for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"]`
	`315`	`+ content {`
	`316`	`+ enabled = var.lustre_csi_driver`
	`317`	`+ enable_legacy_lustre_port = var.enable_legacy_lustre_port`
	`318`	`+ }`
	`319`	`+ }`
	`320`	`+`
`313`	`321`	`network_policy_config {`
`314`	`322`	`disabled = !var.network_policy`
`315`	`323`	`}`
`@@ -404,6 +412,13 @@ resource "google_container_cluster" "primary" {`
`404`	`412`	`pod_range_names = var.additional_ip_range_pods`
`405`	`413`	`}`
`406`	`414`	`}`
	`415`	`+ dynamic "additional_pod_ranges_config" {`
	`416`	`+ for_each = var.additional_pod_ranges_config`
	`417`	`+ content {`
	`418`	`+ subnetwork = var.additional_pod_ranges_config.subnetwork`
	`419`	`+ pod_ipv4_range_names = var.additional_pod_ranges_config.pod_ipv4_range_names`
	`420`	`+ }`
	`421`	`+ }`
`407`	`422`	`stack_type = var.stack_type`
`408`	`423`	`}`
`409`	`424`