Merge branch 'master' into feature/node-pools-oauth-scopes

Author: lantier

.gitignore

@@ -47,3 +47,6 @@ test/integration/gcloud/config.sh
 test/integration/tmp
 
 credentials.json
+
+# File to populate env vars used by Docker test runs
+.envrc

Makefile

@@ -130,7 +130,7 @@ docker_create: docker_build_kitchen_terraform
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
-		/bin/bash -c "kitchen create"
+		/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen create"
 
 .PHONY: docker_converge
 docker_converge:
@@ -144,7 +144,7 @@ docker_converge:
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
-		/bin/bash -c "kitchen converge && kitchen converge"
+		/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen converge && kitchen converge"
 
 .PHONY: docker_verify
 docker_verify:
@@ -158,7 +158,7 @@ docker_verify:
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
-		/bin/bash -c "kitchen verify"
+		/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen verify"
 
 .PHONY: docker_destroy
 docker_destroy:
@@ -172,7 +172,7 @@ docker_destroy:
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
-		/bin/bash -c "kitchen destroy"
+		/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen destroy"
 
 .PHONY: test_integration_docker
 test_integration_docker:

README.md

@@ -100,64 +100,62 @@ Then perform the following commands on the root folder:
 
 [^]: (autogen_docs_start)
 
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| description | The description of the cluster | string | `` | no |
-| horizontal_pod_autoscaling | Enable horizontal pod autoscaling addon | string | `true` | no |
-| http_load_balancing | Enable httpload balancer addon | string | `true` | no |
-| ip_masq_link_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `false` | no |
-| ip_masq_resync_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `60s` | no |
-| ip_range_pods | The secondary ip range to use for pods | string | - | yes |
-| ip_range_services | The secondary ip range to use for pods | string | - | yes |
-| kubernetes_dashboard | Enable kubernetes dashboard addon | string | `false` | no |
-| kubernetes_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `latest` | no |
-| logging_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `logging.googleapis.com` | no |
-| maintenance_start_time | Time window specified for daily maintenance operations in RFC3339 format | string | `05:00` | no |
-| master_authorized_networks_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)<br><br>  ### example format ###   master_authorized_networks_config = [{     cidr_blocks = [{       cidr_block   = "10.0.0.0/8"       display_name = "example_network"     }],   }] | list | `<list>` | no |
-| monitoring_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `monitoring.googleapis.com` | no |
-| name | The name of the cluster (required) | string | - | yes |
-| network | The VPC network to host the cluster in (required) | string | - | yes |
-| network_policy | Enable network policy addon | string | `false` | no |
-| network_project_id | The project ID of the shared VPC's host (for shared vpc support) | string | `` | no |
-| node_pools | List of maps containing node pools | list | `<list>` | no |
-| node_pools_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
-| node_pools_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |
-| node_pools_tags | Map of lists containing node network tags by node-pool name | map | `<map>` | no |
-| node_pools_oauth_scopes | Map of lists containing node oauth scopes by node-pool name | map | `<map>` | no |
-| node_pools_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
-| node_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `` | no |
-| non_masquerade_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
-| project_id | The project ID to host the cluster in (required) | string | - | yes |
-| region | The region to host the cluster in (required) | string | - | yes |
-| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `true` | no |
-| remove_default_node_pool | Remove default node pool while setting up the cluster | string | `false` | no |
-| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `` | no |
-| stub_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
-| subnetwork | The subnetwork to host the cluster in (required) | string | - | yes |
+| description | The description of the cluster | string | `""` | no |
+| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
+| http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
+| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |
+| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
+| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | - | yes |
+| ip\_range\_services | The _name_ of the secondary subnet ip range to use for services | string | - | yes |
+| kubernetes\_dashboard | Enable kubernetes dashboard addon | string | `"false"` | no |
+| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
+| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com"` | no |
+| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)<br><br>  ### example format ###   master_authorized_networks_config = [{     cidr_blocks = [{       cidr_block   = "10.0.0.0/8"       display_name = "example_network"     }],   }] | list | `<list>` | no |
+| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
+| name | The name of the cluster (required) | string | n/a | yes |
+| network | The VPC network to host the cluster in (required) | string | n/a | yes |
+| network\_policy | Enable network policy addon | string | `"false"` | no |
+| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_pools | List of maps containing node pools | list | `<list>` | no |
+| node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
+| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |
+| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map | `<map>` | no |
+| node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
+| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
+| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
+| project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
+| region | The region to host the cluster in (required) | string | n/a | yes |
+| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
+| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | string | `"false"` | no |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `""` | no |
+| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
+| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| ca_certificate | Cluster ca certificate (base64 encoded) |
+| ca\_certificate | Cluster ca certificate (base64 encoded) |
 | endpoint | Cluster endpoint |
-| horizontal_pod_autoscaling_enabled | Whether horizontal pod autoscaling enabled |
-| http_load_balancing_enabled | Whether http load balancing enabled |
-| kubernetes_dashboard_enabled | Whether kubernetes dashboard enabled |
+| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
+| http\_load\_balancing\_enabled | Whether http load balancing enabled |
+| kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
-| logging_service | Logging service used |
-| master_authorized_networks_config | Networks from which access to master is permitted |
-| master_version | Current master kubernetes version |
-| min_master_version | Minimum master kubernetes version |
-| monitoring_service | Monitoring service used |
+| logging\_service | Logging service used |
+| master\_authorized\_networks\_config | Networks from which access to master is permitted |
+| master\_version | Current master kubernetes version |
+| min\_master\_version | Minimum master kubernetes version |
+| monitoring\_service | Monitoring service used |
 | name | Cluster name |
-| network_policy_enabled | Whether network policy enabled |
-| node_pools_names | List of node pools names |
-| node_pools_versions | List of node pools versions |
+| network\_policy\_enabled | Whether network policy enabled |
+| node\_pools\_names | List of node pools names |
+| node\_pools\_versions | List of node pools versions |
 | region | Cluster region |
 | type | Cluster type (regional / zonal) |
 | zones | List of zones in which the cluster resides |
@@ -190,6 +188,7 @@ following project roles:
 - roles/container.developer
 - roles/iam.serviceAccountAdmin
 - roles/iam.serviceAccountUser
+- roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`)
 
 ### Enable APIs
 In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:
@@ -248,6 +247,9 @@ The test-kitchen instances in `test/fixtures/` wrap identically-named examples i
 
 1. Configure the [test fixtures](#test-configuration)
 2. Download a Service Account key with the necessary permissions and put it in the module's root directory with the name `credentials.json`.
+    - Requires the [permissions to run the module](#configure-a-service-account)
+    - Requires `roles/compute.networkAdmin` to create the test suite's networks
+    - Requires `roles/resourcemanager.projectIamAdmin` since service account creation is tested
 3. Build the Docker container for testing:
 
   ```

auth.tf

@@ -31,4 +31,4 @@ provider "kubernetes" {
   host                   = "https://${local.cluster_endpoint}"
   token                  = "${data.google_client_config.default.access_token}"
   cluster_ca_certificate = "${base64decode(local.cluster_ca_certificate)}"
-}
+}

autogen/README.md

@@ -191,6 +191,7 @@ following project roles:
 - roles/container.developer
 - roles/iam.serviceAccountAdmin
 - roles/iam.serviceAccountUser
+- roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`)
 
 ### Enable APIs
 In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:
@@ -249,6 +250,9 @@ The test-kitchen instances in `test/fixtures/` wrap identically-named examples i
 
 1. Configure the [test fixtures](#test-configuration)
 2. Download a Service Account key with the necessary permissions and put it in the module's root directory with the name `credentials.json`.
+    - Requires the [permissions to run the module](#configure-a-service-account)
+    - Requires `roles/compute.networkAdmin` to create the test suite's networks
+    - Requires `roles/resourcemanager.projectIamAdmin` since service account creation is tested
 3. Build the Docker container for testing:
 
   ```

autogen/cluster_regional.tf

@@ -31,7 +31,7 @@ resource "google_container_cluster" "primary" {
 
   network            = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
   subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version}"
+  min_master_version = "${local.kubernetes_version_regional}"
 
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
@@ -104,7 +104,7 @@ resource "google_container_node_pool" "pools" {
   project            = "${var.project_id}"
   region             = "${var.region}"
   cluster            = "${var.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version)}"
+  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_regional)}"
   initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
 
   autoscaling {

autogen/cluster_zonal.tf

@@ -31,7 +31,7 @@ resource "google_container_cluster" "zonal_primary" {
 
   network            = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
   subnetwork         = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
-  min_master_version = "${local.kubernetes_version}"
+  min_master_version = "${local.kubernetes_version_zonal}"
 
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
@@ -104,7 +104,7 @@ resource "google_container_node_pool" "zonal_pools" {
   project            = "${var.project_id}"
   zone               = "${var.zones[0]}"
   cluster            = "${var.name}"
-  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version)}"
+  version            = "${lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(var.node_pools[count.index], "version", local.node_version_zonal)}"
   initial_node_count = "${lookup(var.node_pools[count.index], "initial_node_count", lookup(var.node_pools[count.index], "min_count", 1))}"
 
   autoscaling {

autogen/main.tf

@@ -31,10 +31,12 @@ resource "random_shuffle" "available_zones" {
 }
 
 locals {
-  kubernetes_version     = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_node_version}"
-  node_version           = "${var.node_version != "" ? var.node_version : local.kubernetes_version}"
-  custom_kube_dns_config = "${length(keys(var.stub_domains)) > 0 ? true : false}"
-  network_project_id     = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
+  kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}"
+  kubernetes_version_zonal    = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}"
+  node_version_regional       = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
+  node_version_zonal          = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
+  custom_kube_dns_config      = "${length(keys(var.stub_domains)) > 0 ? true : false}"
+  network_project_id          = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
 
   cluster_type = "${var.regional ? "regional" : "zonal"}"
 
@@ -149,7 +151,17 @@ locals {
   Get available container engine versions
  *****************************************/
 data "google_container_engine_versions" "region" {
-  provider = "{% if private_cluster %}google-beta{%else %}google{% endif %}"
-  zone     = "${data.google_compute_zones.available.names[0]}"
+  provider = "google-beta"
+  region   = "${var.region}"
+  project  = "${var.project_id}"
+}
+
+data "google_container_engine_versions" "zone" {
+  provider = "google-beta"
+  // Work around to prevent a lack of zone declaration from causing regional cluster creation from erroring out due to error
+  //
+  //     data.google_container_engine_versions.zone: Cannot determine zone: set in this resource, or set provider-level zone.
+  //
+  zone     = "${var.zones[0] == "" ? data.google_compute_zones.available.names[0] : var.zones[0]}"
   project  = "${var.project_id}"
 }

autogen/sa.tf

@@ -24,7 +24,7 @@ locals {
 resource "google_service_account" "cluster_service_account" {
   count        = "${var.service_account == "create" ? 1 : 0}"
   project      = "${var.project_id}"
-  account_id   = "tf-gke-${substr(var.name, 0, 20)}"
+  account_id   = "tf-gke-${substr(var.name, 0, min(20, length(var.name)))}"
   display_name = "Terraform-managed service account for cluster ${var.name}"
 }