
Conversation

@laurentgrangeau
Contributor

This PR adds a flag to allow access through Google Cloud public IP addresses only. This is useful to increase security in private cluster mode.

@laurentgrangeau laurentgrangeau requested review from a team, ericyz and gtsorbo as code owners September 10, 2024 16:23
@apeabody apeabody changed the title Add a flag to allow access through Google Cloud public IP addresses feat: add a flag to allow access through Google Cloud public IP addresses Sep 10, 2024
@apeabody apeabody self-assigned this Sep 10, 2024
@apeabody
Collaborator

/gcbrun

Collaborator

@apeabody apeabody left a comment

Thanks for the contribution @laurentgrangeau!

From the INT tests:

TestSimpleZonalPrivate 2024-09-10T20:24:48Z command.go:100: Running command gcloud with args [config get-value project --format json]
TestSimpleZonalPrivate 2024-09-10T20:24:49Z command.go:185: "cloud-foundation-cicd"
    golden.go:157: 
        	Error Trace:	/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/golden/golden.go:157
        	            				/workspace/test/integration/simple_zonal_private/simple_zonal_private_test.go:70
        	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:638
        	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:670
        	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/utils/stages.go:31
        	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:670
        	Error:      	Not equal: 
        	            	expected: "{\n    \"cidrBlocks\": [\n      {\n        \"cidrBlock\": \"10.0.0.0/17\",\n        \"displayName\": \"VPC\"\n      }\n    ],\n    \"enabled\": true\n  }"
        	            	actual  : "{\n    \"cidrBlocks\": [\n      {\n        \"cidrBlock\": \"10.0.0.0/17\",\n        \"displayName\": \"VPC\"\n      }\n    ],\n    \"enabled\": true,\n    \"gcpPublicCidrsAccessEnabled\": false\n  }"
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -7,3 +7,4 @@
        	            	     ],
        	            	-    "enabled": true
        	            	+    "enabled": true,
        	            	+    "gcpPublicCidrsAccessEnabled": false
        	            	   }
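Review bot: the golden fixture for masterAuthorizedNetworksConfig in simple_zonal_private needs to be regenerated rather than the code changed: the only difference in the hunk is the server now reporting `"gcpPublicCidrsAccessEnabled": false` after `"enabled": true,` (note the trailing comma the previous last key gains), so the comparison at simple_zonal_private_test.go:70 fails even though the configured cluster is unchanged. Adding that key with value false to the fixture, and then setting the new variable to true in one example and asserting `"gcpPublicCidrsAccessEnabled": true` there, would cover both the default and the opt-in path.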
        	Test:       	TestSimpleZonalPrivate
        	Messages:   	expected masterAuthorizedNetworksConfig to match fixture {
        	            	    "cidrBlocks": [
        	            	      {
        	            	        "cidrBlock": "10.0.0.0/17",
        	            	        "displayName": "VPC"
        	            	      }
        	            	    ],
        	            	    "enabled": true
        	            	  }

@apeabody
Collaborator

Thanks @laurentgrangeau!

Let's also add the new gcp_public_cidrs_access_enabled variable to a relevant example and update its test data to expect the correct cluster configuration, e.g. "gcpPublicCidrsAccessEnabled": true

@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

From the test:

TestSimpleZonalPrivate 2024-09-23T16:52:22Z command.go:185: module.example.module.gke.google_container_cluster.primary: Creating...
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: 
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: Error: googleapi: Error 400: Invalid value for "cluster.master_authorized_networks_config": "cluster.master_authorized_networks_config.gcp_public_cidrs_access_enabled" cannot be enabled if private endpoint is enabled.
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: Details:
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: [
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:   {
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:     "@type": "type.googleapis.com/google.rpc.RequestInfo",
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:     "requestId": "0x3fd58076f9492418"
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:   }
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: ]
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: , badRequest
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: 
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:   with module.example.module.gke.google_container_cluster.primary,
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:   on ../../../modules/private-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185:   22: resource "google_container_cluster" "primary" {
TestSimpleZonalPrivate 2024-09-23T16:52:24Z command.go:185: 
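
An added pre-apply check (example code, not part of the module or this PR) for the two facts this thread establishes: the control plane rejects `gcp_public_cidrs_access_enabled = true` together with a private endpoint (the HTTP 400 above), and the API reports the field as `false` when it was never set (the golden diff earlier). It reads the `privateClusterConfig.enablePrivateEndpoint` and `masterAuthorizedNetworksConfig.gcpPublicCidrsAccessEnabled` fields of a cluster description; the sample clusters are constructed.

```python
# Constructed sample clusters, shaped like the masterAuthorizedNetworksConfig and
# privateClusterConfig blocks of a GKE cluster description (not data from the PR).
CLUSTERS = {
    "private-ok": {
        "privateClusterConfig": {"enablePrivateEndpoint": True},
        "masterAuthorizedNetworksConfig": {
            "enabled": True,
            "cidrBlocks": [{"cidrBlock": "10.0.0.0/17", "displayName": "VPC"}],
        },
    },
    "private-invalid": {
        "privateClusterConfig": {"enablePrivateEndpoint": True},
        "masterAuthorizedNetworksConfig": {"enabled": True, "gcpPublicCidrsAccessEnabled": True},
    },
    "public-endpoint-gcp-wide": {
        "privateClusterConfig": {"enablePrivateEndpoint": False},
        "masterAuthorizedNetworksConfig": {
            "enabled": True,
            "gcpPublicCidrsAccessEnabled": True,
            "cidrBlocks": [{"cidrBlock": "10.0.0.0/17", "displayName": "VPC"}],
        },
    },
}


def audit_master_authorized_networks(cluster: dict) -> list[str]:
    """Return findings for one cluster description; an empty list means clean.

    A missing gcpPublicCidrsAccessEnabled key is treated as False, the default
    the API reported in the golden-fixture diff earlier in the thread.
    """
    manc = cluster.get("masterAuthorizedNetworksConfig", {})
    private_endpoint = cluster.get("privateClusterConfig", {}).get("enablePrivateEndpoint", False)
    public_cidrs = manc.get("gcpPublicCidrsAccessEnabled", False)
    findings = []
    if public_cidrs and private_endpoint:
        # The combination the API rejected with HTTP 400 in the test run above;
        # catching it before apply saves a failed cluster create.
        findings.append("INVALID: gcpPublicCidrsAccessEnabled requires enable_private_endpoint = false")
    elif public_cidrs:
        # Authorized networks still apply, but the allow-list is widened from the listed
        # CIDRs to every Google Cloud public IP address, including other tenants' VMs.
        findings.append("REVIEW: control plane endpoint reachable from all Google Cloud public IPs")
    return findings


def audit_all(clusters: dict) -> dict[str, list[str]]:
    """Map cluster name to its findings, omitting clean clusters."""
    return {n: f for n, c in clusters.items() if (f := audit_master_authorized_networks(c))}
```

Feed it the JSON from `gcloud container clusters describe --format json` to audit existing clusters, or the planned values before running `terraform apply`.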

@apeabody
Collaborator

/gcbrun

@laurentgrangeau
Contributor Author

/gcbrun

@apeabody
Collaborator

apeabody commented Oct 1, 2024

/gcbrun

@apeabody
Collaborator

apeabody commented Oct 1, 2024

/gcbrun

@apeabody
Collaborator

apeabody commented Oct 1, 2024

/gcbrun

@apeabody apeabody merged commit 2f412bb into terraform-google-modules:master Oct 1, 2024
4 checks passed