From fb9a682c4a7c55cbf3b8a9e56f0b07fe02b900bd Mon Sep 17 00:00:00 2001
From: Edward Rousseau
Date: Mon, 30 Dec 2024 09:39:42 +0000
Subject: [PATCH 1/2] Add enable_secret_manager_addon variable to safer-cluster and safer-cluster-update-variant
---
 modules/safer-cluster-update-variant/main.tf | 2 ++
 modules/safer-cluster-update-variant/variables.tf | 6 ++++++
 modules/safer-cluster/main.tf | 2 ++
 modules/safer-cluster/variables.tf | 6 ++++++
 4 files changed, 16 insertions(+)
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index a13fafe5fe..de39b29d84 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -214,4 +214,6 @@ module "gke" {
 // Enabling security posture
 security_posture_mode = var.security_posture_mode
 security_posture_vulnerability_mode = var.security_posture_vulnerability_mode
+
+ enable_secret_manager_addon = var.enable_secret_manager_addon
 }
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 02d6f8e526..a8f31ae0f7 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -521,6 +521,12 @@ variable "enable_gcfs" {
 default = false
 }
 
+variable "enable_secret_manager_addon" {
+ description = "Enable the Secret Manager add-on for this cluster"
+ type = bool
+ default = false
+}
+
 variable "enable_mesh_certificates" {
 type = bool
 default = false
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index e113c09a6a..76f308a589 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -214,4 +214,6 @@ module "gke" {
 // Enabling security posture
 security_posture_mode = var.security_posture_mode
 security_posture_vulnerability_mode = var.security_posture_vulnerability_mode
+
+ enable_secret_manager_addon = var.enable_secret_manager_addon
 }
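Review bot: The new `enable_secret_manager_addon = var.enable_secret_manager_addon` line sits under the `// Enabling security posture` heading, so it reads as a posture setting although it switches on a separate cluster add-on; since the hunk already isolates it with a blank line, give it its own heading in the style of the surrounding block, `// Enabling the Secret Manager add-on`. The same placement is used in the `modules/safer-cluster/main.tf` hunk of this patch and should be fixed there as well. The `module "gke"` block starts outside the hunk, and the wrapped module's variable of the same name is not visible in the patch, so whether the pass-through resolves cannot be confirmed from here.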
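Review bot: The description `Enable the Secret Manager add-on for this cluster` tells a user of this hardened module nothing about what the add-on depends on or what still protects the secrets, whereas the neighbouring `enable_mesh_certificates` variable (its README row is in the second patch) does state its Workload Identity requirement. The GKE Secret Manager add-on authenticates workloads through Workload Identity Federation for GKE, and each secret remains gated by its own Secret Manager IAM bindings, so the description should say so: `description = "Enable the Secret Manager add-on for this cluster. Requires Workload Identity; access to individual secrets is still governed by Secret Manager IAM bindings on the workload's identity."`. The `false` default keeps the add-on off, which fits the safer profile. The identical variable block appears in the `modules/safer-cluster/variables.tf` hunk, and both README rows in the second patch are generated from this text, so the wording should be changed in both places.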
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 02d6f8e526..a8f31ae0f7 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -521,6 +521,12 @@ variable "enable_gcfs" {
 default = false
 }
 
+variable "enable_secret_manager_addon" {
+ description = "Enable the Secret Manager add-on for this cluster"
+ type = bool
+ default = false
+}
+
 variable "enable_mesh_certificates" {
 type = bool
 default = false
From 018a31607c0b5b2e9a86636a071c18a7e14d8cf8 Mon Sep 17 00:00:00 2001
From: Edward Rousseau
Date: Mon, 30 Dec 2024 09:52:53 +0000
Subject: [PATCH 2/2] Update docs
---
 modules/safer-cluster-update-variant/README.md | 1 +
 modules/safer-cluster/README.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index ee0e3c39e8..0919a6043c 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -226,6 +226,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index ee0e3c39e8..0919a6043c 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -226,6 +226,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |