From 2c0f37f31273a8f6af4a61e6432476965ddaddc8 Mon Sep 17 00:00:00 2001
From: Andrew Peabody <andrewpeabody@google.com>
Date: Sat, 16 May 2026 01:29:30 +0000
Subject: [PATCH 1/2] feat(env_baseline): dynamic zone selection for GKE T4 GPU
 and ARM nodes

Restricted GKE Standard clusters and ARM node pools to zones supporting nvidia-tesla-t4 and t2a-standard-4 hardware. Replaced hardcoded us-central1 zones with dynamic discovery using google_compute_zones and google_compute_machine_types data sources.
---
 2-multitenant/modules/env_baseline/main.tf | 50 ++++++++++++++++++++--
 1 file changed, 47 insertions(+), 3 deletions(-)

diff --git a/2-multitenant/modules/env_baseline/main.tf b/2-multitenant/modules/env_baseline/main.tf
index 0badaf93b..0427c4fba 100644
--- a/2-multitenant/modules/env_baseline/main.tf
+++ b/2-multitenant/modules/env_baseline/main.tf
@@ -18,7 +18,6 @@ locals {
   networks_re           = "/networks/([^/]*)$"
   subnetworks_re        = "/subnetworks/([^/]*)$"
   projects_re           = "projects/([^/]*)/"
-  regions_re            = "regions/([^/]+)"
   cluster_project_id    = data.google_project.eab_cluster_project.project_id
   available_cidr_ranges = var.master_ipv4_cidr_blocks
 
@@ -30,12 +29,33 @@ locals {
 
   cluster_sa = [for i in merge(module.gke-standard, module.gke-autopilot) : i.service_account][0]
 
-  arm_node_pool = { for k, v in local.subnets : k => (regex(local.regions_re, v)[0]) == "us-central1" ?
+  # Map each region to zones that support nvidia-tesla-t4
+  gpu_t4_zones = {
+    for r_idx, r in data.google_compute_zones.available : r_idx => [
+      for z in r.names : z if contains([for a in data.google_compute_accelerator_types.t4[z].accelerator_types : a.name], "nvidia-tesla-t4")
+    ]
+  }
+
+  # Map each region to zones that support t2a-standard-4
+  arm_zones = {
+    for r_idx, r in data.google_compute_zones.available : r_idx => [
+      for z in r.names : z if length(data.google_compute_machine_types.arm[z].machine_types) > 0
+    ]
+  }
+
+  # ARM node pool locations must be a subset of cluster zones (which are restricted to T4 zones)
+  arm_node_pool_zones = {
+    for k, v in local.subnets : k => [
+      for z in local.arm_zones[k] : z if contains(local.gpu_t4_zones[k], z)
+    ]
+  }
+
+  arm_node_pool = { for k, v in local.subnets : k => length(local.arm_node_pool_zones[k]) > 0 ?
     [
       {
         name            = "regional-arm64-pool"
         machine_type    = "t2a-standard-4"
-        node_locations  = "us-central1-a,us-central1-b,us-central1-f"
+        node_locations  = join(",", local.arm_node_pool_zones[k])
         strategy        = "SURGE"
         max_surge       = 1
         max_unavailable = 0
@@ -169,6 +189,29 @@ data "google_compute_subnetwork" "default" {
   self_link = each.value
 }
 
+data "google_compute_zones" "available" {
+  for_each = local.subnets
+  region   = data.google_compute_subnetwork.default[each.key].region
+  project  = local.cluster_project_id
+}
+
+locals {
+  all_zones = distinct(flatten([for z in data.google_compute_zones.available : z.names]))
+}
+
+data "google_compute_accelerator_types" "t4" {
+  for_each = toset(local.all_zones)
+  zone     = each.value
+  project  = local.cluster_project_id
+}
+
+data "google_compute_machine_types" "arm" {
+  for_each = toset(local.all_zones)
+  zone     = each.value
+  project  = local.cluster_project_id
+  filter   = "name = \"t2a-standard-4\""
+}
+
 resource "google_access_context_manager_access_level_condition" "access-level-conditions" {
   count        = var.access_level_name != null ? 1 : 0
   access_level = var.access_level_name
@@ -256,6 +299,7 @@ module "gke-standard" {
   project_id             = local.cluster_project_id
   regional               = true
   region                 = data.google_compute_subnetwork.default[each.key].region
+  zones                  = local.gpu_t4_zones[each.key]
   network_project_id     = regex(local.projects_re, data.google_compute_subnetwork.default[each.key].id)[0]
   network                = regex(local.networks_re, data.google_compute_subnetwork.default[each.key].network)[0]
   subnetwork             = regex(local.subnetworks_re, local.subnets[each.key])[0]

From 9dd6c3f6c27b9aa9178c94db113a7d17b5695ce3 Mon Sep 17 00:00:00 2001
From: Mend Renovate <bot@renovateapp.com>
Date: Sat, 16 May 2026 01:31:56 +0000
Subject: [PATCH 2/2] fix(deps): Update dependency protobuf to v6.33.5
 [SECURITY]

---
 .../american-option/requirements.txt          | 23 +++++++++----------
 .../requirements.txt                          |  2 +-
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/5-appinfra/modules/htc-infra/american-option/requirements.txt b/5-appinfra/modules/htc-infra/american-option/requirements.txt
index 3cb3e67ba..a76e5a57e 100644
--- a/5-appinfra/modules/htc-infra/american-option/requirements.txt
+++ b/5-appinfra/modules/htc-infra/american-option/requirements.txt
@@ -116,18 +116,17 @@ grpcio-tools==1.66.1 \
     --hash=sha256:f94d5193b2f2a9595795b83e7978b2bee1c0399da66f2f24d179c388f81fb99c \
     --hash=sha256:fa4f95a79a34afc3b5464895d091cd1911227fc3ab0441b9a37cd1817cf7db86
     # via -r ./requirements.in
-protobuf==5.27.2 \
-    --hash=sha256:0e341109c609749d501986b835f667c6e1e24531096cff9d34ae411595e26505 \
-    --hash=sha256:176c12b1f1c880bf7a76d9f7c75822b6a2bc3db2d28baa4d300e8ce4cde7409b \
-    --hash=sha256:354d84fac2b0d76062e9b3221f4abbbacdfd2a4d8af36bab0474f3a0bb30ab38 \
-    --hash=sha256:4fadd8d83e1992eed0248bc50a4a6361dc31bcccc84388c54c86e530b7f58863 \
-    --hash=sha256:54330f07e4949d09614707c48b06d1a22f8ffb5763c159efd5c0928326a91470 \
-    --hash=sha256:610e700f02469c4a997e58e328cac6f305f649826853813177e6290416e846c6 \
-    --hash=sha256:7fc3add9e6003e026da5fc9e59b131b8f22b428b991ccd53e2af8071687b4fce \
-    --hash=sha256:9e8f199bf7f97bd7ecebffcae45ebf9527603549b2b562df0fbc6d4d688f14ca \
-    --hash=sha256:a109916aaac42bff84702fb5187f3edadbc7c97fc2c99c5ff81dd15dcce0d1e5 \
-    --hash=sha256:b848dbe1d57ed7c191dfc4ea64b8b004a3f9ece4bf4d0d80a367b76df20bf36e \
-    --hash=sha256:f3ecdef226b9af856075f28227ff2c90ce3a594d092c39bee5513573f25e2714
+protobuf==6.33.5 \
+    --hash=sha256:3093804752167bcab3998bec9f1048baae6e29505adaf1afd14a37bddede533c \
+    --hash=sha256:69915a973dd0f60f31a08b8318b73eab2bd6a392c79184b3612226b0a3f8ec02 \
+    --hash=sha256:6ddcac2a081f8b7b9642c09406bc6a4290128fce5f471cddd165960bb9119e5c \
+    --hash=sha256:8afa18e1d6d20af15b417e728e9f60f3aa108ee76f23c3b2c07a2c3b546d3afd \
+    --hash=sha256:8f04fa32763dcdb4973d537d6b54e615cc61108c7cb38fe59310c3192d29510a \
+    --hash=sha256:9b71e0281f36f179d00cbcb119cb19dec4d14a81393e5ea220f64b286173e190 \
+    --hash=sha256:a3157e62729aafb8df6da2c03aa5c0937c7266c626ce11a278b6eb7963c4e37c \
+    --hash=sha256:a5cb85982d95d906df1e2210e58f8e4f1e3cdc088e52c921a041f9c9a0386de5 \
+    --hash=sha256:cbf16ba3350fb7b889fca858fb215967792dc125b35c7976ca4818bee3521cf0 \
+    --hash=sha256:d71b040839446bac0f4d162e758bea99c8251161dae9d0983a3b88dee345153b
     # via
     #   -r ./requirements.in
     #   grpcio-reflection
diff --git a/5-appinfra/modules/htc-infra/kubernetes/storage/parallelstore-transfer-tool/requirements.txt b/5-appinfra/modules/htc-infra/kubernetes/storage/parallelstore-transfer-tool/requirements.txt
index f731a4d1e..e91f195b3 100644
--- a/5-appinfra/modules/htc-infra/kubernetes/storage/parallelstore-transfer-tool/requirements.txt
+++ b/5-appinfra/modules/htc-infra/kubernetes/storage/parallelstore-transfer-tool/requirements.txt
@@ -30,7 +30,7 @@ proto-plus==1.26.0
     # via
     #   google-api-core
     #   google-cloud-parallelstore
-protobuf==6.30.0
+protobuf==6.33.5
     # via
     #   google-api-core
     #   google-cloud-parallelstore