feat: Add private endpoint subnetwork variable for safer cluster modules (#2540)

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>

Author: christiangonre

autogen/safer-cluster/main.tf.tmpl

@@ -140,6 +140,7 @@ module "gke" {
   // We enable private endpoints to limit exposure.
   enable_private_endpoint       = var.enable_private_endpoint
   deploy_using_private_endpoint = true
+  private_endpoint_subnetwork   = var.private_endpoint_subnetwork
 
   // Private nodes better control public exposure, and reduce
   // the ability of nodes to reach to the Internet without
@@ -148,7 +149,7 @@ module "gke" {
 
   master_global_access_enabled = true
 
-  master_ipv4_cidr_block = var.master_ipv4_cidr_block
+  master_ipv4_cidr_block = var.private_endpoint_subnetwork != null ? null : var.master_ipv4_cidr_block
 
   cloudrun = var.cloudrun
 

autogen/safer-cluster/variables.tf.tmpl

@@ -323,6 +323,12 @@ variable "master_ipv4_cidr_block" {
   default     = "10.0.0.0/28"
 }
 
+variable "private_endpoint_subnetwork" {
+  type        = string
+  description = "The subnetwork to use for the hosted master network. If specified, `master_ipv4_cidr_block` is ignored."
+  default     = null
+}
+
 variable "dns_cache" {
   type        = bool
   description = "(Beta) The status of the NodeLocal DNSCache addon."

modules/safer-cluster-update-variant/README.md

@@ -266,6 +266,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
+| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. If specified, `master_ipv4_cidr_block` is ignored. | `string` | `null` | no |
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |

modules/safer-cluster-update-variant/main.tf

@@ -136,6 +136,7 @@ module "gke" {
   // We enable private endpoints to limit exposure.
   enable_private_endpoint       = var.enable_private_endpoint
   deploy_using_private_endpoint = true
+  private_endpoint_subnetwork   = var.private_endpoint_subnetwork
 
   // Private nodes better control public exposure, and reduce
   // the ability of nodes to reach to the Internet without
@@ -144,7 +145,7 @@ module "gke" {
 
   master_global_access_enabled = true
 
-  master_ipv4_cidr_block = var.master_ipv4_cidr_block
+  master_ipv4_cidr_block = var.private_endpoint_subnetwork != null ? null : var.master_ipv4_cidr_block
 
   cloudrun = var.cloudrun
 

modules/safer-cluster-update-variant/metadata.display.yaml

@@ -223,6 +223,9 @@ spec:
         notification_config_topic:
           name: notification_config_topic
           title: Notification Config Topic
+        private_endpoint_subnetwork:
+          name: private_endpoint_subnetwork
+          title: Private Endpoint Subnetwork
         project_id:
           name: project_id
           title: Project Id

modules/safer-cluster-update-variant/metadata.yaml

@@ -337,6 +337,9 @@ spec:
         description: The IP range in CIDR notation to use for the hosted master network
         varType: string
         defaultValue: 10.0.0.0/28
+      - name: private_endpoint_subnetwork
+        description: The subnetwork to use for the hosted master network. If specified, `master_ipv4_cidr_block` is ignored.
+        varType: string
       - name: dns_cache
         description: (Beta) The status of the NodeLocal DNSCache addon.
         varType: bool

modules/safer-cluster-update-variant/variables.tf

@@ -323,6 +323,12 @@ variable "master_ipv4_cidr_block" {
   default     = "10.0.0.0/28"
 }
 
+variable "private_endpoint_subnetwork" {
+  type        = string
+  description = "The subnetwork to use for the hosted master network. If specified, `master_ipv4_cidr_block` is ignored."
+  default     = null
+}
+
 variable "dns_cache" {
   type        = bool
   description = "(Beta) The status of the NodeLocal DNSCache addon."

modules/safer-cluster/README.md

@@ -266,6 +266,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
+| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. If specified, `master_ipv4_cidr_block` is ignored. | `string` | `null` | no |
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |

modules/safer-cluster/main.tf

@@ -136,6 +136,7 @@ module "gke" {
   // We enable private endpoints to limit exposure.
   enable_private_endpoint       = var.enable_private_endpoint
   deploy_using_private_endpoint = true
+  private_endpoint_subnetwork   = var.private_endpoint_subnetwork
 
   // Private nodes better control public exposure, and reduce
   // the ability of nodes to reach to the Internet without
@@ -144,7 +145,7 @@ module "gke" {
 
   master_global_access_enabled = true
 
-  master_ipv4_cidr_block = var.master_ipv4_cidr_block
+  master_ipv4_cidr_block = var.private_endpoint_subnetwork != null ? null : var.master_ipv4_cidr_block
 
   cloudrun = var.cloudrun
 

modules/safer-cluster/metadata.display.yaml

@@ -223,6 +223,9 @@ spec:
         notification_config_topic:
           name: notification_config_topic
           title: Notification Config Topic
+        private_endpoint_subnetwork:
+          name: private_endpoint_subnetwork
+          title: Private Endpoint Subnetwork
         project_id:
           name: project_id
           title: Project Id