From 4aad5e9e72d2d48706c0244395adab69602119d7 Mon Sep 17 00:00:00 2001
From: Samuel Arogbonlo <47984109+samuelarogbonlo@users.noreply.github.com>
Date: Fri, 17 Jan 2025 19:28:43 +0100
Subject: [PATCH] feat: add support for custom monitoring metrics writer role (#2239)

Signed-off-by: samuelarogbonlo
Co-authored-by: Andrew Peabody
---
 README.md | 1 +
 autogen/main/sa.tf.tmpl | 2 +-
 autogen/main/variables.tf.tmpl | 10 ++++++++++
 modules/beta-autopilot-private-cluster/README.md | 1 +
 modules/beta-autopilot-private-cluster/sa.tf | 2 +-
 modules/beta-autopilot-private-cluster/variables.tf | 10 ++++++++++
 modules/beta-autopilot-public-cluster/README.md | 1 +
 modules/beta-autopilot-public-cluster/sa.tf | 2 +-
 modules/beta-autopilot-public-cluster/variables.tf | 10 ++++++++++
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/sa.tf | 2 +-
 .../beta-private-cluster-update-variant/variables.tf | 10 ++++++++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/sa.tf | 2 +-
 modules/beta-private-cluster/variables.tf | 10 ++++++++++
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/sa.tf | 2 +-
 .../beta-public-cluster-update-variant/variables.tf | 10 ++++++++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/sa.tf | 2 +-
 modules/beta-public-cluster/variables.tf | 10 ++++++++++
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/sa.tf | 2 +-
 modules/private-cluster-update-variant/variables.tf | 10 ++++++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/sa.tf | 2 +-
 modules/private-cluster/variables.tf | 10 ++++++++++
 sa.tf | 2 +-
 terraform-google-kubernetes-engine | 1 +
 variables.tf | 10 ++++++++++
 30 files changed, 120 insertions(+), 10 deletions(-)
 create mode 160000 terraform-google-kubernetes-engine

diff --git a/README.md b/README.md
index 14097a8e46..fa1b8179b2 100644
--- a/README.md
+++ b/README.md
@@ -212,6 +212,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index bf1beb8f69..a43d31957d 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 888466a768..9a2462408a 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -1032,3 +1032,13 @@ variable "logging_variant" {
 default = null
 }
 {% endif %}
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index acd8f48d86..962ab2dd8a 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
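Review bot: Once `role` on `google_project_iam_member.cluster_service_account_metric_writer` reads `var.monitoring_metric_writer_role`, an operator who later changes that value gets a destroy-then-create of the binding (the provider treats `role` as part of the resource identity), so the node service account holds no metric-writer grant between the revoke and the new grant and metric writes in that window are refused. Adding `lifecycle { create_before_destroy = true }` to this resource makes the replacement binding exist before the old one is removed. The same applies to the generated copies of this hunk in every modules/*/sa.tf and the root sa.tf in this commit; they are produced from this template, so the change belongs here followed by regeneration rather than hand edits.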
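Review bot: The validation regex in the added `monitoring_metric_writer_role` block rejects organization-level custom roles (`organizations/<ORG_ID>/roles/<ROLE_ID>`), which are the usual way to define a narrowed metric-writer role once and reuse it across projects, and the error_message likewise names only the two accepted forms. A condition that accepts all three is `condition = can(regex("^(roles/[a-zA-Z0-9_.]+|(projects/[a-zA-Z0-9-]+|organizations/[0-9]+)/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))`, with the error_message extended to mention `organizations/*/roles/*`. The description should also state the least-privilege intent and the floor the role must meet, e.g. `description = "IAM role bound to the node service account for writing metrics. Intended for substituting a narrower custom role for roles/monitoring.metricWriter; it must still grant monitoring.timeSeries.create."`. This block is copied verbatim into every modules/*/variables.tf and the root variables.tf in this commit; those are generated from this template, so fix it here and regenerate.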
@@ -129,6 +129,7 @@ Then perform the following commands on the root folder:
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
index 8082a60312..9e932179ff 100644
--- a/modules/beta-autopilot-private-cluster/sa.tf
+++ b/modules/beta-autopilot-private-cluster/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 1673498087..bc3957f3a3 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -597,3 +597,13 @@ variable "logging_variant" {
 type = string
 default = null
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index d2bc7c0806..7d48084d7d 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -119,6 +119,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf
index 8082a60312..9e932179ff 100644
--- a/modules/beta-autopilot-public-cluster/sa.tf
+++ b/modules/beta-autopilot-public-cluster/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index ed82dc3f09..e50ac78ee1 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -561,3 +561,13 @@ variable "logging_variant" {
 type = string
 default = null
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index ced7bfc6d5..d2fef2078f 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -255,6 +255,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
index 8082a60312..9e932179ff 100644
--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 160af23f15..34e129e27f 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -968,3 +968,13 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index f281dfb5b9..540a4da441 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -233,6 +233,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index 8082a60312..9e932179ff 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 160af23f15..34e129e27f 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -968,3 +968,13 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index a9462dee5b..360d08ebf8 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -245,6 +245,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
index 8082a60312..9e932179ff 100644
--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 540e0fbad3..122e24ba83 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -932,3 +932,13 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index dbbf75fd13..d54c292318 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -223,6 +223,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index 8082a60312..9e932179ff 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 540e0fbad3..122e24ba83 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -932,3 +932,13 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 8f36ed9ec3..36807f549b 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -244,6 +244,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index a8923ce1db..7002dcce9f 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index c691a887ac..56a5f35b85 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -902,3 +902,13 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 131f07aeac..88048498dc 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -222,6 +222,7 @@ Then perform the following commands on the root folder:
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_metric\_writer\_role | The monitoring metrics writer role to assign to the GKE node service account | `string` | `"roles/monitoring.metricWriter"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index a8923ce1db..7002dcce9f 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index c691a887ac..56a5f35b85 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -902,3 +902,13 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
diff --git a/sa.tf b/sa.tf
index a8923ce1db..7002dcce9f 100644
--- a/sa.tf
+++ b/sa.tf
@@ -56,7 +56,7 @@ resource "google_project_iam_member" "cluster_service_account_node_service_accou
 resource "google_project_iam_member" "cluster_service_account_metric_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/monitoring.metricWriter"
+ role = var.monitoring_metric_writer_role
 member = google_service_account.cluster_service_account[0].member
 }
 
diff --git a/terraform-google-kubernetes-engine b/terraform-google-kubernetes-engine
new file mode 160000
index 0000000000..70a28a04e8
--- /dev/null
+++ b/terraform-google-kubernetes-engine
@@ -0,0 +1 @@
+Subproject commit 70a28a04e870f2cbc2c6bc3f20ff2bd6ae0b15a9
diff --git a/variables.tf b/variables.tf
index 989b8d89f9..339005ff11 100644
--- a/variables.tf
+++ b/variables.tf
@@ -866,3 +866,13 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "monitoring_metric_writer_role" {
+ description = "The monitoring metrics writer role to assign to the GKE node service account"
+ type = string
+ default = "roles/monitoring.metricWriter"
+ validation {
+ condition = can(regex("^(roles/[a-zA-Z0-9_.]+|projects/[a-zA-Z0-9-]+/roles/[a-zA-Z0-9_.]+)$", var.monitoring_metric_writer_role))
+ error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
+ }
+}
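Review bot: The new gitlink `terraform-google-kubernetes-engine` (`new file mode 160000`, `+Subproject commit 70a28a04e870f2cbc2c6bc3f20ff2bd6ae0b15a9`) at the repository root looks like an accidentally committed nested checkout rather than part of this feature: nothing in the diffstat adds a `.gitmodules` entry for it, so a clone with `--recurse-submodules` cannot resolve it, and a dangling gitlink carrying the module's own name makes it harder for anyone auditing what the published module actually contains. It should be dropped from the commit with `git rm --cached terraform-google-kubernetes-engine` before merge.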