feat: support database encryption and google group rbac for autopilot (#1265)

* feat: database encryption and google rbac for autopilot

* chore: cleanup ordering

* chore: cleanup ordering vars

* chore: more cleanup

Author: jmymy

Diff for: autogen/main/cluster.tf.tmpl

@@ -382,6 +382,7 @@ resource "google_container_cluster" "primary" {
 
   {% if autopilot_cluster != true %}
   remove_default_node_pool = var.remove_default_node_pool
+  {% endif %}
 
   dynamic "database_encryption" {
     for_each = var.database_encryption
@@ -392,6 +393,7 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  {% if autopilot_cluster != true %}
   dynamic "workload_identity_config" {
     for_each = local.cluster_workload_identity_config
 
@@ -401,14 +403,13 @@ resource "google_container_cluster" "primary" {
   }
   {% endif %}
 
-  {% if autopilot_cluster != true %}
   dynamic "authenticator_groups_config" {
     for_each = local.cluster_authenticator_security_group
     content {
       security_group = authenticator_groups_config.value.security_group
     }
   }
-  {% endif %}
+
   {% if beta_cluster %}
   notification_config {
     pubsub {

Diff for: autogen/main/variables.tf.tmpl

@@ -540,6 +540,7 @@ variable "default_max_pods_per_node" {
   default     = 110
 }
 
+{% endif %}
 variable "database_encryption" {
   description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
   type        = list(object({ state = string, key_name = string }))
@@ -550,6 +551,7 @@ variable "database_encryption" {
   }]
 }
 
+{% if autopilot_cluster != true %}
 variable "enable_shielded_nodes" {
   type        = bool
   description = "Enable Shielded Nodes features on all nodes in this cluster"

Diff for: cluster.tf

@@ -222,6 +222,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
 }
 /******************************************
   Create Container Cluster node pools

Diff for: modules/beta-autopilot-private-cluster/README.md

@@ -77,6 +77,7 @@ Then perform the following commands on the root folder:
 | cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br>  {<br>    "key_name": "",<br>    "state": "DECRYPTED"<br>  }<br>]</pre> | no |
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |

Diff for: modules/beta-autopilot-private-cluster/cluster.tf

@@ -168,6 +168,23 @@ resource "google_container_cluster" "primary" {
   }
 
 
+  dynamic "database_encryption" {
+    for_each = var.database_encryption
+
+    content {
+      key_name = database_encryption.value.key_name
+      state    = database_encryption.value.state
+    }
+  }
+
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
+  }
+
   notification_config {
     pubsub {
       enabled = var.notification_config_topic != "" ? true : false

Diff for: modules/beta-autopilot-private-cluster/variables.tf

@@ -372,3 +372,13 @@ variable "enable_tpu" {
   description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
   default     = false
 }
+variable "database_encryption" {
+  description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+  type        = list(object({ state = string, key_name = string }))
+
+  default = [{
+    state    = "DECRYPTED"
+    key_name = ""
+  }]
+}
+

Diff for: modules/beta-autopilot-public-cluster/README.md

@@ -71,6 +71,7 @@ Then perform the following commands on the root folder:
 | cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br>  {<br>    "key_name": "",<br>    "state": "DECRYPTED"<br>  }<br>]</pre> | no |
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |

Diff for: modules/beta-autopilot-public-cluster/cluster.tf

@@ -149,6 +149,23 @@ resource "google_container_cluster" "primary" {
 
 
 
+  dynamic "database_encryption" {
+    for_each = var.database_encryption
+
+    content {
+      key_name = database_encryption.value.key_name
+      state    = database_encryption.value.state
+    }
+  }
+
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
+  }
+
   notification_config {
     pubsub {
       enabled = var.notification_config_topic != "" ? true : false

Diff for: modules/beta-autopilot-public-cluster/variables.tf

@@ -341,3 +341,13 @@ variable "enable_tpu" {
   description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
   default     = false
 }
+variable "database_encryption" {
+  description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+  type        = list(object({ state = string, key_name = string }))
+
+  default = [{
+    state    = "DECRYPTED"
+    key_name = ""
+  }]
+}
+

Diff for: modules/beta-private-cluster-update-variant/cluster.tf

@@ -355,6 +355,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
   notification_config {
     pubsub {
       enabled = var.notification_config_topic != "" ? true : false

Diff for: modules/beta-private-cluster/cluster.tf

@@ -355,6 +355,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
   notification_config {
     pubsub {
       enabled = var.notification_config_topic != "" ? true : false

Diff for: modules/beta-public-cluster-update-variant/cluster.tf

@@ -336,6 +336,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
   notification_config {
     pubsub {
       enabled = var.notification_config_topic != "" ? true : false

Diff for: modules/beta-public-cluster/cluster.tf

@@ -336,6 +336,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
   notification_config {
     pubsub {
       enabled = var.notification_config_topic != "" ? true : false

Diff for: modules/private-cluster-update-variant/cluster.tf

@@ -235,6 +235,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
 }
 /******************************************
   Create Container Cluster node pools

Diff for: modules/private-cluster/cluster.tf

@@ -235,6 +235,7 @@ resource "google_container_cluster" "primary" {
       security_group = authenticator_groups_config.value.security_group
     }
   }
+
 }
 /******************************************
   Create Container Cluster node pools