feat: update GKE module #110

Closed
wants to merge 24 commits into from
b23ae47
update changelog
lzianekhodja-aneo Oct 23, 2023
6da5c0f
Update module GKE to use standard GKE as default Kubernetes
lzianekhodja-aneo Oct 23, 2023
bdc6bf9
terraform-docs: automated action
github-actions[bot] Oct 23, 2023
b1c103d
Update module GKE to use standard GKE as default Kubernetes
lzianekhodja-aneo Oct 23, 2023
5353ce6
Merge branch 'LZK/GKE' of github.com:aneoconsulting/Armonik.Infra int…
lzianekhodja-aneo Oct 24, 2023
dab9e2d
fix node_pools for GKE standard
lzianekhodja-aneo Oct 26, 2023
5cc4329
fix node_pools for GKE
lzianekhodja-aneo Oct 26, 2023
8b94d43
fix default node_pools for GKE
lzianekhodja-aneo Oct 26, 2023
25aa24e
update default node_pools for GKE
lzianekhodja-aneo Oct 26, 2023
bdf7de4
Merge with main
lzianekhodja-aneo Nov 2, 2023
947630d
terraform-docs: automated action
github-actions[bot] Nov 2, 2023
967fb1d
Merge with main
lzianekhodja-aneo Nov 2, 2023
4528333
Merge remote-tracking branch 'origin/LZK/GKE' into LZK/GKE
lzianekhodja-aneo Nov 2, 2023
46864a5
Fix KMS permission for GKE
lzianekhodja-aneo Nov 3, 2023
c443845
terraform-docs: automated action
github-actions[bot] Nov 3, 2023
0ea32d3
Version v29.0.0 for GKE
lzianekhodja-aneo Nov 9, 2023
2f44acd
Merge remote-tracking branch 'origin/LZK/GKE' into LZK/GKE
lzianekhodja-aneo Nov 9, 2023
11f34ba
terraform-docs: automated action
github-actions[bot] Nov 9, 2023
0bbee77
Test
lzianekhodja-aneo Nov 10, 2023
bb683df
Merge remote-tracking branch 'origin/LZK/GKE' into LZK/GKE
lzianekhodja-aneo Nov 10, 2023
459f3dc
terraform-docs: automated action
github-actions[bot] Nov 10, 2023
cc90c7d
Version 28.0.0 for GKE
lzianekhodja-aneo Nov 10, 2023
52ad888
Merge remote-tracking branch 'origin/LZK/GKE' into LZK/GKE
lzianekhodja-aneo Nov 10, 2023
aedf219
terraform-docs: automated action
github-actions[bot] Nov 10, 2023
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,8 @@ Added
* Configure and authorize Artifact Registry service account, Kubernetes service account, Cloud Storage service account and
Memorystore for Redis service account to use Cloud KMS key.
* Add parameters `adapter_class_name` and `adapter_absolute_path` in ActiveMQ module.
* Add variable in modules of Redis and AWS Elasticache for Redis `max_memory_samples` which the number of samples to check
for every eviction.

## [0.2.1](https://github.com/aneoconsulting/ArmoniK.Infra/releases/tag/0.2.1) (2023-10-09)

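Review bot: the `max_memory_samples` bullet at the end of the Added list is missing a verb ("which the number of samples" should read "which is the number of samples"), and nothing in this hunk records what this PR changes in the GKE module itself: the move from the beta-* submodules to the GA ones at 28.0.0, the `autopilot` default flipping from `true` to `false`, and the removal of inputs such as `istio`, `sandbox_enabled`, `enable_confidential_nodes` and `cloudrun`. Those are breaking for existing callers and belong in a Changed/Removed entry rather than being left implicit.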
22 changes: 5 additions & 17 deletions kubernetes/gcp/gke/README.md
Expand Up @@ -32,10 +32,10 @@ This module deploy:

| Name | Source | Version |
|------|--------|---------|
| <a name="module_autopilot"></a> [autopilot](#module\_autopilot) | terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster | 27.0.0 |
| <a name="module_gke"></a> [gke](#module\_gke) | terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster | 27.0.0 |
| <a name="module_private_autopilot"></a> [private\_autopilot](#module\_private\_autopilot) | terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster | 27.0.0 |
| <a name="module_private_gke"></a> [private\_gke](#module\_private\_gke) | terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster | 27.0.0 |
| <a name="module_autopilot"></a> [autopilot](#module\_autopilot) | terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster | 28.0.0 |
| <a name="module_gke"></a> [gke](#module\_gke) | terraform-google-modules/kubernetes-engine/google | 28.0.0 |
| <a name="module_private_autopilot"></a> [private\_autopilot](#module\_private\_autopilot) | terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster | 28.0.0 |
| <a name="module_private_gke"></a> [private\_gke](#module\_private\_gke) | terraform-google-modules/kubernetes-engine/google//modules/private-cluster | 28.0.0 |

## Resources

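Review bot: the `gke` and `private_gke` sources move from `//modules/beta-public-cluster` and `//modules/beta-private-cluster` to the root module and `//modules/private-cluster`, while both autopilot sources stay on their beta-* variants. That asymmetry deserves a one-line note in the README, because beta-only inputs still accepted on the autopilot path will be rejected on the standard path. This file is produced by terraform-docs (see the `terraform-docs: automated action` commits), so the source strings and the 28.0.0 pin should be verified in main.tf rather than edited here.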
Expand All @@ -55,16 +55,13 @@ This module deploy:
| <a name="input_add_master_webhook_firewall_rules"></a> [add\_master\_webhook\_firewall\_rules](#input\_add\_master\_webhook\_firewall\_rules) | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports`. | `bool` | `false` | no |
| <a name="input_add_shadow_firewall_rules"></a> [add\_shadow\_firewall\_rules](#input\_add\_shadow\_firewall\_rules) | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| <a name="input_authenticator_security_group"></a> [authenticator\_security\_group](#input\_authenticator\_security\_group) | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format `[email protected]`. | `string` | `null` | no |
| <a name="input_autopilot"></a> [autopilot](#input\_autopilot) | Create autopilot GKE cluster. | `bool` | `true` | no |
| <a name="input_cloudrun"></a> [cloudrun](#input\_cloudrun) | (Beta) Enable CloudRun addon. | `bool` | `false` | no |
| <a name="input_cloudrun_load_balancer_type"></a> [cloudrun\_load\_balancer\_type](#input\_cloudrun\_load\_balancer\_type) | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
| <a name="input_autopilot"></a> [autopilot](#input\_autopilot) | Create autopilot GKE cluster. | `bool` | `false` | no |
| <a name="input_cluster_autoscaling"></a> [cluster\_autoscaling](#input\_cluster\_autoscaling) | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling). For `disk_tye` see [Persistent Disk types](https://cloud.google.com/compute/docs/disks#disk-types). | <pre>object({<br> enabled = bool<br> autoscaling_profile = string<br> auto_repair = bool<br> auto_upgrade = bool<br> disk_size = number<br> disk_type = string<br> gpu_resources = list(object({<br> resource_type = string<br> minimum = number<br> maximum = number<br> }))<br> min_cpu_cores = number<br> max_cpu_cores = number<br> min_memory_gb = number<br> max_memory_gb = number<br> })</pre> | <pre>{<br> "auto_repair": true,<br> "auto_upgrade": true,<br> "autoscaling_profile": "BALANCED",<br> "disk_size": 100,<br> "disk_type": "pd-standard",<br> "enabled": false,<br> "gpu_resources": [],<br> "max_cpu_cores": 0,<br> "max_memory_gb": 0,<br> "min_cpu_cores": 0,<br> "min_memory_gb": 0<br>}</pre> | no |
| <a name="input_cluster_dns_domain"></a> [cluster\_dns\_domain](#input\_cluster\_dns\_domain) | The suffix used for all cluster service records. | `string` | `""` | no |
| <a name="input_cluster_dns_provider"></a> [cluster\_dns\_provider](#input\_cluster\_dns\_provider) | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
| <a name="input_cluster_dns_scope"></a> [cluster\_dns\_scope](#input\_cluster\_dns\_scope) | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
| <a name="input_cluster_ipv4_cidr"></a> [cluster\_ipv4\_cidr](#input\_cluster\_ipv4\_cidr) | The IP address range of the Kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
| <a name="input_cluster_resource_labels"></a> [cluster\_resource\_labels](#input\_cluster\_resource\_labels) | The GCE resource labels (a map of key/value pairs) to be applied to the cluster. | `map(string)` | `{}` | no |
| <a name="input_cluster_telemetry_type"></a> [cluster\_telemetry\_type](#input\_cluster\_telemetry\_type) | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY. | `string` | `null` | no |
| <a name="input_config_connector"></a> [config\_connector](#input\_config\_connector) | (Beta) Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no |
| <a name="input_configure_ip_masq"></a> [configure\_ip\_masq](#input\_configure\_ip\_masq) | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
| <a name="input_database_encryption"></a> [database\_encryption](#input\_database\_encryption) | Application-layer Secrets Encryption settings. Valid values of state are: "ENCRYPTED"; "DECRYPTED". | <pre>list(object({<br> state = string<br> key_name = string<br> }))</pre> | <pre>[<br> {<br> "key_name": "",<br> "state": "DECRYPTED"<br> }<br>]</pre> | no |
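Review bot: `autopilot` now defaults to `false` instead of `true`, so any caller that relied on the default will have its cluster replaced by a Standard cluster on the next apply; that needs a prominent changelog entry and arguably a major version bump of this module. The same hunk drops `cloudrun`, `cloudrun_load_balancer_type` and `config_connector` with no deprecation note. Minor, visible in context: the `cluster_autoscaling` description still says `disk_tye`; fix it in the variable's `description` so terraform-docs regenerates it correctly.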
Expand All @@ -76,14 +73,9 @@ This module deploy:
| <a name="input_disable_legacy_metadata_endpoints"></a> [disable\_legacy\_metadata\_endpoints](#input\_disable\_legacy\_metadata\_endpoints) | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| <a name="input_dns_cache"></a> [dns\_cache](#input\_dns\_cache) | The status of the NodeLocal DNSCache addon. | `bool` | `null` | no |
| <a name="input_enable_binary_authorization"></a> [enable\_binary\_authorization](#input\_enable\_binary\_authorization) | Enable BinAuthZ Admission controller. | `bool` | `false` | no |
| <a name="input_enable_confidential_nodes"></a> [enable\_confidential\_nodes](#input\_enable\_confidential\_nodes) | An optional flag to enable confidential node config. | `bool` | `false` | no |
| <a name="input_enable_cost_allocation"></a> [enable\_cost\_allocation](#input\_enable\_cost\_allocation) | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery. | `bool` | `true` | no |
| <a name="input_enable_identity_service"></a> [enable\_identity\_service](#input\_enable\_identity\_service) | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
| <a name="input_enable_intranode_visibility"></a> [enable\_intranode\_visibility](#input\_enable\_intranode\_visibility) | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network. | `bool` | `false` | no |
| <a name="input_enable_kubernetes_alpha"></a> [enable\_kubernetes\_alpha](#input\_enable\_kubernetes\_alpha) | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
| <a name="input_enable_l4_ilb_subsetting"></a> [enable\_l4\_ilb\_subsetting](#input\_enable\_l4\_ilb\_subsetting) | Enable L4 ILB Subsetting on the cluster. Used when `beta` set to `true`. | `bool` | `false` | no |
| <a name="input_enable_network_egress_export"></a> [enable\_network\_egress\_export](#input\_enable\_network\_egress\_export) | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
| <a name="input_enable_pod_security_policy"></a> [enable\_pod\_security\_policy](#input\_enable\_pod\_security\_policy) | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0.Used when `beta` set to `true`. | `bool` | `false` | no |
| <a name="input_enable_resource_consumption_export"></a> [enable\_resource\_consumption\_export](#input\_enable\_resource\_consumption\_export) | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| <a name="input_enable_shielded_nodes"></a> [enable\_shielded\_nodes](#input\_enable\_shielded\_nodes) | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
| <a name="input_enable_tpu"></a> [enable\_tpu](#input\_enable\_tpu) | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! Used when `beta` set to `true`. | `bool` | `false` | no |
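Review bot: this hunk removes four hardening-related inputs: `enable_confidential_nodes`, `enable_identity_service`, `enable_intranode_visibility` and `enable_pod_security_policy`. Confidential Nodes and intra-node visibility are controls operators use to tighten a cluster, so dropping them from the module surface silently narrows what can be enabled. If the GA submodule at 28.0.0 still exposes them, keep the pass-through; if not, state in the changelog that they are no longer configurable through this module. Dropping `enable_pod_security_policy` is reasonable given its own description says PSP was removed from GKE >= 1.25.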
Expand All @@ -104,9 +96,6 @@ This module deploy:
| <a name="input_ip_range_pods"></a> [ip\_range\_pods](#input\_ip\_range\_pods) | The name of the secondary subnet ip range to use for Kubernetes pods. | `string` | n/a | yes |
| <a name="input_ip_range_services"></a> [ip\_range\_services](#input\_ip\_range\_services) | The name of the secondary subnet range to use for Kubernetes services. | `string` | n/a | yes |
| <a name="input_issue_client_certificate"></a> [issue\_client\_certificate](#input\_issue\_client\_certificate) | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| <a name="input_istio"></a> [istio](#input\_istio) | (Beta) Enable Istio addon. | `bool` | `false` | no |
| <a name="input_istio_auth"></a> [istio\_auth](#input\_istio\_auth) | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
| <a name="input_kalm_config"></a> [kalm\_config](#input\_kalm\_config) | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
| <a name="input_kubeconfig_path"></a> [kubeconfig\_path](#input\_kubeconfig\_path) | Path to save the kubeconfig file. | `string` | `null` | no |
| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
| <a name="input_logging_enabled_components"></a> [logging\_enabled\_components](#input\_logging\_enabled\_components) | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
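Review bot: `istio`, `istio_auth` (default `AUTH_MUTUAL_TLS`) and `kalm_config` disappear here. Anyone who enabled Istio through this module for service-to-service mTLS loses that setting on upgrade, with nothing more helpful than an unsupported-argument error at plan time; list the removal in the changelog together with the recommended replacement.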
Expand Down Expand Up @@ -145,7 +134,6 @@ This module deploy:
| <a name="input_release_channel"></a> [release\_channel](#input\_release\_channel) | The release channel of this cluster. This allows you to opt for the alpha releases as part of the `RAPID` option, `REGULAR` for standard release needs and `STABLE` when the tried-and-tested version becomes available. | `string` | `"REGULAR"` | no |
| <a name="input_remove_default_node_pool"></a> [remove\_default\_node\_pool](#input\_remove\_default\_node\_pool) | Remove default node pool while setting up the cluster. | `bool` | `true` | no |
| <a name="input_resource_usage_export_dataset_id"></a> [resource\_usage\_export\_dataset\_id](#input\_resource\_usage\_export\_dataset\_id) | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| <a name="input_sandbox_enabled"></a> [sandbox\_enabled](#input\_sandbox\_enabled) | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| <a name="input_service_external_ips"></a> [service\_external\_ips](#input\_service\_external\_ips) | Whether external ips specified by a service will be allowed in this cluster. | `bool` | `false` | no |
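Review bot: `sandbox_enabled` (GKE Sandbox, the gVisor isolation layer for node workloads) is removed in this hunk; like the other dropped inputs it should be named in the changelog. Also visible in context: the `service_account` description reads "should already exists"; since this README is generated, fix the wording in the variable's `description` in variables.tf.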
4 changes: 2 additions & 2 deletions kubernetes/gcp/gke/examples/complete/autopilot/README.md
Expand Up @@ -21,7 +21,7 @@ terraform destroy
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_external"></a> [external](#requirement\_external) | ~> 2.3.1 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.75.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.75.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.4.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.1 |

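Review bot: the google provider constraint widens from `~> 4.75.0` to `>= 4.75.0`, which removes the upper bound; this table is generated from versions.tf, so the constraint itself should be decided there, but the README will need regenerating once it is.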
Expand All @@ -30,7 +30,7 @@ terraform destroy
| Name | Version |
|------|---------|
| <a name="provider_external"></a> [external](#provider\_external) | ~> 2.3.1 |
| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.75.0 |
| <a name="provider_google"></a> [google](#provider\_google) | >= 4.75.0 |
| <a name="provider_local"></a> [local](#provider\_local) | ~> 2.4.0 |
| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.2.1 |

7 changes: 4 additions & 3 deletions kubernetes/gcp/gke/examples/complete/autopilot/main.tf
Expand Up @@ -66,8 +66,8 @@ module "gke" {
key_name = ""
}
]
description = "Test GKE Autopilot with beta functionalities."
enable_confidential_nodes = true
description = "Test GKE Autopilot with beta functionalities."
# enable_confidential_nodes = true
grant_registry_access = true # default value
horizontal_pod_autoscaling = true
http_load_balancing = true # default value
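Review bot: `enable_confidential_nodes = true` is commented out rather than deleted, so the example now demonstrates a less hardened cluster while its `description` still advertises "beta functionalities". Either remove the dead line and update the description, or keep Confidential Nodes on if the autopilot submodule at 28.0.0 accepts the input. If the intent is to re-enable it later, say why in the comment; parked configuration with no explanation tends to rot.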
Expand All @@ -77,6 +77,7 @@ module "gke" {
display_name = "External"
}
]
private = false # public autopilot GKE
private = false # public
autopilot = true # autopilot GKE
workload_config_audit_mode = "BASIC"
}
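Review bot: adding `autopilot = true` explicitly is required now that the module default is `false`, so this is correct. The `private = false # public` line only loses the word "autopilot" from its comment, which is churn worth dropping from the diff. Consider stating in the example README that `autopilot = true` must now be set, since users copying older examples will otherwise get a Standard cluster.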
2 changes: 1 addition & 1 deletion kubernetes/gcp/gke/examples/complete/autopilot/versions.tf
Expand Up @@ -8,7 +8,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 4.75.0"
version = ">= 4.75.0"
}
local = {
source = "hashicorp/local"
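Review bot: `version = ">= 4.75.0"` has no upper bound, so a fresh `terraform init` will select whatever the latest major of the google provider is, including 5.x, whose breaking changes can make this example stop working without any change to the example itself. Prefer a bounded range such as `>= 4.75.0, < 6.0.0`, with the upper bound aligned to what the kubernetes-engine 28.0.0 module itself declares, and commit the example's lock file if reproducibility matters.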
4 changes: 2 additions & 2 deletions kubernetes/gcp/gke/examples/complete/standard/README.md
Expand Up @@ -21,7 +21,7 @@ terraform destroy
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_external"></a> [external](#requirement\_external) | ~> 2.3.1 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.75.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.75.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.4.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.1 |

Expand All @@ -30,7 +30,7 @@ terraform destroy
| Name | Version |
|------|---------|
| <a name="provider_external"></a> [external](#provider\_external) | ~> 2.3.1 |
| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.75.0 |
| <a name="provider_google"></a> [google](#provider\_google) | >= 4.75.0 |
| <a name="provider_local"></a> [local](#provider\_local) | ~> 2.4.0 |
| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.2.1 |

37 changes: 18 additions & 19 deletions kubernetes/gcp/gke/examples/complete/standard/main.tf
Expand Up @@ -64,7 +64,6 @@ module "gke" {
subnetwork = module.vpc.gke_subnet_name
subnetwork_cidr = module.vpc.gke_subnet_cidr_block
kubeconfig_path = abspath("${path.root}/generated/kubeconfig")
autopilot = false
cluster_autoscaling = {
# default value
enabled = false
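Review bot: removing `autopilot = false` here relies on the default that this same PR flips. Keeping the line explicit costs nothing and makes the standard example self-describing regardless of what the default becomes next; I would keep it.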
Expand All @@ -88,21 +87,21 @@ module "gke" {
key_name = ""
}
]
default_max_pods_per_node = 256
description = "Test GKE Standard with beta functionalities."
enable_confidential_nodes = true
enable_identity_service = true
enable_intranode_visibility = true
enable_shielded_nodes = true # default value
filestore_csi_driver = true
gce_pd_csi_driver = true
gke_backup_agent_config = true
grant_registry_access = true # default value
horizontal_pod_autoscaling = true
http_load_balancing = true # default value
initial_node_count = 0 # default value
istio = true
logging_enabled_components = ["SYSTEM_COMPONENTS"]
default_max_pods_per_node = 256
description = "Test GKE Standard with beta functionalities."
# enable_confidential_nodes = true
# enable_identity_service = true
# enable_intranode_visibility = true
enable_shielded_nodes = true # default value
filestore_csi_driver = true
gce_pd_csi_driver = true
gke_backup_agent_config = true
grant_registry_access = true # default value
horizontal_pod_autoscaling = true
http_load_balancing = true # default value
initial_node_count = 0 # default value
# istio = true
logging_enabled_components = ["SYSTEM_COMPONENTS"]
master_authorized_networks = [
{
cidr_block = "0.0.0.0/0"
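Review bot: `enable_confidential_nodes`, `enable_identity_service`, `enable_intranode_visibility` and `istio` are commented out rather than removed, and the `description` still says "beta functionalities" although the beta options are exactly what is being disabled. Delete the dead lines (or explain in a comment why they are parked) and update the description. From a hardening standpoint, losing Confidential Nodes and intra-node visibility from the reference example matters because these are the settings users copy; keep whichever ones the 28.0.0 root module still accepts. Visible in context: `master_authorized_networks` allows `0.0.0.0/0`, which is acceptable for a throwaway test cluster but deserves a comment saying so, since this file is the template people start from.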
Expand Down Expand Up @@ -144,9 +143,9 @@ module "gke" {
"tag-${null_resource.timestamp.triggers["date"]}"
]
}
private = false # public Standard GKE
remove_default_node_pool = true # default value
sandbox_enabled = true
private = false # public Standard GKE
remove_default_node_pool = true # default value
# sandbox_enabled = true
windows_node_pools = [] # default value
workload_config_audit_mode = "BASIC"
}
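Review bot: `sandbox_enabled = true` becomes a comment; either delete it or state why it is kept. GKE Sandbox is an isolation control, so if the example drops it deliberately, the example README should say that sandboxing is no longer exercised here.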
2 changes: 1 addition & 1 deletion kubernetes/gcp/gke/examples/complete/standard/versions.tf
Expand Up @@ -8,7 +8,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 4.75.0"
version = ">= 4.75.0"
}
local = {
source = "hashicorp/local"
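Review bot: same unbounded `>= 4.75.0` constraint as in the autopilot example; a future major release of the google provider will be picked up silently on a fresh init. Use a bounded range (for example `>= 4.75.0, < 6.0.0`) that matches the kubernetes-engine 28.0.0 module's own requirement, and keep both examples' versions.tf in step.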