feat: Enable enable_l4_ilb_subsetting Feature and Cost Allocation in …

…GKE Module | DEVOP-4599 (#123)

* feat: Enable enable_l4_ilb_subsetting feature

* fix: update workflow name

.github/workflows/semantic-pr.yaml

@@ -1,4 +1,4 @@
-name: "Semantic Pull Request"
+name: "semantic-pull-request"
 permissions: read-all
 
 on:
@@ -10,10 +10,10 @@ on:
 
 jobs:
   main:
-    name: Semantic Pull Request
+    name: semantic-pull-request
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v4
+      - uses: amannn/action-semantic-pull-request@v5
         name: Semantic Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.pre-commit-config.yaml

@@ -2,14 +2,14 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   -   repo: https://github.com/pre-commit/pre-commit-hooks
-      rev: v4.4.0 # Get the latest version from: https://github.com/pre-commit/pre-commit-hooks/releases
+      rev: v4.6.0 # Get the latest version from: https://github.com/pre-commit/pre-commit-hooks/releases
       hooks:
         -   id: trailing-whitespace
         -   id: end-of-file-fixer
         -   id: check-yaml
         -   id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

README.md

@@ -50,7 +50,7 @@ role in the shared VPC host project.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
 
 ## Modules
 
@@ -71,6 +71,8 @@ role in the shared VPC host project.
 | <a name="input_create_gcp_nat"></a> [create\_gcp\_nat](#input\_create\_gcp\_nat) | Set to `true` to create an Internet NAT for ALL\_SUBNETWORKS\_ALL\_IP\_RANGES in the VPC network. | `bool` | n/a | yes |
 | <a name="input_create_gcp_router"></a> [create\_gcp\_router](#input\_create\_gcp\_router) | Set to `true` to create a router in the VPC network. | `bool` | n/a | yes |
 | <a name="input_create_public_https_firewall_rule"></a> [create\_public\_https\_firewall\_rule](#input\_create\_public\_https\_firewall\_rule) | Set to `true` to create a firewall rule allowing 0.0.0.0/0:443 on TCP to all worker nodes. | `bool` | n/a | yes |
+| <a name="input_enable_cost_allocation_feature"></a> [enable\_cost\_allocation\_feature](#input\_enable\_cost\_allocation\_feature) | Whether to enable the cost allocation feature. | `bool` | `false` | no |
+| <a name="input_enable_l4_ilb_subsetting"></a> [enable\_l4\_ilb\_subsetting](#input\_enable\_l4\_ilb\_subsetting) | Enable L4 ILB Subsetting | `bool` | `false` | no |
 | <a name="input_enable_network_policy"></a> [enable\_network\_policy](#input\_enable\_network\_policy) | This value is passed to network\_policy.enabled and the negative is passed to addons\_config.network\_policy\_config.disabled. This might conflict with Workload Identity - make sure to read https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#limitations_and_requirements. | `bool` | n/a | yes |
 | <a name="input_gke_authenticator_groups_config_domain"></a> [gke\_authenticator\_groups\_config\_domain](#input\_gke\_authenticator\_groups\_config\_domain) | Domain to append to `gke-security-groups` to pass to authenticator\_groups\_config so members of that Google Group can authenticate to the cluster. Pass an empty string to disable. Domain passed here should be in the format of TLD.EXTENSION. | `string` | n/a | yes |
 | <a name="input_google_credentials"></a> [google\_credentials](#input\_google\_credentials) | Contents of a JSON keyfile of an account with write access to the project | `any` | n/a | yes |

inputs.tf

@@ -127,3 +127,15 @@ variable "subnetwork_self_link" {
   type        = string
   description = "self_link of the google_compute_subnetwork to place the GKE cluster in."
 }
+
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting"
+  default     = false
+}
+
+variable "enable_cost_allocation_feature" {
+  type        = bool
+  description = "Whether to enable the cost allocation feature."
+  default     = false
+}

main.tf

@@ -41,6 +41,8 @@ module "gke" {
   subnetwork_self_link           = var.subnetwork_self_link
   pods_ip_range_name             = var.pods_ip_range_name
   services_ip_range_name         = var.services_ip_range_name
+  enable_cost_allocation_feature = var.enable_cost_allocation_feature
+  enable_l4_ilb_subsetting       = var.enable_l4_ilb_subsetting
 
   skip_create_built_in_node_pool = true
   additional_node_pools = [

modules/gcp-gke/README.md

@@ -15,19 +15,19 @@ To run E2E tests, navigate to the [test folder](../test) and run `go test -v -ti
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.9 |
-| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.0 |
-| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | >= 4.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.8, < 2 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.0, < 6.0 |
+| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | >= 4.0, < 6.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0, < 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google.compute"></a> [google.compute](#provider\_google.compute) | >= 4.0 |
-| <a name="provider_google.vpc"></a> [google.vpc](#provider\_google.vpc) | >= 4.0 |
-| <a name="provider_google-beta.compute-beta"></a> [google-beta.compute-beta](#provider\_google-beta.compute-beta) | >= 4.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
+| <a name="provider_google.compute"></a> [google.compute](#provider\_google.compute) | >= 4.0, < 6.0 |
+| <a name="provider_google.vpc"></a> [google.vpc](#provider\_google.vpc) | >= 4.0, < 6.0 |
+| <a name="provider_google-beta.compute-beta"></a> [google-beta.compute-beta](#provider\_google-beta.compute-beta) | >= 4.0, < 6.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0, < 4.0 |
 
 ## Modules
 
@@ -66,7 +66,9 @@ To run E2E tests, navigate to the [test folder](../test) and run `go test -v -ti
 | <a name="input_create_gcp_nat"></a> [create\_gcp\_nat](#input\_create\_gcp\_nat) | Set to `true` to create an Internet NAT for ALL\_SUBNETWORKS\_ALL\_IP\_RANGES in the VPC network. | `bool` | n/a | yes |
 | <a name="input_create_gcp_router"></a> [create\_gcp\_router](#input\_create\_gcp\_router) | Set to `true` to create a router in the VPC network. | `bool` | n/a | yes |
 | <a name="input_create_public_https_firewall_rule"></a> [create\_public\_https\_firewall\_rule](#input\_create\_public\_https\_firewall\_rule) | Set to `true` to create a firewall rule allowing 0.0.0.0/0:443 on TCP to all worker nodes. | `bool` | n/a | yes |
+| <a name="input_enable_cost_allocation_feature"></a> [enable\_cost\_allocation\_feature](#input\_enable\_cost\_allocation\_feature) | Whether to enable the cost allocation feature. | `bool` | `false` | no |
 | <a name="input_enable_dataplane_v2"></a> [enable\_dataplane\_v2](#input\_enable\_dataplane\_v2) | Enable GKE DataPlane V2 for control plane.Set this value true if need to enable this feature. | `bool` | `false` | no |
+| <a name="input_enable_l4_ilb_subsetting"></a> [enable\_l4\_ilb\_subsetting](#input\_enable\_l4\_ilb\_subsetting) | Enable L4 ILB Subsetting | `bool` | `false` | no |
 | <a name="input_enable_network_policy"></a> [enable\_network\_policy](#input\_enable\_network\_policy) | This value is passed to network\_policy.enabled and the negative is passed to addons\_config.network\_policy\_config.disabled. | `bool` | n/a | yes |
 | <a name="input_gke_authenticator_groups_config_domain"></a> [gke\_authenticator\_groups\_config\_domain](#input\_gke\_authenticator\_groups\_config\_domain) | Domain to append to `gke-security-groups` to pass to authenticator\_groups\_config so members of that Google Group can authenticate to the cluster. Pass an empty string to disable. Domain passed here should be in the format of TLD.EXTENSION. | `string` | n/a | yes |
 | <a name="input_google_project"></a> [google\_project](#input\_google\_project) | The GCP project to use for this run | `any` | n/a | yes |

modules/gcp-gke/inputs.tf

@@ -184,3 +184,15 @@ variable "nat_ip_address_self_links" {
   description = "List of self links IP addresses to use for NAT"
   default     = []
 }
+
+variable "enable_l4_ilb_subsetting" {
+  type        = bool
+  description = "Enable L4 ILB Subsetting"
+  default     = false
+}
+
+variable "enable_cost_allocation_feature" {
+  type        = bool
+  description = "Whether to enable the cost allocation feature."
+  default     = false
+}

modules/gcp-gke/main.tf

@@ -1,20 +1,21 @@
 terraform {
-  required_version = ">= 1.2.9"
+  required_version = ">= 1.8, < 2"
 
   required_providers {
     google = {
-      version               = ">= 4.0"
+      version               = ">= 4.0, < 6.0"
+      source                = "hashicorp/google"
       configuration_aliases = [google.compute, google.vpc]
     }
 
     google-beta = {
-      version               = ">= 4.0"
+      version               = ">= 4.0, < 6.0"
       source                = "hashicorp/google-beta"
       configuration_aliases = [google-beta.compute-beta]
     }
 
     random = {
-      version = "~> 3.0"
+      version = ">= 3.0, < 4.0"
     }
   }
 }
@@ -58,6 +59,11 @@ resource "google_container_cluster" "primary" {
   initial_node_count       = 1
   enable_shielded_nodes    = true
   min_master_version       = var.kubernetes_version
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+  cost_management_config {
+    enabled = var.enable_cost_allocation_feature
+  }
 
   #checkov:skip=CKV_GCP_66:Property renamed from 'enable_binary_authorization' to 'binary_authorization' but Checkov not updated.
   binary_authorization {

test/gcp_gke_providers.tf

@@ -11,35 +11,13 @@ provider "google" {
   project     = var.google_project
   region      = var.google_region
   credentials = var.google_credentials
-
-  #  scopes = [
-  #    # Default scopes
-  #    "https://www.googleapis.com/auth/compute",
-  #    "https://www.googleapis.com/auth/cloud-platform",
-  #    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-  #    "https://www.googleapis.com/auth/devstorage.full_control",
-  #
-  #    # Required for google_client_openid_userinfo
-  #    "https://www.googleapis.com/auth/userinfo.email",
-  #  ]
 }
 
 provider "google" {
   alias       = "compute"
   project     = var.google_project
   region      = var.google_region
   credentials = var.google_credentials
-
-  #  scopes = [
-  #    # Default scopes
-  #    "https://www.googleapis.com/auth/compute",
-  #    "https://www.googleapis.com/auth/cloud-platform",
-  #    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-  #    "https://www.googleapis.com/auth/devstorage.full_control",
-  #
-  #    # Required for google_client_openid_userinfo
-  #    "https://www.googleapis.com/auth/userinfo.email",
-  #  ]
 }
 
 provider "google-beta" {

test/wrapper.auto.tfvars

@@ -38,9 +38,12 @@ maintenance_policy_config = [
     maintenance_recurrence = "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH"
   }
 ]
+enable_cost_allocation_feature = true
+enable_l4_ilb_subsetting       = true
+
+release_channel    = "RAPID"
+kubernetes_version = "1.30.1-gke.1156000"
 
-release_channel    = "REGULAR"
-kubernetes_version = "1.28.3-gke.1203001"
 additional_node_pools = [
   {
     name               = "highmem",
@@ -51,19 +54,5 @@ additional_node_pools = [
     taints             = []
     tags               = ["terratest"]
     zones              = ["asia-southeast2-a", "asia-southeast2-b", "asia-southeast2-c"]
-  },
-  {
-    name               = "compute",
-    machine_type       = "e2-highcpu-8"
-    minimum_node_count = 1
-    maximum_node_count = 3
-    enable_secure_boot = true
-    taints = [{
-      key    = "terratest"
-      value  = "true"
-      effect = "NO_SCHEDULE"
-    }]
-    tags  = ["terratest"]
-    zones = ["asia-southeast2-b"]
-  },
+  }
 ]