fix: use instance-groups managed tags in firewall

README.md

@@ -50,7 +50,7 @@ role in the shared VPC host project.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.2.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.3.1 |
 
 ## Modules
 
@@ -105,6 +105,7 @@ role in the shared VPC host project.
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The GKE cluster name that was built |
 | <a name="output_cluster_project"></a> [cluster\_project](#output\_cluster\_project) | The project hosting the GKE cluster. |
 | <a name="output_gke_cluster_istio_gatekeeper_firewall_rule_self_link"></a> [gke\_cluster\_istio\_gatekeeper\_firewall\_rule\_self\_link](#output\_gke\_cluster\_istio\_gatekeeper\_firewall\_rule\_self\_link) | The tags applied to the primary node pool of the GKE cluster. |
+| <a name="output_gke_cluster_all_primary_node_pool_tags"></a> [gke\_cluster\_primary\_node\_pool\_all\_tags](#output\_gke\_cluster\_primary\_node\_pool\_all\_tags) | List of tags applied to the node pool instances. This included the managed-by-GCP tags. |
 | <a name="output_gke_cluster_primary_node_pool_tag"></a> [gke\_cluster\_primary\_node\_pool\_tag](#output\_gke\_cluster\_primary\_node\_pool\_tag) | Tag applied to the node pool instances - used for network/firewall rules. |
 | <a name="output_kubernetes_endpoint"></a> [kubernetes\_endpoint](#output\_kubernetes\_endpoint) | n/a |
 | <a name="output_service_account"></a> [service\_account](#output\_service\_account) | The default service account used for running nodes. |

modules/gcp-gke/README.md

@@ -24,11 +24,11 @@ To run E2E tests, navigate to the [test folder](../test) and run `go test -v -ti
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.23.0 |
-| <a name="provider_google.compute"></a> [google.compute](#provider\_google.compute) | 4.23.0 |
-| <a name="provider_google.vpc"></a> [google.vpc](#provider\_google.vpc) | 4.23.0 |
-| <a name="provider_google-beta.compute-beta"></a> [google-beta.compute-beta](#provider\_google-beta.compute-beta) | 4.23.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.2.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.0 |
+| <a name="provider_google.compute"></a> [google.compute](#provider\_google.compute) | ~> 4.0 |
+| <a name="provider_google.vpc"></a> [google.vpc](#provider\_google.vpc) | ~> 4.0 |
+| <a name="provider_google-beta.compute-beta"></a> [google-beta.compute-beta](#provider\_google-beta.compute-beta) | ~> 4.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
 
 ## Modules
 
@@ -48,6 +48,8 @@ No modules.
 | [random_id.node_pool_tag](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [google-beta_google_client_config.default](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/data-sources/google_client_config) | data source |
 | [google-beta_google_container_cluster.current_cluster](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/data-sources/google_container_cluster) | data source |
+| [google_compute_instance.primary_node_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance) | data source |
+| [google_compute_instance_group.primary_node_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance_group) | data source |
 | [google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_cluster) | data source |
 | [google_project.host_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [google_project.service_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
@@ -88,6 +90,7 @@ No modules.
 | <a name="output_ca_certificate"></a> [ca\_certificate](#output\_ca\_certificate) | n/a |
 | <a name="output_client_token"></a> [client\_token](#output\_client\_token) | n/a |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The GKE cluster name that was built |
+| <a name="output_cluster_all_primary_node_pool_tags"></a> [cluster\_primary\_node\_pool\_all\_tags](#output\_cluster\_primary\_node\_pool\_all\_tags) | List of tags applied to the node pool instances. This included the managed-by-GCP tags. |
 | <a name="output_cluster_primary_node_pool_tag"></a> [cluster\_primary\_node\_pool\_tag](#output\_cluster\_primary\_node\_pool\_tag) | Tag applied to the node pool instances - used for network/firewall rules. |
 | <a name="output_cluster_project"></a> [cluster\_project](#output\_cluster\_project) | The project hosting the GKE cluster. |
 | <a name="output_istio_gatekeeper_firewall_rule_self_link"></a> [istio\_gatekeeper\_firewall\_rule\_self\_link](#output\_istio\_gatekeeper\_firewall\_rule\_self\_link) | The self\_link attribute of the firewall rule created to allow Gatekeeper and Istio to function. |

modules/gcp-gke/network.tf

@@ -21,7 +21,7 @@ resource "google_compute_firewall" "gke_private_cluster_istio_gatekeeper_rules"
   }
 
   source_ranges = [var.master_ipv4_cidr_block]
-  target_tags   = [local.gke_node_pool_tag]
+  target_tags   = local.all_primary_node_pool_tags
 }
 
 resource "google_compute_router" "router" {

modules/gcp-gke/node_pool_tags.tf

@@ -0,0 +1,18 @@
+###
+# This file contains no business logic.
+# It's sole goal is to provide a way to read out the tags of the node pool, which include the ones we apply with this component + the ones Generated by Google.
+###
+
+locals {
+  # includes the by GCP-managed tags
+  all_primary_node_pool_tags = sort(data.google_compute_instance.primary_node_pool.tags)
+}
+
+data "google_compute_instance_group" "primary_node_pool" {
+  depends_on = [google_container_node_pool.primary_node_pool]
+  self_link  = element(google_container_node_pool.primary_node_pool.managed_instance_group_urls, 0)
+}
+
+data "google_compute_instance" "primary_node_pool" {
+  self_link = tolist(data.google_compute_instance_group.primary_node_pool.instances)[0]
+}

modules/gcp-gke/outputs.tf

@@ -33,6 +33,11 @@ output "cluster_primary_node_pool_tag" {
   value       = local.gke_node_pool_tag
 }
 
+output "cluster_all_primary_node_pool_tags" {
+  description = "List of tags applied to the node pool instances. This included the managed-by-GCP tags."
+  value       = local.all_primary_node_pool_tags
+}
+
 output "istio_gatekeeper_firewall_rule_self_link" {
   description = "The self_link attribute of the firewall rule created to allow Gatekeeper and Istio to function."
   value       = google_compute_firewall.gke_private_cluster_istio_gatekeeper_rules.self_link

test/gke_test.go

@@ -251,6 +251,11 @@ func TestTerraformGcpGkeTemplate(t *testing.T) {
 				//assert.Equal(t, 0, resourceCount.Add)
 				//assert.Equal(t, 0, resourceCount.Destroy)
 			}
+
+			tags := terraform.OutputList(t, gkeClusterTerratestOptions, "cluster_all_primary_node_pool_tags")
+
+			assert.NotNil(t, tags)
+			assert.GreaterOrEqual(t, len(tags), 2)
 		})
 	})
 }