diff --git a/README.md b/README.md
index af8984491a..fdadb47def 100644
--- a/README.md
+++ b/README.md
@@ -234,7 +234,7 @@ Then perform the following commands on the root folder:
 | network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` |
[| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -260,6 +260,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index bf1a122b7f..d27c0a7a2a 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -329,7 +329,7 @@ resource "google_container_cluster" "primary" {
}
{% if autopilot_cluster %}
dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
+ for_each = length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
content {
dynamic "network_tags" {
for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
@@ -338,6 +338,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "node_kubelet_config" {
for_each = var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
content {
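Review bot: The new `resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null` line after the `network_tags` block sends `null` rather than `{}` once the map is emptied, and the enclosing `node_pool_auto_config` for_each drops the whole block when nothing else enables it; if the provider treats an absent argument as unmanaged, tags removed from the variable would presumably stay attached to auto-provisioned node pools, which matters when the tag is a firewall-policy selector as in the example. Worth confirming with a plan that removes the last tag from a cluster that had one; if no update is planned, passing the map through unconditionally inside the block is the safer shape. The same pattern is introduced in the non-autopilot branch of this template and in the generated cluster.tf of the root module and each beta module. The `node_kubelet_config` block at the end of the hunk continues outside it.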
@@ -356,7 +358,7 @@ resource "google_container_cluster" "primary" {
{% if autopilot_cluster != true %}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -365,6 +367,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index fc3d46872d..eeb5c8b6e1 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -400,11 +400,17 @@ variable "node_pools_oauth_scopes" {
{% endif %}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
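Review bot: The description of the new `resource_manager_tags` variable promises that at most 5 tags can be specified, but the block carries no `validation`, so a sixth entry would presumably only surface as an API error at apply time; a validation block on the variable turns that into a local plan-time error (fence below). The description also says "List of resource manager tags" while the type is `map(string)`; `description = "(Optional) - Map of resource manager tags applied to autopilot and auto-provisioned node pools. ..."` would match the type and the key=value formats it goes on to list. The same applies to the generated copies in the beta-autopilot-private-cluster, beta-autopilot-public-cluster and beta-private-cluster-update-variant variables.tf and to the README/metadata text derived from them. The `enable_k8s_beta_apis` block at the end of the hunk continues outside it.
```hcl
variable "resource_manager_tags" {
  # … unchanged: description, type, default …
  validation {
    condition     = length(var.resource_manager_tags) <= 5
    error_message = "resource_manager_tags accepts at most 5 entries."
  }
}
```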
diff --git a/cluster.tf b/cluster.tf
index 5b50c931b2..f549971bdd 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -265,7 +265,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -274,6 +274,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 5b42ba1b0e..20932d96c8 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -26,6 +26,20 @@ provider "kubernetes" {
cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}
+resource "google_tags_tag_key" "key" {
+ parent = "projects/${var.project_id}"
+ short_name = "key${var.cluster_name_suffix}"
+ purpose = "GCE_FIREWALL"
+ purpose_data = {
+ network = "${var.project_id}/${var.network}"
+ }
+}
+
+resource "google_tags_tag_value" "value" {
+ parent = google_tags_tag_key.key.id
+ short_name = "value${var.cluster_name_suffix}"
+}
+
module "gke" {
source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
version = "~> 39.0"
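Review bot: The `google_tags_tag_key.key` and `google_tags_tag_value.value` resources are created here without any IAM binding on them, and attaching a tag to GKE nodes requires tag-user permission on that tag for the principal GKE acts as; if the deploying identity or the GKE service agent lacks it, the module apply fails as soon as `resource_manager_tags` is set — worth confirming against the GKE node-pool tagging requirements and, if needed, adding the binding to the example. Because `purpose = "GCE_FIREWALL"` makes this tag a firewall-policy selector, I'd also add a one-line comment above the key, e.g. `# GCE_FIREWALL-purpose tag: firewall policies can match on it, so keep grants on this key/value minimal.` The `module "gke"` block at the end of the hunk continues outside it.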
@@ -47,6 +61,10 @@ module "gke" {
logging_variant = "MAX_THROUGHPUT"
dns_allow_external_traffic = true
+ resource_manager_tags = {
+ "${var.project_id}/${google_tags_tag_key.key.short_name}" = google_tags_tag_value.value.short_name
+ }
+
node_pools = [
{
name = "pool-01"
diff --git a/metadata.display.yaml b/metadata.display.yaml
index 6e159409da..350ef83430 100644
--- a/metadata.display.yaml
+++ b/metadata.display.yaml
@@ -390,6 +390,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/metadata.yaml b/metadata.yaml
index 8e1e742b4c..62c64a002e 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -404,9 +404,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 0fa8c4fb21..ad3e8badae 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -144,7 +144,7 @@ Then perform the following commands on the root folder:
| name | The name of the cluster (required) | `string` | n/a | yes |
| network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
@@ -156,6 +156,7 @@ Then perform the following commands on the root folder:
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index ff02ec4a63..d8610fc519 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -185,7 +185,7 @@ resource "google_container_cluster" "primary" {
}
}
dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
+ for_each = length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
content {
dynamic "network_tags" {
for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
@@ -194,6 +194,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "node_kubelet_config" {
for_each = var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
content {
diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml
index 887c30302d..1dfa239d94 100644
--- a/modules/beta-autopilot-private-cluster/metadata.display.yaml
+++ b/modules/beta-autopilot-private-cluster/metadata.display.yaml
@@ -292,6 +292,9 @@ spec:
release_channel:
name: release_channel
title: Release Channel
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml
index b447e0824e..39188bca1c 100644
--- a/modules/beta-autopilot-private-cluster/metadata.yaml
+++ b/modules/beta-autopilot-private-cluster/metadata.yaml
@@ -246,9 +246,13 @@ spec:
varType: bool
defaultValue: true
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 56bcaecc59..afc035f7a3 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -209,11 +209,17 @@ variable "enable_resource_consumption_export" {
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 61fb872e75..f7fd25064e 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -133,7 +133,7 @@ Then perform the following commands on the root folder:
| name | The name of the cluster (required) | `string` | n/a | yes |
| network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
@@ -144,6 +144,7 @@ Then perform the following commands on the root folder:
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 4c91fc3f9a..3fca7ac4d0 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -185,7 +185,7 @@ resource "google_container_cluster" "primary" {
}
}
dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
+ for_each = length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
content {
dynamic "network_tags" {
for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
@@ -194,6 +194,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "node_kubelet_config" {
for_each = var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
content {
diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml
index 35d5407df4..1cd82e2660 100644
--- a/modules/beta-autopilot-public-cluster/metadata.display.yaml
+++ b/modules/beta-autopilot-public-cluster/metadata.display.yaml
@@ -274,6 +274,9 @@ spec:
release_channel:
name: release_channel
title: Release Channel
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml
index 7069586d81..8d341bd936 100644
--- a/modules/beta-autopilot-public-cluster/metadata.yaml
+++ b/modules/beta-autopilot-public-cluster/metadata.yaml
@@ -246,9 +246,13 @@ spec:
varType: bool
defaultValue: true
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 23e533842b..b1bf6469df 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -209,11 +209,17 @@ variable "enable_resource_consumption_export" {
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index fa63f65477..76d30e639e 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -278,7 +278,7 @@ Then perform the following commands on the root folder:
| network\_policy | Enable network policy addon | `bool` | `false` | no |
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
| node\_pools | List of maps containing node pools | `list(map(any))` | [| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -305,6 +305,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index d53fd4ea09..3649b01359 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -278,7 +278,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -287,6 +287,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml
index d9bf9511f1..6836f934d8 100644
--- a/modules/beta-private-cluster-update-variant/metadata.display.yaml
+++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml
@@ -433,6 +433,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml
index 7839218b70..25204b4288 100644
--- a/modules/beta-private-cluster-update-variant/metadata.yaml
+++ b/modules/beta-private-cluster-update-variant/metadata.yaml
@@ -364,9 +364,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index d169e9e221..dd14be9ae1 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
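Review bot: The new `resource_manager_tags` variable's description promises "a maximum of 5 tags" and three accepted key/value formats, but the block enforces none of it, so an oversized or mistyped map is only rejected by the API at apply time, after the plan was approved. Add a `validation` block with `condition = length(var.resource_manager_tags) <= 5` and an `error_message` naming the limit, so the constraint surfaces at plan time. The type is `map(string)`, so the description's "List of resource manager tags" should read "Map of resource manager tags (key = tag key, value = tag value)" to match what callers actually pass.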
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index f280d6f57b..7c575d9c16 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -256,7 +256,7 @@ Then perform the following commands on the root folder:
| network\_policy | Enable network policy addon | `bool` | `false` | no |
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
| node\_pools | List of maps containing node pools | `list(map(any))` | [| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -283,6 +283,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 16f8a58693..630e7fb1e6 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -278,7 +278,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -287,6 +287,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
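Review bot: `resource_manager_tags` is assigned inside `node_pool_auto_config`, whose `for_each` in the preceding hunk is still gated on `var.cluster_autoscaling.enabled`, so a caller who sets tags on a cluster without node auto-provisioning has them silently dropped with no plan-time diagnostic. If those tags back tag-based firewall policies or IAM conditions, the silent no-op leaves a control the caller believes is in place unapplied. Either state the dependency in the variable description or add a `lifecycle { precondition { ... } }` on the resource with `condition = length(var.resource_manager_tags) == 0 || var.cluster_autoscaling.enabled` and an error message naming the requirement. The enclosing `node_pool_auto_config` and `google_container_cluster` blocks start outside this hunk.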
diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml
index 0ba1ed91ac..0ce6f8bed2 100644
--- a/modules/beta-private-cluster/metadata.display.yaml
+++ b/modules/beta-private-cluster/metadata.display.yaml
@@ -433,6 +433,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml
index 30cf30f7d7..aa3bcdd46c 100644
--- a/modules/beta-private-cluster/metadata.yaml
+++ b/modules/beta-private-cluster/metadata.yaml
@@ -364,9 +364,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index d169e9e221..dd14be9ae1 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
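Review bot: The limit of 5 tags and the three key/value formats stated in the `resource_manager_tags` description are not enforced anywhere in the new block, so invalid input only fails at apply time. A `validation` block with `condition = length(var.resource_manager_tags) <= 5` and a matching `error_message` would reject it during plan; a key/value regex could follow once the accepted formats are confirmed stable. Since the variable is a `map(string)`, wording the description as "Map of resource manager tags" rather than "List" would avoid callers passing a list.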
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 285b2bdc7d..286a4dc80f 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -267,7 +267,7 @@ Then perform the following commands on the root folder:
| network\_policy | Enable network policy addon | `bool` | `false` | no |
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
| node\_pools | List of maps containing node pools | `list(map(any))` | [| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -293,6 +293,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 03c4953cc1..dc56b65035 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -278,7 +278,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -287,6 +287,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
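Review bot: The new `resource_manager_tags` assignment only takes effect when the surrounding `node_pool_auto_config` block is generated, and that block's `for_each` (previous hunk) still requires `var.cluster_autoscaling.enabled`; with autoscaling off the tags are silently ignored. Because resource manager tags are commonly the key for firewall policies and IAM conditions, a silent drop means a security control appears configured but is not. Consider a resource `lifecycle { precondition { ... } }` with `condition = length(var.resource_manager_tags) == 0 || var.cluster_autoscaling.enabled`, or at minimum a sentence in the variable description saying the tags require node auto-provisioning. The enclosing blocks start outside this hunk.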
diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml
index ee5f7c2d18..39ad9972ac 100644
--- a/modules/beta-public-cluster-update-variant/metadata.display.yaml
+++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml
@@ -415,6 +415,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
index 6f5bd965eb..8f1c30d45f 100644
--- a/modules/beta-public-cluster-update-variant/metadata.yaml
+++ b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -364,9 +364,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 640205ec71..299b269568 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
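Review bot: Nothing in the new `resource_manager_tags` block enforces the "maximum of 5 tags" or the key/value formats its description documents, so a bad value is only caught by the API at apply time. Adding a `validation` block with `condition = length(var.resource_manager_tags) <= 5` and an `error_message` stating the limit moves the failure to plan time. The description also says "List" while the type is `map(string)`; "Map of resource manager tags (tag key => tag value)" is the accurate wording.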
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index d7231e89b6..81f2686793 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -245,7 +245,7 @@ Then perform the following commands on the root folder:
| network\_policy | Enable network policy addon | `bool` | `false` | no |
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
| node\_pools | List of maps containing node pools | `list(map(any))` | [| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -271,6 +271,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 962ac3857d..f5f5011763 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -278,7 +278,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -287,6 +287,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
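Review bot: `resource_manager_tags` is set inside `node_pool_auto_config`, and that block's `for_each` in the preceding hunk is still conditioned on `var.cluster_autoscaling.enabled`, so tags supplied for a cluster without node auto-provisioning are dropped without any diagnostic. When those tags drive tag-based firewall policies or IAM conditions, the caller ends up with a control they believe is active but is not. A `lifecycle { precondition { ... } }` on the resource with `condition = length(var.resource_manager_tags) == 0 || var.cluster_autoscaling.enabled` would make the mismatch a plan-time error; failing that, the variable description should note the dependency. The enclosing `node_pool_auto_config` and `google_container_cluster` blocks begin outside this hunk.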
diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml
index a587dc300b..117dfb553b 100644
--- a/modules/beta-public-cluster/metadata.display.yaml
+++ b/modules/beta-public-cluster/metadata.display.yaml
@@ -415,6 +415,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
index 75d1eb4b2b..db9c168acd 100644
--- a/modules/beta-public-cluster/metadata.yaml
+++ b/modules/beta-public-cluster/metadata.yaml
@@ -364,9 +364,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 640205ec71..299b269568 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
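Review bot: The 5-tag maximum and accepted formats in the `resource_manager_tags` description are documentation only; the variable block has no `validation`, so violations are first reported by the API during apply. A `validation` block with `condition = length(var.resource_manager_tags) <= 5` and an `error_message` naming the limit gives the caller a plan-time failure instead. The variable is typed `map(string)`, so replace "List of resource manager tags" with "Map of resource manager tags" in the description to match.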
diff --git a/modules/gke-autopilot-cluster/metadata.yaml b/modules/gke-autopilot-cluster/metadata.yaml
index e0849fc52a..9efc7b038c 100644
--- a/modules/gke-autopilot-cluster/metadata.yaml
+++ b/modules/gke-autopilot-cluster/metadata.yaml
@@ -569,9 +569,9 @@ spec:
roles:
- level: Project
roles:
- - roles/container.admin
- roles/iam.serviceAccountUser
- roles/compute.admin
+ - roles/container.admin
services:
- compute.googleapis.com
- container.googleapis.com
diff --git a/modules/gke-node-pool/metadata.yaml b/modules/gke-node-pool/metadata.yaml
index d30fccde12..ebc5802170 100644
--- a/modules/gke-node-pool/metadata.yaml
+++ b/modules/gke-node-pool/metadata.yaml
@@ -409,9 +409,9 @@ spec:
roles:
- level: Project
roles:
- - roles/compute.admin
- roles/container.admin
- roles/iam.serviceAccountUser
+ - roles/compute.admin
services:
- compute.googleapis.com
- container.googleapis.com
diff --git a/modules/gke-standard-cluster/metadata.yaml b/modules/gke-standard-cluster/metadata.yaml
index 1b09bae2a3..9e15c34c00 100644
--- a/modules/gke-standard-cluster/metadata.yaml
+++ b/modules/gke-standard-cluster/metadata.yaml
@@ -1008,9 +1008,9 @@ spec:
roles:
- level: Project
roles:
+ - roles/iam.serviceAccountUser
- roles/compute.admin
- roles/container.admin
- - roles/iam.serviceAccountUser
services:
- compute.googleapis.com
- container.googleapis.com
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 17b47cd78c..4c33b602ea 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -267,7 +267,7 @@ Then perform the following commands on the root folder:
| network\_policy | Enable network policy addon | `bool` | `false` | no |
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
| node\_pools | List of maps containing node pools | `list(map(any))` | [| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -294,6 +294,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index a3a6c90036..aaf42cdcae 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -265,7 +265,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
@@ -274,6 +274,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
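Review bot: The added `resource_manager_tags` line lives inside `node_pool_auto_config`, whose `for_each` in the previous hunk is still gated on `var.cluster_autoscaling.enabled`, so a non-empty map on a cluster without node auto-provisioning is silently ignored. If the tags are what a firewall policy or IAM condition keys on, that silent no-op leaves nodes outside the intended control with no signal to the operator. Add a `lifecycle { precondition { ... } }` with `condition = length(var.resource_manager_tags) == 0 || var.cluster_autoscaling.enabled` and an explanatory `error_message`, or document the dependency in the variable description. The enclosing blocks start outside this hunk.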
diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml
index 0e162614f4..0b9d444270 100644
--- a/modules/private-cluster-update-variant/metadata.display.yaml
+++ b/modules/private-cluster-update-variant/metadata.display.yaml
@@ -409,6 +409,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
index a09b3e3180..ca27acd298 100644
--- a/modules/private-cluster-update-variant/metadata.yaml
+++ b/modules/private-cluster-update-variant/metadata.yaml
@@ -364,9 +364,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 151ac9e6ee..ee0ccbafff 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
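Review bot: The new `resource_manager_tags` variable documents a maximum of 5 entries and three key/value formats but enforces neither, so mistakes surface only as API errors at apply time. A `validation` block with `condition = length(var.resource_manager_tags) <= 5` and an `error_message` stating the limit would reject them at plan time; a format regex on keys and values can be added once the accepted shapes are settled. Also change "List of resource manager tags" to "Map of resource manager tags" in the description, since the type is `map(string)`.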
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 4ed430268a..5ba1519c08 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -245,7 +245,7 @@ Then perform the following commands on the root folder:
| network\_policy | Enable network policy addon | `bool` | `false` | no |
| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
-| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
| node\_pools | List of maps containing node pools | `list(map(any))` | [| no | | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"name": "default-node-pool"
}
]
{
"all": "",
"default-node-pool": ""
} | no |
@@ -272,6 +272,7 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
+| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 04e3a72000..12cfa96e87 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -265,7 +265,7 @@ resource "google_container_cluster" "primary" {
}
dynamic "node_pool_auto_config" {
- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || length(var.resource_manager_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
content {
dynamic "network_tags" {
for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
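Review bot: The added `length(var.resource_manager_tags) > 0` term in the `for_each` of `node_pool_auto_config` is still ANDed with `var.cluster_autoscaling.enabled`, so tags supplied for a cluster without node auto-provisioning are dropped with no error, while the variable description promises they are applied to auto-provisioned node pools. Resource manager tags are typically relied on for firewall-policy or IAM-condition targeting, so a silent drop is easy to miss in a review of the plan; either state the dependency in the description, e.g. `Only applied when cluster_autoscaling.enabled is true.`, or fail the plan with a `precondition` on the resource. The `google_container_cluster.primary` block starts outside the hunk, and the same guard presumably exists in the root cluster.tf, which is not in this chunk.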
@@ -274,6 +274,8 @@ resource "google_container_cluster" "primary" {
}
}
+ resource_manager_tags = length(var.resource_manager_tags) > 0 ? var.resource_manager_tags : null
+
dynamic "linux_node_config" {
for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
content {
diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml
index aa4afe00be..1abd280ecf 100644
--- a/modules/private-cluster/metadata.display.yaml
+++ b/modules/private-cluster/metadata.display.yaml
@@ -409,6 +409,9 @@ spec:
remove_default_node_pool:
name: remove_default_node_pool
title: Remove Default Node Pool
+ resource_manager_tags:
+ name: resource_manager_tags
+ title: Resource Manager Tags
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
index 463e2cef2b..9135a0da66 100644
--- a/modules/private-cluster/metadata.yaml
+++ b/modules/private-cluster/metadata.yaml
@@ -364,9 +364,13 @@ spec:
- https://www.googleapis.com/auth/cloud-platform
default-node-pool: []
- name: network_tags
- description: (Optional) - List of network tags applied to auto-provisioned node pools.
+ description: (Optional) - List of network tags applied to autopilot and auto-provisioned node pools.
varType: list(string)
defaultValue: []
+ - name: resource_manager_tags
+ description: "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ varType: map(string)
+ defaultValue: {}
- name: enable_k8s_beta_apis
description: (Optional) - List of Kubernetes Beta APIs to enable in cluster.
varType: list(string)
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 151ac9e6ee..ee0ccbafff 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)
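Review bot: The description of the new `resource_manager_tags` variable states that a maximum of 5 tags can be specified, but the declaration carries no `validation` block, so a sixth entry is only rejected by the API at apply time; the identical declaration in the root variables.tf hunk has the same gap. The description also opens with "List of" for a `map(string)` — `Map of resource manager tags applied to autopilot and auto-provisioned node pools.` would match the declared type. A validation block that enforces the documented limit is shown below.
```hcl
variable "resource_manager_tags" {
  # … unchanged: description, type, default …
  validation {
    condition     = length(var.resource_manager_tags) <= 5
    error_message = "A maximum of 5 resource manager tags can be specified."
  }
}
```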
diff --git a/test/integration/node_pool/node_pool_test.go b/test/integration/node_pool/node_pool_test.go
index f030ad0bd9..8b4140d5a1 100644
--- a/test/integration/node_pool/node_pool_test.go
+++ b/test/integration/node_pool/node_pool_test.go
@@ -63,6 +63,11 @@ func TestNodePool(t *testing.T) {
testutils.TGKEAssertGolden(assert, g, &cluster, []string{"pool-01", "pool-02", "pool-03", "pool-04", "pool-05"}, []string{"monitoringConfig.componentConfig.enableComponents"}) // TODO: enableComponents is UL
assert.Contains([]string{"RUNNING", "RECONCILING"}, cluster.Get("status").String())
+ // Resource Manager Tag Assertions
+ // TGKEAssertGolden doesn't work work with sanitized keys
+ tagKeyPath := fmt.Sprintf("nodePoolAutoConfig.resourceManagerTags.tags.%s/key-%s", projectId, randomString)
+ assert.Equal("value-"+randomString, cluster.Get(tagKeyPath).String())
+
// K8s Assertions
assert.JSONEq(`[
{
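Review bot: The added comment doubles a word; `// TGKEAssertGolden doesn't work with sanitized keys` reads correctly. The assertion relies on `projectId`, `randomString` and the `fmt` import, all of which are declared outside this hunk, so the test only compiles if the rest of the commit provides them. `TestNodePool` continues outside the hunk.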
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index f48e8b8a32..ca073a7721 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -35,7 +35,8 @@ locals {
"roles/iap.admin",
"roles/gkehub.admin",
"roles/cloudasset.viewer",
- "roles/serviceusage.serviceUsageConsumer"
+ "roles/serviceusage.serviceUsageConsumer",
+ "roles/resourcemanager.tagAdmin",
]
# roles as documented https://cloud.google.com/service-mesh/docs/installation-permissions
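Review bot: `roles/resourcemanager.tagAdmin` lets the holder create, update and delete tag keys and values at whatever scope this `locals` list is bound to, which is broader than needed if the test only consumes pre-existing tags; the binding itself is outside this hunk, so confirm it is on the test project rather than a folder or organization. If the node_pool test creates its own tag key, a comment on the new line such as `# tagAdmin: needed to create the tag key/value used by the node_pool test` would record why the grant exists. The `locals` block starts outside the hunk.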
diff --git a/test/setup/main.tf b/test/setup/main.tf
index bff9990be8..85c3fa114c 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -80,7 +80,7 @@ module "gke-project-1" {
activate_api_identities = [
{
api = "container.googleapis.com"
- roles = ["roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/container.serviceAgent"]
+ roles = ["roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/container.serviceAgent", "roles/resourcemanager.tagUser", "roles/resourcemanager.tagHoldAdmin"]
},
]
}
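Review bot: Granting `roles/resourcemanager.tagUser` and `roles/resourcemanager.tagHoldAdmin` to the container.googleapis.com service agent here is a prerequisite for the new `resource_manager_tags` variable, but neither the variable description nor the README tells module consumers to make the same grant in their own projects, so a first apply with tags set presumably fails with a permission error on the GKE service agent. A sentence in the description such as `Requires roles/resourcemanager.tagUser and roles/resourcemanager.tagHoldAdmin on the GKE service agent.` would make the dependency visible. The `module "gke-project-1"` block starts outside the hunk.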
diff --git a/variables.tf b/variables.tf
index 3a4aec4576..e06c1b5d18 100644
--- a/variables.tf
+++ b/variables.tf
@@ -377,11 +377,17 @@ variable "node_pools_oauth_scopes" {
}
variable "network_tags" {
- description = "(Optional) - List of network tags applied to auto-provisioned node pools."
+ description = "(Optional) - List of network tags applied to autopilot and auto-provisioned node pools."
type = list(string)
default = []
}
+variable "resource_manager_tags" {
+ description = "(Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: \"tagKeys/{tag_key_id}\"=\"tagValues/{tag_value_id}\", \"{org_id}/{tag_key_name}\"=\"{tag_value_name}\", \"{project_id}/{tag_key_name}\"=\"{tag_value_name}\"."
+ type = map(string)
+ default = {}
+}
+
variable "enable_k8s_beta_apis" {
description = "(Optional) - List of Kubernetes Beta APIs to enable in cluster."
type = list(string)