feat(safer-cluster): add some missing variables

- node_pools_resource_manager_tags
- node_pools_cgroup_mode
- node_pools_hugepage_size_2m
- enable_secret_manager_addon

Author: bergemalm

autogen/safer-cluster/main.tf.tmpl

@@ -89,13 +89,16 @@ module "gke" {
   // If removing the default node pool, initial_node_count should be at least 1.
   initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count
 
-  node_pools                 = var.node_pools
-  windows_node_pools         = var.windows_node_pools
-  node_pools_labels          = var.node_pools_labels
-  node_pools_resource_labels = var.node_pools_resource_labels
-  node_pools_metadata        = var.node_pools_metadata
-  node_pools_taints          = var.node_pools_taints
-  node_pools_tags            = var.node_pools_tags
+  node_pools                       = var.node_pools
+  windows_node_pools               = var.windows_node_pools
+  node_pools_labels                = var.node_pools_labels
+  node_pools_resource_labels       = var.node_pools_resource_labels
+  node_pools_resource_manager_tags = var.node_pools_resource_manager_tags
+  node_pools_metadata              = var.node_pools_metadata
+  node_pools_cgroup_mode           = var.node_pools_cgroup_mode
+  node_pools_hugepage_size_2m      = var.node_pools_hugepage_size_2m
+  node_pools_taints                = var.node_pools_taints
+  node_pools_tags                  = var.node_pools_tags
 
   node_pools_oauth_scopes = var.node_pools_oauth_scopes
 
@@ -216,6 +219,8 @@ module "gke" {
 
   enable_gcfs = var.enable_gcfs
 
+  enable_secret_manager_addon = var.enable_secret_manager_addon
+
   // Enabling vulnerability and audit for workloads
   workload_vulnerability_mode = var.workload_vulnerability_mode
   workload_config_audit_mode  = var.workload_config_audit_mode

autogen/safer-cluster/variables.tf.tmpl

@@ -185,6 +185,16 @@ variable "node_pools_resource_labels" {
   }
 }
 
+variable "node_pools_resource_manager_tags" {
+  type        = map(map(string))
+  description = "Map of maps containing resource manager tags by node-pool name"
+
+  default = {
+    all               = {}
+    default-node-pool = {}
+  }
+}
+
 variable "node_pools_metadata" {
   type        = map(map(string))
   description = "Map of maps containing node metadata by node-pool name"
@@ -195,6 +205,28 @@ variable "node_pools_metadata" {
   }
 }
 
+variable "node_pools_cgroup_mode" {
+  type        = map(string)
+  description = "Map of strings containing cgroup node config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
+variable "node_pools_hugepage_size_2m" {
+  type        = map(string)
+  description = "Map of strings containing hugepage size 2m node config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
 variable "node_pools_taints" {
   type        = map(list(object({ key = string, value = string, effect = string })))
   description = "Map of lists containing node taints by node-pool name"
@@ -540,6 +572,12 @@ variable "enable_gcfs" {
   default     = false
 }
 
+variable "enable_secret_manager_addon" {
+  description = "Enable the Secret Manager add-on for this cluster"
+  type        = bool
+  default     = false
+}
+
 variable "enable_mesh_certificates" {
   type = bool
   default = false

metadata.display.yaml

@@ -285,6 +285,9 @@ spec:
         master_authorized_networks:
           name: master_authorized_networks
           title: Master Authorized Networks
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/beta-private-cluster-update-variant/metadata.display.yaml

@@ -325,6 +325,9 @@ spec:
         master_ipv4_cidr_block:
           name: master_ipv4_cidr_block
           title: Master Ipv4 Cidr Block
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/beta-private-cluster/metadata.display.yaml

@@ -325,6 +325,9 @@ spec:
         master_ipv4_cidr_block:
           name: master_ipv4_cidr_block
           title: Master Ipv4 Cidr Block
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/beta-public-cluster-update-variant/metadata.display.yaml

@@ -310,6 +310,9 @@ spec:
         master_authorized_networks:
           name: master_authorized_networks
           title: Master Authorized Networks
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/beta-public-cluster/metadata.display.yaml

@@ -310,6 +310,9 @@ spec:
         master_authorized_networks:
           name: master_authorized_networks
           title: Master Authorized Networks
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/private-cluster-update-variant/metadata.display.yaml

@@ -301,6 +301,9 @@ spec:
         master_ipv4_cidr_block:
           name: master_ipv4_cidr_block
           title: Master Ipv4 Cidr Block
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/private-cluster/metadata.display.yaml

@@ -301,6 +301,9 @@ spec:
         master_ipv4_cidr_block:
           name: master_ipv4_cidr_block
           title: Master Ipv4 Cidr Block
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus

modules/safer-cluster-update-variant/README.md

@@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
@@ -261,10 +262,13 @@ For simplicity, we suggest using `roles/container.admin` and
 | network | The VPC network to host the cluster in | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_pools | List of maps containing node pools | `list(map(string))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
+| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
+| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | <pre>{<br>  "all": [<br>    "https://www.googleapis.com/auth/cloud-platform"<br>  ],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
+| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |