GCP Kubernetes Cluster

$1,200

BUY

325

License

The module creates a managed Kubernetes cluster (GKE) in GCP.
Supported Kubernetes versions are 1.27 and newer.

NOTE: This module is meant to be used with an already created VPC.

NOTE: By default cluster is configured to work in a single zone of region but it's also possible to use multi-zonal cluster.
See location parameter reference

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_gcp_k8s_gke" {
  source  = "solutions.corewide.com/google-cloud/tf-gcp-k8s-gke/google"
  version = "~> 2.1.2"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 2.1 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "2.1.2"

v2.1.2 released 8 months, 2 weeks ago

New version approx. every 9 weeks

Upgrade Notes

Changelog

All notable changes to this project are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

v4.1.0 - 2025-04-14

Added

gateway_api_config_channel variable, which defines the configuration options for API Gateway channel

Fixed

formatting in error messages for variable validations

v4.0.0 - 2025-03-26

BREAKING CHANGE: all the node pools will have the unique suffix appended to their name. To incorporate the suffixes for the node pool names, node pool redeployment is needed. Please, see the Upgrade notes section.

Added

default_node_pool variable which defines the configurational options for the maintenance node pool that is created unconditionally
<cluster_name>/node_pool_name label to all node pools
create_before_destroy lifecycle option to node pools

Fixed

node pools will not be redeployed due to reordering of configuration parameters

Changed

node pool property name by adding a random suffix
vpc_native and cluster_private_nodes_enabled property values to true

v3.3.1 - 2025-03-21

Fixed

an incorrect node pool mode when GKE Workload Identity is enabled

v3.3.0 - 2025-02-07

Added

observability variable which allows the user to configure Google-managed cluster monitoring and deploy Google Cloud Managed Service for Prometheus (GMP) as GKE add-on

v3.2.0 - 2024-12-11

Added

deletion_protection_enabled variable which allows the user to destroy the cluster, by default, is true. Set to false to destroy the cluster

v3.1.0 - 2024-11-26

Added

nullable parameter to all variables

Changed

minimal cluster_version to 1.29

v3.0.0 - 2024-09-26

Changed

minimal google and google-beta providers' version to 6.2
node pool auto_upgrade option to true if STABLE release channel is selected (required by provider)

v2.1.2 - 2024-08-09

(Last version compatible with Terraform Google v4)

Added

min_master_version parameter to google_container_cluster resource

Changed

minimal cluster_version to 1.27
default node_pools.image to COS_CONTAINERD

v2.1.1 - 2023-12-07

Changed

minimal cluster_version to 1.23

v2.1.0 - 2023-03-22

Added

resource labels for GKE cluster
vpc_native variable, to fix absence of IP aliasing
cluster_master_cidr variable, to fix unrestricted inter-cluster communication
allowed_mgmt_networks, cluster_private_nodes_enabled variables, to fix unrestricted access to cluster

v2.0.0 - 2023-03-07

BREAKING CHANGE: now all node pools have corresponding names in the state instead of abstract indexes which aren't compatible with a new version. Upgrade from an older version is possible with manual changes, see Upgrade Notes section

Changed

processing of Node Pool resources to use the for_each meta-argument instead of count. With this change, it is now possible to store and reference Node Pool resources using their corresponding names instead of abstract indexes

v1.2.0 - 2023-02-23

Added

option to enable GKE cluster workload identity
option to create a workload identity pool

v1.1.0 - 2022-10-13

Added

node pools tags parameter to identify valid sources or targets for network firewalls

v1.0.0 - 2022-10-11

Added

create GKE cluster 1.20+
create a set of node pools according to the input list
create a service account for the cluster
IAM monitoring and logging roles for GKE metrics agents

From `v1.x` to `v2.x`

Module from v2.0 has changed handling of node pool copies from count meta-argument to for_each, which isn't compatible with an old version. After the module version is upgraded, re-init module and update naming in Terraform state of managed indexed resources:

As an example, node_pools variable contains two node pools, where:

node_pools[0].name = "maintenance"
node_pools[1].name = "app"

Then, you need to move their state this way:

 bashterraform state mv 'module.gke.google_container_node_pool.gke[0]' 'module.gke.google_container_node_pool.gke["maintenance"]'
terraform state mv 'module.gke.google_container_node_pool.gke[1]' 'module.gke.google_container_node_pool.gke["app"]'

From `v2.x` to `v3.x`

Module from v3.0 has changed Google providers version which isn't compatible with an old version. After the module version is upgraded, re-init module to upgrade Google providers version.

Upgrade Google providers version on project level to ~> 6.2:

 hclrequired_providers {
  google = {
    source  = "hashicorp/google"
    version = "~> 6.2"
  }

  google-beta = {
    source  = "hashicorp/google-beta"
    version = "~> 6.2"
  }
}

Upgrade project dependencies:

 bashterraform init --upgrade

From `v3.x` to `v4.x`

Module from v4.0 introduced the maintenance node pool, which is created unconditionally. If the maintenance node pool was configured using the previous module version, move the supported parameters of the maintenance node pool from the node_pools parameter to the default_node_pool parameter.

Module from v4.0 enabled the cluster_private_nodes_enabled parameter by default. To avoid cluster re-creation, set the cluster_private_nodes_enabled parameter to false. Alternatively, if the cluster_private_nodes_enabled parameter will be set to true, the cluster must be re-created using terraform destroy --target module.<module-name> and terraform apply --target module.<module-name>

Module from v4.0 has changed the node pool property name by adding a random suffix. For the changes to take effect node pools must be redeployed.

Replace the <module-name> with the name, assigned to the name of module resource, that utilizes this module in the following command and execute it to replace the node pools:

 bashterraform apply $(tf state list | grep module.<module-name>.google_container_node_pool | xargs -I{} echo "-replace={} " | sed -E 's/\[/["/g; s/\]/"]/g')

If the cloud.google.com/gke-nodepool label was used in the application configuration, it has to be replaced with <name_prefix>/node-pool-name

For example, if the application pod used the following configuration on the cluster with name_prefix = production:

 bashnodeSelector:
 cloud.google.com/gke-nodepool: application

It should be replaced with the following configuration, to ensure that the pods will be scheduled both before and after the module version migration:

 bashnodeSelector:
 production/node-pool-name: application

GKE with two node pools: the first pool with autoscaling enabled and the second one disabled:

 hclmodule "gke" {
  source  = "solutions.corewide.com/google-cloud/tf-gcp-k8s-gke/google"
  version = "~> 2.1"

  name_prefix     = "foo"
  vpc             = google_compute_network.main.self_link
  release_chanel  = "STABLE"
  cluster_version = "1.27"

  node_pools = [
    {
      name        = "application"
      min_size    = 2
      max_size    = 5
      preemptible = true

      tags = [
        "application",
      ]
    },
    {
      name      = "maintenance"
      node_size = "e2-standard-4"

      tags = [
        "fixed",
        "maintenance",
      ]
    },
  ]
}

GKE cluster with workload identity enabled, one node pool with autoscaling enabled, workload identity pool created:

 hclmodule "gke" {
  source  = "solutions.corewide.com/google-cloud/tf-gcp-k8s-gke/google"
  version = "~> 2.1"

  name_prefix                   = "foo"
  vpc                           = google_compute_network.main.self_link
  release_channel               = "STABLE"
  cluster_version               = "1.27"
  workload_identity_enabled     = true
  create_workload_identity_pool = true

  node_pools = [
    {
      name        = "application"
      min_size    = 2
      max_size    = 5
      preemptible = true
      image       = "cos_containerd"
      tags        = ["application"]
    },
  ]
}

GKE with IP aliasing enabled and restricted connection to cluster API:

 hclmodule "gke" {
  source  = "solutions.corewide.com/google-cloud/tf-gcp-k8s-gke/google"
  version = "~> 2.1"

  name_prefix     = "foo"
  vpc             = google_compute_network.main.self_link
  release_channel = "STABLE"
  cluster_version = "1.27"

  allowed_mgmt_networks = {
    office = "104.22.0.0/24"
  }

  vpc_native = true

  node_pools = [
    {
      name = "application"
      tags = ["application"]
    }
  ]
}

Variable	Description	Type	Default	Required	Sensitive
`name_prefix`	Name prefix for Google service account and GKE cluster	`string`		yes	no
`node_pools`	List of node pools to create	`list(object)`		yes	no
`vpc`	VPC network self_link which will be attached to the Kubernetes cluster	`string`		yes	no
`allowed_mgmt_networks`	Map of CIDR blocks allowed to connect to cluster API	`map(string)`		no	no
`cluster_master_cidr`	CIDR block to be used for control plane components	`string`	`172.16.0.0/28`	no	no
`cluster_private_nodes_enabled`	Indicates whether cluster private nodes should be enabled	`bool`	`false`	no	no
`cluster_version`	Kubernetes version (`Major.Minor`)	`string`	`1.27`	no	no
`create_workload_identity_pool`	Indicates whether to create a GKE workload identity pool or use the existing one (one pool per project)	`bool`	`true`	no	no
`node_pools[*].disk_size`	Disk size of a node	`number`	`20`	no	no
`node_pools[*].image`	Image type of node pools	`string`	`COS_CONTAINERD`	no	no
`node_pools[*].max_size`	Maximum number of nodes in the pool	`number`		no	no
`node_pools[*].min_size`	Minimum number of nodes in the pool	`number`	`1`	no	no
`node_pools[*].name`	Name of the node pool	`string`		yes	no
`node_pools[*].node_size`	Instance type to use for node creation	`string`	`e2-standard-2`	no	no
`node_pools[*].preemptible`	Whether the nodes should be preemptible	`bool`	`false`	no	no
`node_pools[*].tags`	The list of instance tags to identify valid sources or targets for network firewalls (When is not set, the default rule set is applied)	`list(string)`	`[]`	no	no
`region`	Specific zone which exists within the region or a single region	`string`		no	no
`release_channel`	Configuration options for the Release channel feature	`string`	`UNSPECIFIED`	no	no
`subnet_id`	The name or self_link of the Google Compute Engine subnetwork in which the cluster's instances are launched	`string`		no	no
`vpc_native`	Indicates whether IP alliasing should be enabled	`bool`	`false`	no	no
`workload_identity_enabled`	Indicates whether workload identity is enabled and whether nodes should store their metadata on the GKE metadata server	`bool`	`false`	no	no

Output	Description	Type	Sensitive
`cluster`	GKE cluster resource	`resource`	no
`node_pools`	List of created node pools	`resource`	no
`workload_identity_pool`	GKE workload identity pool data	`computed`	no

Dependency	Version	Kind
`terraform`	`>= 1.3`	CLI
`hashicorp/google`	`~> 4.13`	provider
`hashicorp/google-beta`	`~> 4.13`	provider

References

Artifact Registry management in Google Cloud

6 months, 2 weeks ago 313

Google Cloud DNS RBAC for integration with Cert Manager in a Kubernetes cluster

unreleased 0

External Secrets Operator integration with Secret Manager in Google Cloud

3 months ago 259

GCP Kubernetes Cluster

v4.1.0 - 2025-04-14

Added

Fixed

v4.0.0 - 2025-03-26

Added

Fixed

Changed

v3.3.1 - 2025-03-21

Fixed

v3.3.0 - 2025-02-07

Added

v3.2.0 - 2024-12-11

Added

v3.1.0 - 2024-11-26

Added

Changed

v3.0.0 - 2024-09-26

Changed

v2.1.2 - 2024-08-09

Added

Changed

v2.1.1 - 2023-12-07

Changed

v2.1.0 - 2023-03-22

Added

v2.0.0 - 2023-03-07

Changed

v1.2.0 - 2023-02-23

Added

v1.1.0 - 2022-10-13

Added

v1.0.0 - 2022-10-11

Added

From v1.x to v2.x

From v2.x to v3.x

From v3.x to v4.x

References

Not sure where to start?Let's find your perfect match.

From `v1.x` to `v2.x`

From `v2.x` to `v3.x`

From `v3.x` to `v4.x`

Not sure where to start?
Let's find your perfect match.