feat: Add fully configurable resource usage export block in GA and upgrade GCP provider (#491)

BREAKING CHANGE: Minimum Google provider version increased to 3.16.

Author: gcamus59

README.md

@@ -110,6 +110,8 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
+| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
+| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
 | firewall\_priority | Priority rule for firewall rules | number | `"1000"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
@@ -142,6 +144,7 @@ Then perform the following commands on the root folder:
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | string | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |

autogen/main/cluster.tf.tmpl

@@ -99,16 +99,6 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value.enabled
     }
   }
-
-  dynamic "resource_usage_export_config" {
-    for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : []
-    content {
-      enable_network_egress_metering = true
-      bigquery_destination {
-        dataset_id = resource_usage_export_config.value
-      }
-    }
-  }
 {% endif %}
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
@@ -223,6 +213,22 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "resource_usage_export_config" {
+    for_each = var.resource_usage_export_dataset_id != "" ? [{
+      enable_network_egress_metering       = var.enable_network_egress_export
+      enable_resource_consumption_metering = var.enable_resource_consumption_export
+      dataset_id                           = var.resource_usage_export_dataset_id
+    }] : []
+
+    content {
+      enable_network_egress_metering       = resource_usage_export_config.value.enable_network_egress_metering
+      enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
+      bigquery_destination {
+        dataset_id = resource_usage_export_config.value.dataset_id
+      }
+    }
+  }
+
 {% if private_cluster %}
   dynamic "private_cluster_config" {
     for_each = var.enable_private_nodes ? [{

autogen/main/variables.tf.tmpl

@@ -182,6 +182,24 @@ variable "node_pools_metadata" {
     default-node-pool = {}
   }
 }
+
+variable "resource_usage_export_dataset_id" {
+  type        = string
+  description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export."
+  default     = ""
+}
+
+variable "enable_network_egress_export" {
+  type        = bool
+  description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
+  default     = false
+}
+
+variable "enable_resource_consumption_export" {
+  type        = bool
+  description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export."
+  default     = true
+}
 {% if beta_cluster %}
 
 variable "enable_kubernetes_alpha" {
@@ -428,12 +446,6 @@ variable "pod_security_policy_config" {
   }]
 }
 
-variable "resource_usage_export_dataset_id" {
-  type        = string
-  description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
-  default     = ""
-}
-
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
   default     = "SECURE"

autogen/main/versions.tf.tmpl

@@ -19,9 +19,9 @@ terraform {
 
   required_providers {
 {% if beta_cluster %}
-    google-beta = ">= 3.1, <4.0.0"
+    google-beta = ">= 3.16, <4.0.0"
 {% else %}
-    google = ">= 2.18, <4.0.0"
+    google = ">= 3.16, <4.0.0"
 {% endif %}
   }
 }

autogen/safer-cluster/variables.tf.tmpl

@@ -268,6 +268,18 @@ variable "resource_usage_export_dataset_id" {
   default     = ""
 }
 
+variable "enable_network_egress_export" {
+  type        = bool
+  description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
+  default     = false
+}
+
+variable "enable_resource_consumption_export" {
+  type        = bool
+  description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export."
+  default     = true
+}
+
 variable "sandbox_enabled" {
   type        = bool
   description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."

cluster.tf

@@ -118,6 +118,22 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "resource_usage_export_config" {
+    for_each = var.resource_usage_export_dataset_id != "" ? [{
+      enable_network_egress_metering       = var.enable_network_egress_export
+      enable_resource_consumption_metering = var.enable_resource_consumption_export
+      dataset_id                           = var.resource_usage_export_dataset_id
+    }] : []
+
+    content {
+      enable_network_egress_metering       = resource_usage_export_config.value.enable_network_egress_metering
+      enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
+      bigquery_destination {
+        dataset_id = resource_usage_export_config.value.dataset_id
+      }
+    }
+  }
+
 
   remove_default_node_pool = var.remove_default_node_pool
 }

examples/deploy_service/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/disable_client_cert/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/node_pool/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/node_pool_update_variant/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/node_pool_update_variant_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 3.14.0"
+  version     = "~> 3.16.0"
   credentials = file(var.credentials_path)
   region      = var.region
 }

examples/regional_private_node_pool_oauth_scopes/provider.tf

@@ -15,9 +15,9 @@
  */
 
 provider "google" {
-  version = "3.14.0"
+  version = "3.16.0"
 }
 
 provider "google-beta" {
-  version = "3.14.0"
+  version = "3.16.0"
 }

examples/safer_cluster/main.tf

@@ -30,11 +30,11 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
 }
 
 provider "google-beta" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
 }
 
 module "gke" {

examples/shared_vpc/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_regional/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_regional_beta/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_regional_private/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_regional_private_beta/main.tf

@@ -19,12 +19,12 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 
 provider "google-beta" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_regional_with_kubeconfig/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.3.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_regional_with_networking/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
 }
 
 module "gcp-network" {

examples/simple_zonal_private/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/simple_zonal_with_acm/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/stub_domains/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/stub_domains_private/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/stub_domains_upstream_nameservers/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/upstream_nameservers/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/workload_identity/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

examples/workload_metadata_config/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google-beta" {
-  version = "~> 3.14.0"
+  version = "~> 3.16.0"
   region  = var.region
 }
 

modules/beta-private-cluster-update-variant/README.md

@@ -175,8 +175,10 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
+| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
+| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | list(string) | `<list>` | no |
@@ -221,7 +223,7 @@ Then perform the following commands on the root folder:
 | registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no |
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
-| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
+| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | string | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |