An Anthos cluster running on customer-owned infrastructure.
To get more information about Cluster, see:
```hcl
data "google_project" "project" {
}

data "google_container_attached_versions" "versions" {
  location = "us-west1"
  project  = data.google_project.project.project_id
}

resource "google_container_attached_cluster" "primary" {
  name         = "basic"
  location     = "us-west1"
  project      = data.google_project.project.project_id
  description  = "Test cluster"
  distribution = "aks"
  oidc_config {
    issuer_url = "https://oidc.issuer.url"
  }
  platform_version = data.google_container_attached_versions.versions.valid_versions[0]
  fleet {
    project = "projects/${data.google_project.project.number}"
  }
}
```
```hcl
data "google_project" "project" {
}

data "google_container_attached_versions" "versions" {
  location = "us-west1"
  project  = data.google_project.project.project_id
}

resource "google_container_attached_cluster" "primary" {
  name         = "basic"
  project      = data.google_project.project.project_id
  location     = "us-west1"
  description  = "Test cluster"
  distribution = "aks"
  annotations = {
    label-one = "value-one"
  }
  authorization {
    admin_users  = ["user1@example.com", "user2@example.com"]
    admin_groups = ["group1@example.com", "group2@example.com"]
  }
  oidc_config {
    issuer_url = "https://oidc.issuer.url"
    jwks       = base64encode("{\"keys\":[{\"use\":\"sig\",\"kty\":\"RSA\",\"kid\":\"testid\",\"alg\":\"RS256\",\"n\":\"somedata\",\"e\":\"AQAB\"}]}")
  }
  platform_version = data.google_container_attached_versions.versions.valid_versions[0]
  fleet {
    project = "projects/${data.google_project.project.number}"
  }
  logging_config {
    component_config {
      enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS"]
    }
  }
  monitoring_config {
    managed_prometheus_config {
      enabled = true
    }
  }
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }
  proxy_config {
    kubernetes_secret {
      name      = "proxy-config"
      namespace = "default"
    }
  }
}
```
```hcl
data "google_project" "project" {
}

data "google_container_attached_versions" "versions" {
  location = "us-west1"
  project  = data.google_project.project.project_id
}

resource "google_container_attached_cluster" "primary" {
  name         = "basic"
  location     = "us-west1"
  project      = data.google_project.project.project_id
  description  = "Test cluster"
  distribution = "aks"
  oidc_config {
    issuer_url = "https://oidc.issuer.url"
  }
  platform_version = data.google_container_attached_versions.versions.valid_versions[0]
  fleet {
    project = "projects/${data.google_project.project.number}"
  }
  deletion_policy = "DELETE_IGNORE_ERRORS"
}
```
The following arguments are supported:
location - (Required) The location for the resource.
name - (Required) The name of this resource.
oidc_config - (Required) OIDC discovery information of the target cluster.
Kubernetes Service Account (KSA) tokens are JWT tokens signed by the cluster
API server. This field indicates how GCP services validate KSA tokens in order
to allow system workloads (such as GKE Connect and telemetry agents) to
authenticate back to GCP.
Both clusters with public and private issuer URLs are supported.
Clusters with public issuers only need to specify the issuer_url field,
while clusters with private issuers need to provide both issuer_url and jwks.
Structure is documented below.
platform_version - (Required) The platform version for the cluster (e.g. 1.23.0-gke.1).
distribution - (Required) The Kubernetes distribution of the underlying attached cluster. Supported values: "eks", "aks".
fleet - (Required) Fleet configuration.
Structure is documented below.
The oidc_config block supports:
issuer_url - (Required) A JSON Web Token (JWT) issuer URI. The issuer_url must start with https://.
jwks - (Optional) OIDC verification keys in JWKS format (RFC 7517).
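A pre-apply check for this block, added here as an example and not part of the provider or its documentation: it decodes the value that base64encode() would pass in jwks, checks each key against what the API needs to validate KSA tokens (an RSA signing key usable for RS256 with base64url-encoded n and e), and flags the placeholder modulus "somedata" used in the second example above. The 2048-bit floor and the make_jwks_b64 helper are this example's own assumptions.

```python
import base64
import json

def _b64url_decode(value):
    # JWK integers are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def _b64url_int(i):
    # Unpadded base64url of a big-endian integer, the form a JWK carries n and e in.
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwks_b64(n, e=65537, kid="demo-kid"):
    # Helper assumed for this example: wrap one RSA public key as the jwks argument value.
    key = {"use": "sig", "kty": "RSA", "kid": kid, "alg": "RS256", "n": _b64url_int(n), "e": _b64url_int(e)}
    return base64.b64encode(json.dumps({"keys": [key]}).encode()).decode()

def check_oidc_config(issuer_url, jwks_b64=None, private_issuer=False):
    """Return the problems found in an oidc_config block; an empty list means it looks acceptable."""
    problems = []
    if not issuer_url.startswith("https://"):
        problems.append("issuer_url must start with https://")
    if private_issuer and jwks_b64 is None:
        problems.append("private issuer: jwks must be provided alongside issuer_url")
    if jwks_b64 is None:
        return problems
    try:
        keys = json.loads(base64.b64decode(jwks_b64, validate=True))["keys"]
    except (ValueError, KeyError, TypeError) as exc:
        return problems + [f"jwks is not base64-encoded JSON with a 'keys' array: {exc!r}"]
    if not isinstance(keys, list) or not keys:
        return problems + ["jwks 'keys' must be a non-empty array"]
    for i, key in enumerate(keys):
        tag = f"keys[{i}]"
        if not isinstance(key, dict) or key.get("kty") != "RSA" or key.get("alg", "RS256") != "RS256":
            problems.append(f"{tag}: expected an RSA key usable for RS256, the algorithm KSA tokens are signed with")
            continue
        try:
            n = int.from_bytes(_b64url_decode(key["n"]), "big")
            int.from_bytes(_b64url_decode(key["e"]), "big")  # decoded only to validate its shape
        except (KeyError, ValueError, TypeError):
            problems.append(f"{tag}: 'n' and 'e' must be base64url-encoded big-endian integers")
            continue
        if n.bit_length() < 2048:  # assumed floor; the page itself states no key size
            problems.append(f"{tag}: RSA modulus is {n.bit_length()} bits; expected at least 2048")
    return problems

# The JWKS from the second example on this page, wrapped the way base64encode() passes it.
DOC_JWKS_B64 = base64.b64encode(b'{"keys":[{"use":"sig","kty":"RSA","kid":"testid","alg":"RS256","n":"somedata","e":"AQAB"}]}').decode()
```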
The fleet block supports:
membership - (Output) The name of the managed Hub Membership resource associated to this
cluster. Membership names are formatted as projects/
project - (Required) The number of the Fleet host project where this cluster will be registered.
description - (Optional) A human-readable description of this attached cluster. Cannot be longer
than 255 UTF-8 encoded bytes.
annotations - (Optional) Annotations on the cluster. This field has the same
restrictions as Kubernetes annotations. The total size of all keys and
values combined is limited to 256k. Key can have 2 segments: prefix (optional)
and name (required), separated by a slash (/). Prefix must be a DNS subdomain.
Name must be 63 characters or less, begin and end with alphanumerics,
with dashes (-), underscores (_), dots (.), and alphanumerics between.
Note: This field is non-authoritative, and will only manage the annotations present in your configuration.
Please refer to the field effective_annotations for all of the annotations present on the resource.
logging_config - (Optional) Logging configuration. Structure is documented below.
authorization - (Optional) Configuration related to the cluster RBAC settings. Structure is documented below.
monitoring_config - (Optional) Monitoring configuration. Structure is documented below.
binary_authorization - (Optional) Binary Authorization configuration. Structure is documented below.
proxy_config - (Optional) Support for proxy configuration. Structure is documented below.
project - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
deletion_policy - (Optional) Policy to determine what flags to send on delete.
The logging_config block supports:
component_config - (Optional) The configuration of the logging components. Structure is documented below.
The component_config block supports:
enable_components - (Optional) The components to be enabled. Each value may be one of: SYSTEM_COMPONENTS, WORKLOADS.
The authorization block supports:
admin_users - (Optional) Users that can perform operations as a cluster admin. A managed
ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the users.
Up to ten admin users can be provided.
For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
admin_groups - (Optional) Groups that can perform operations as a cluster admin. A managed
ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the groups.
Up to ten admin groups can be provided.
For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
The monitoring_config block supports:
managed_prometheus_config - (Optional) Enable Google Cloud Managed Service for Prometheus in the cluster. Structure is documented below.
The managed_prometheus_config block supports:
enabled - (Optional) Enable Managed Collection.
The binary_authorization block supports:
evaluation_mode - (Optional) Configure Binary Authorization evaluation mode. Possible values are: DISABLED, PROJECT_SINGLETON_POLICY_ENFORCE.
The proxy_config block supports:
kubernetes_secret - (Optional) The Kubernetes Secret resource that contains the HTTP(S) proxy configuration. Structure is documented below.
The kubernetes_secret block supports:
name - (Required) Name of the Kubernetes secret containing the proxy config.
namespace - (Required) Namespace of the Kubernetes secret containing the proxy config.
In addition to the arguments listed above, the following computed attributes are exported:
id - An identifier for the resource with format projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}
cluster_region - Output only. The region where this cluster runs.
For EKS clusters, this is an AWS region. For AKS clusters, this is an Azure region.
state - The current state of the cluster. Possible values:
STATE_UNSPECIFIED, PROVISIONING, RUNNING, RECONCILING, STOPPING, ERROR, DEGRADED
uid - A globally unique identifier for the cluster.
reconciling - If set, there are currently changes in flight to the cluster.
create_time - Output only. The time at which this cluster was created.
update_time - The time at which this cluster was last updated.
kubernetes_version - The Kubernetes version of the cluster.
workload_identity_config - Workload Identity settings. Structure is documented below.
errors - A set of errors found in the cluster. Structure is documented below.
effective_annotations - All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
The workload_identity_config block contains:
identity_provider - (Optional) The ID of the OIDC Identity Provider (IdP) associated to the Workload Identity Pool.
issuer_uri - (Optional) The OIDC issuer URL for this cluster.
workload_pool - (Optional) The Workload Identity Pool associated to the cluster.
The errors block contains:
message - (Optional) Human-friendly description of the error.
This resource provides the following Timeouts configuration options:
create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.
Cluster can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import block to import Cluster using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}"
  to = google_container_attached_cluster.default
}
```

When using the terraform import command, Cluster can be imported using one of the formats above. For example:

```sh
$ terraform import google_container_attached_cluster.default projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}
$ terraform import google_container_attached_cluster.default {{project}}/{{location}}/{{name}}
$ terraform import google_container_attached_cluster.default {{location}}/{{name}}
```
This resource supports User Project Overrides.