Feature represents the settings and status of any Hub Feature.
To get more information about Feature, see:
resource "google_container_cluster" "cluster" {
  name               = "my-cluster"
  location           = "us-central1-a"
  initial_node_count = 1
}

resource "google_gke_hub_membership" "membership" {
  membership_id = "my-membership"
  endpoint {
    gke_cluster {
      resource_link = "//container.googleapis.com/${google_container_cluster.cluster.id}"
    }
  }
  description = "Membership"
}

resource "google_gke_hub_feature" "feature" {
  name     = "multiclusteringress"
  location = "global"
  spec {
    multiclusteringress {
      config_membership = google_gke_hub_membership.membership.id
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "multiclusterservicediscovery"
  location = "global"
  labels = {
    foo = "bar"
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "servicemesh"
  location = "global"
}

resource "google_gke_hub_feature" "feature" {
  name     = "fleetobservability"
  location = "global"
  spec {
    fleetobservability {
      logging_config {
        default_config {
          mode = "COPY"
        }
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "fleetobservability"
  location = "global"
  spec {
    fleetobservability {
      logging_config {
        fleet_scope_logs_config {
          mode = "MOVE"
        }
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "fleetobservability"
  location = "global"
  spec {
    fleetobservability {
      logging_config {
        default_config {
          mode = "COPY"
        }
        fleet_scope_logs_config {
          mode = "MOVE"
        }
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "servicemesh"
  location = "global"
  fleet_default_member_config {
    mesh {
      management = "MANAGEMENT_AUTOMATIC"
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "configmanagement"
  location = "global"
  fleet_default_member_config {
    configmanagement {
      config_sync {
        git {
          sync_repo = "https://github.com/hashicorp/terraform"
        }
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "policycontroller"
  location = "global"
  fleet_default_member_config {
    policycontroller {
      policy_controller_hub_config {
        install_spec          = "INSTALL_SPEC_ENABLED"
        exemptable_namespaces = ["foo"]
        policy_content {
          bundles {
            bundle              = "policy-essentials-v2022"
            exempted_namespaces = ["foo", "bar"]
          }
          template_library {
            installation = "ALL"
          }
        }
        audit_interval_seconds    = 30
        referential_rules_enabled = true
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "policycontroller"
  location = "global"
  fleet_default_member_config {
    policycontroller {
      policy_controller_hub_config {
        install_spec = "INSTALL_SPEC_SUSPENDED"
        policy_content {
          bundles {
            bundle              = "pci-dss-v3.2.1"
            exempted_namespaces = ["baz", "bar"]
          }
          bundles {
            bundle              = "nist-sp-800-190"
            exempted_namespaces = []
          }
          template_library {
            installation = "ALL"
          }
        }
        constraint_violation_limit = 50
        referential_rules_enabled  = true
        log_denies_enabled         = true
        mutation_enabled           = true
        deployment_configs {
          component     = "admission"
          replica_count = 2
          pod_affinity  = "ANTI_AFFINITY"
        }
        deployment_configs {
          component = "audit"
          container_resources {
            limits {
              memory = "1Gi"
              cpu    = "1.5"
            }
            requests {
              memory = "500Mi"
              cpu    = "150m"
            }
          }
          pod_toleration {
            key      = "key1"
            operator = "Equal"
            value    = "value1"
            effect   = "NoSchedule"
          }
        }
        monitoring {
          backends = [
            "PROMETHEUS"
          ]
        }
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "policycontroller"
  location = "global"
  fleet_default_member_config {
    policycontroller {
      policy_controller_hub_config {
        install_spec = "INSTALL_SPEC_ENABLED"
        policy_content {}
        constraint_violation_limit = 50
        referential_rules_enabled  = true
        log_denies_enabled         = true
        mutation_enabled           = true
        deployment_configs {
          component = "admission"
        }
        monitoring {}
      }
    }
  }
}

resource "google_gke_hub_feature" "feature" {
  name     = "clusterupgrade"
  location = "global"
  spec {
    clusterupgrade {
      upstream_fleets = []
      post_conditions {
        soaking = "60s"
      }
    }
  }
}
The following arguments are supported:

location - (Required) The location for the resource
name - (Optional) The full, unique name of this Feature resource
labels - (Optional) GCP labels for this Feature.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.
spec - (Optional) Optional. Hub-wide Feature configuration. If this Feature does not support any Hub-wide configuration, this field may be unused. Structure is documented below.
fleet_default_member_config - (Optional) Optional. Fleet Default Membership Configuration. Structure is documented below.
project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The spec block supports:

multiclusteringress - (Optional) Multicluster Ingress-specific spec. Structure is documented below.
fleetobservability - (Optional) Fleet Observability feature spec. Structure is documented below.
clusterupgrade - (Optional) Clusterupgrade feature spec. Structure is documented below.
The multiclusteringress block supports:

config_membership - (Required) Fully-qualified Membership name which hosts the MultiClusterIngress CRD. Example: projects/foo-proj/locations/global/memberships/bar

The fleetobservability block supports:

logging_config - (Optional) Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet. Structure is documented below.

The logging_config block supports:

default_config - (Optional) Specified if applying the default routing config to logs not specified in other configs. Structure is documented below.
fleet_scope_logs_config - (Optional) Specified if applying the routing config to all logs for all fleet scopes. Structure is documented below.

The default_config block supports:

mode - (Optional) Specified if fleet logging feature is enabled. Possible values are: MODE_UNSPECIFIED, COPY, MOVE.

The fleet_scope_logs_config block supports:

mode - (Optional) Specified if fleet logging feature is enabled. Possible values are: MODE_UNSPECIFIED, COPY, MOVE.

The clusterupgrade block supports:

upstream_fleets - (Required) Specified if other fleet should be considered as a source of upgrades. Currently, at most one upstream fleet is allowed. The fleet name should be either fleet project number or id.
post_conditions - (Required) Post conditions to override for the specified upgrade. Structure is documented below.
gke_upgrade_overrides - (Optional) Configuration overrides for individual upgrades. Structure is documented below.
The post_conditions block supports:

soaking - (Required) Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days.

The gke_upgrade_overrides block supports:

upgrade - (Required) Which upgrade to override. Structure is documented below.
post_conditions - (Required) Post conditions to override for the specified upgrade. Structure is documented below.

The upgrade block supports:

name - (Required) Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceed 99 characters.
version - (Required) Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceed 99 characters.

The post_conditions block supports:

soaking - (Required) Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days.

The fleet_default_member_config block supports:

mesh - (Optional) Service Mesh spec. Structure is documented below.
configmanagement - (Optional) Config Management spec. Structure is documented below.
policycontroller - (Optional) Policy Controller spec. Structure is documented below.
The mesh block supports:

management - (Required) Whether to automatically manage Service Mesh. Possible values are: MANAGEMENT_UNSPECIFIED, MANAGEMENT_AUTOMATIC, MANAGEMENT_MANUAL.

The configmanagement block supports:

version - (Optional) Version of ACM installed
config_sync - (Optional) ConfigSync configuration for the cluster. Structure is documented below.

The config_sync block supports:

source_format - (Optional) Specifies whether the Config Sync Repo is in hierarchical or unstructured mode
git - (Optional) Git repo configuration for the cluster. Structure is documented below.
oci - (Optional) OCI repo configuration for the cluster. Structure is documented below.

The git block supports:

sync_repo - (Optional) The URL of the Git repository to use as the source of truth
sync_branch - (Optional) The branch of the repository to sync from. Default: master
policy_dir - (Optional) The path within the Git repository that represents the top level of the repo to sync
sync_rev - (Optional) Git revision (tag or hash) to check out. Default: HEAD
secret_type - (Required) Type of secret configured for access to the Git repo
https_proxy - (Optional) URL for the HTTPS Proxy to be used when communicating with the Git repo
gcp_service_account_email - (Optional) The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount
sync_wait_secs - (Optional) Period in seconds between consecutive syncs. Default: 15

The oci block supports:

sync_repo - (Optional) The OCI image repository URL for the package to sync from
policy_dir - (Optional) The absolute path of the directory that contains the local resources. Default: the root directory of the image
secret_type - (Required) Type of secret configured for access to the Git repo
gcp_service_account_email - (Optional) The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount
sync_wait_secs - (Optional) Period in seconds between consecutive syncs. Default: 15
version - (Optional, Deprecated) Version of ACM installed

~> Warning: The configmanagement.config_sync.oci.version field is deprecated and will be removed in a future major release. Please use the configmanagement.version field to specify the version of ACM installed instead.
The policycontroller block supports:

version - (Optional) Configures the version of Policy Controller
policy_controller_hub_config - (Required) Configuration of Policy Controller. Structure is documented below.

The policy_controller_hub_config block supports:

install_spec - (Required) Configures the mode of the Policy Controller installation. Possible values are: INSTALL_SPEC_UNSPECIFIED, INSTALL_SPEC_NOT_INSTALLED, INSTALL_SPEC_ENABLED, INSTALL_SPEC_SUSPENDED, INSTALL_SPEC_DETACHED.
audit_interval_seconds - (Optional) Interval for Policy Controller Audit scans (in seconds). When set to 0, this disables audit functionality altogether.
exemptable_namespaces - (Optional) The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
log_denies_enabled - (Optional) Logs all denies and dry run failures.
mutation_enabled - (Optional) Enables the ability to mutate resources using Policy Controller.
referential_rules_enabled - (Optional) Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated.
monitoring - (Optional) Monitoring specifies the configuration of monitoring Policy Controller. Structure is documented below.
constraint_violation_limit - (Optional) The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used.
deployment_configs - (Optional) Map of deployment configs to deployments ("admission", "audit", "mutation"). Structure is documented below.
policy_content - (Optional) Specifies the desired policy content on the cluster. Structure is documented below.
The monitoring block supports:

backends - (Optional) Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. Each value may be one of: MONITORING_BACKEND_UNSPECIFIED, PROMETHEUS, CLOUD_MONITORING.

The deployment_configs block supports:

component - (Required) The identifier for this object. Format specified above.
replica_count - (Optional) Pod replica count.
container_resources - (Optional) Container resource requirements. Structure is documented below.
pod_affinity - (Optional) Pod affinity configuration. Possible values are: AFFINITY_UNSPECIFIED, NO_AFFINITY, ANTI_AFFINITY.
pod_toleration - (Optional) Pod tolerations of node taints. Structure is documented below.

The container_resources block supports:

limits - (Optional) Limits describes the maximum amount of compute resources allowed for use by the running container. Structure is documented below.
requests - (Optional) Requests describes the amount of compute resources reserved for the container by the kube-scheduler. Structure is documented below.

The limits block supports:

memory - (Optional) Memory requirement expressed in Kubernetes resource units.
cpu - (Optional) CPU requirement expressed in Kubernetes resource units.

The requests block supports:

memory - (Optional) Memory requirement expressed in Kubernetes resource units.
cpu - (Optional) CPU requirement expressed in Kubernetes resource units.

The pod_toleration block supports:

key - (Optional) Matches a taint key (not necessarily unique).
operator - (Optional) Matches a taint operator.
value - (Optional) Matches a taint value.
effect - (Optional) Matches a taint effect.

The policy_content block supports:

template_library - (Optional) Configures the installation of the Template Library. Structure is documented below.
bundles - (Optional) Configures which bundles to install and their corresponding install specs. Structure is documented below.

The template_library block supports:

installation - (Optional) Configures the manner in which the template library is installed on the cluster. Possible values are: INSTALATION_UNSPECIFIED, NOT_INSTALLED, ALL.

The bundles block supports:

bundle - (Required) The identifier for this object. Format specified above.
exempted_namespaces - (Optional) The set of namespaces to be exempted from the bundle.
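As an added example (not part of the provider documentation), the check below reads `terraform show -json` plan output and flags policy_controller_hub_config settings that weaken enforcement, applying the field semantics documented above: an install_spec other than INSTALL_SPEC_ENABLED, audit_interval_seconds set to 0, log_denies_enabled not true, non-empty exemptable_namespaces, and an empty monitoring.backends list. The plan JSON is constructed, and the code assumes Terraform's plan format, in which nested HCL blocks are serialised as single-element lists.

```python
import json
# Constructed sample of `terraform show -json` output (not taken from the page).
# Assumption: nested HCL blocks appear as single-element lists in plan JSON.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
 {"address": "google_gke_hub_feature.weak", "type": "google_gke_hub_feature",
  "values": {"name": "policycontroller", "fleet_default_member_config": [{
   "policycontroller": [{"policy_controller_hub_config": [{
    "install_spec": "INSTALL_SPEC_SUSPENDED", "audit_interval_seconds": 0,
    "log_denies_enabled": false, "exemptable_namespaces": ["kube-system", "dev"],
    "monitoring": [{"backends": []}]}]}]}]}},
 {"address": "google_gke_hub_feature.hardened", "type": "google_gke_hub_feature",
  "values": {"name": "policycontroller", "fleet_default_member_config": [{
   "policycontroller": [{"policy_controller_hub_config": [{
    "install_spec": "INSTALL_SPEC_ENABLED", "audit_interval_seconds": 60,
    "log_denies_enabled": true, "exemptable_namespaces": [],
    "monitoring": [{"backends": ["CLOUD_MONITORING"]}]}]}]}]}}
]}}}
""")

def first(blocks):
    """Return the first nested block (plan JSON wraps blocks in lists) or {}."""
    return blocks[0] if blocks else {}

def audit_feature(values):
    """Findings for one google_gke_hub_feature, using the documented field semantics."""
    fdmc = first(values.get("fleet_default_member_config") or [])
    pc = first(fdmc.get("policycontroller") or [])
    cfg = first(pc.get("policy_controller_hub_config") or [])
    findings = []
    if cfg.get("install_spec") != "INSTALL_SPEC_ENABLED":
        findings.append(f"install_spec={cfg.get('install_spec')}: Policy Controller not enforcing")
    if cfg.get("audit_interval_seconds") == 0:  # 0 disables audit altogether
        findings.append("audit_interval_seconds=0 disables audit scans")
    if cfg.get("log_denies_enabled") is not True:
        findings.append("log_denies_enabled is not true: denies and dry-run failures are not logged")
    if exempt := cfg.get("exemptable_namespaces"):
        findings.append("namespaces excluded from checks: " + ", ".join(exempt))
    monitoring = cfg.get("monitoring") or []
    if monitoring and not first(monitoring).get("backends"):  # empty list disables export
        findings.append("monitoring.backends is empty: metrics export effectively disabled")
    return findings

def audit_plan(plan):
    """Map each policycontroller Feature address in the plan to its findings."""
    resources = plan["planned_values"]["root_module"]["resources"]
    return {r["address"]: audit_feature(r["values"]) for r in resources
            if r["type"] == "google_gke_hub_feature"
            and r["values"].get("name") == "policycontroller"}
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `audit_plan(json.load(open("plan.json")))`; an empty findings list means the Feature matches the enforcing settings above.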
In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/features/{{name}}
resource_state - State of the Feature resource itself. Structure is documented below.
state - Output only. The Hub-wide Feature state. Structure is documented below.
create_time - Output only. When the Feature resource was created.
update_time - Output only. When the Feature resource was last updated.
delete_time - Output only. When the Feature resource was deleted.
terraform_labels - The combination of labels configured directly on the resource and default labels configured on the provider.
effective_labels - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.

The resource_state block contains:

state - (Output) The current state of the Feature resource in the Hub API.
has_resources - (Output) Whether this Feature has outstanding resources that need to be cleaned up before it can be disabled.

The state block contains:

state - (Output) Output only. The "running state" of the Feature in this Hub. Structure is documented below.

The nested state block contains:

code - (Output) The high-level, machine-readable status of this Feature.
description - (Output) A human-readable description of the current status.
update_time - (Output) The time this status and any related Feature-specific details were updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.

Feature can be imported using any of these accepted formats:

projects/{{project}}/locations/{{location}}/features/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}

In Terraform v1.5.0 and later, use an import block to import Feature using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/features/{{name}}"
  to = google_gke_hub_feature.default
}

When using the terraform import command, Feature can be imported using one of the formats above. For example:

$ terraform import google_gke_hub_feature.default projects/{{project}}/locations/{{location}}/features/{{name}}
$ terraform import google_gke_hub_feature.default {{project}}/{{location}}/{{name}}
$ terraform import google_gke_hub_feature.default {{location}}/{{name}}

This resource supports User Project Overrides.