google_container_cluster

Manages a Google Kubernetes Engine (GKE) cluster.

To get more information about GKE clusters, see:

Example Usage - with a separately managed node pool (recommended)

resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

resource "google_container_cluster" "primary" {
  name     = "my-gke-cluster"
  location = "us-central1"

  # We can't create a cluster with no node pool defined, but we want to only use
  # separately managed node pools. So we create the smallest possible default
  # node pool and immediately delete it.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  name       = "my-node-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "e2-medium"

    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    service_account = google_service_account.default.email
    oauth_scopes    = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
  }
}

Example Usage - with the default node pool

resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  node_config {
    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

Argument Reference


The default_snat_status block supports:

The cluster_telemetry block supports:

The addons_config block supports:

This example addons_config disables two addons:

addons_config {
  http_load_balancing {
    disabled = true
  }

  horizontal_pod_autoscaling {
    disabled = true
  }
}

The binary_authorization block supports:

The service_external_ips_config block supports:

The mesh_certificates block supports:

The database_encryption block supports:

The enable_k8s_beta_apis block supports:

The cloudrun_config block supports:

The identity_service_config block supports:

The istio_config block supports:

The cluster_autoscaling block supports:

The resource_limits block supports:

The auto_provisioning_defaults block supports:

The management block supports:

This block also contains several computed attributes, documented below.

The upgrade_settings block supports:

The blue_green_settings block supports:

The standard_rollout_policy block supports:

The authenticator_groups_config block supports:

The logging_config block supports:

The monitoring_config block supports:

The managed_prometheus block supports:

The advanced_datapath_observability_config block supports:

The maintenance_policy block supports:

In beta, one or the other of recurring_window and daily_maintenance_window is required if a maintenance_policy block is supplied.

Examples:

maintenance_policy {
  daily_maintenance_window {
    start_time = "03:00"
  }
}

Specify start_time and end_time in RFC3339 "Zulu" date format. The start time's date is the initial date that the window starts, and the end time is used for calculating duration. Specify recurrence in RFC5545 RRULE format, to specify when this recurs. Note that GKE may accept other formats, but will return values in UTC, causing a permanent diff.

Examples:

maintenance_policy {
  recurring_window {
    start_time = "2019-08-01T02:00:00Z"
    end_time = "2019-08-01T06:00:00Z"
    recurrence = "FREQ=DAILY"
  }
}
maintenance_policy {
  recurring_window {
    start_time = "2019-01-01T09:00:00Z"
    end_time = "2019-01-01T17:00:00Z"
    recurrence = "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR"
  }
}

The maintenance_exclusion block supports:

The exclusion_options block supports:

Specify start_time and end_time in RFC3339 "Zulu" date format. The start time's date is the initial date that the window starts, and the end time is used for calculating duration. Specify recurrence in RFC5545 RRULE format, to specify when this recurs. Note that GKE may accept other formats, but will return values in UTC, causing a permanent diff.

Examples:

maintenance_policy {
  recurring_window {
    start_time = "2019-01-01T00:00:00Z"
    end_time = "2019-01-02T00:00:00Z"
    recurrence = "FREQ=DAILY"
  }
  maintenance_exclusion {
    exclusion_name = "batch job"
    start_time = "2019-01-01T00:00:00Z"
    end_time = "2019-01-02T00:00:00Z"
    exclusion_options {
      scope = "NO_UPGRADES"
    }
  }
  maintenance_exclusion {
    exclusion_name = "holiday data load"
    start_time = "2019-05-01T00:00:00Z"
    end_time = "2019-05-02T00:00:00Z"
    exclusion_options {
      scope = "NO_MINOR_UPGRADES"
    }
  }
}

The ip_allocation_policy block supports:

The additional_pod_ranges_config block supports:

The master_auth block supports:

master_auth {
  client_certificate_config {
    issue_client_certificate = false
  }
}

This block also contains several computed attributes, documented below.

The master_authorized_networks_config block supports:

The master_authorized_networks_config.cidr_blocks block supports:

The network_policy block supports:

The node_config block supports:

ephemeral_storage_config {
  local_ssd_count = 2
}
ephemeral_storage_local_ssd_config {
  local_ssd_count = 2
}
gcfs_config {
  enabled = true
}
gvnic {
  enabled = true
}
kubelet_config {
  cpu_manager_policy   = "static"
  cpu_cfs_quota        = true
  cpu_cfs_quota_period = "100us"
  pod_pids_limit       = 1024
}
sole_tenant_config {
  node_affinity {
    key = "compute.googleapis.com/node-group-name"
    operator = "IN"
    values = ["node-group-name"]
  }
}

The node_affinity block supports:

The advanced_machine_features block supports:

The network_performance_config block supports:

The ephemeral_storage_config block supports:

The ephemeral_storage_local_ssd_config block supports:

The fast_socket block supports:

The local_nvme_ssd_block_config block supports:

The secondary_boot_disks block supports:

The gcfs_config block supports:

The gvnic block supports:

The guest_accelerator block supports:

The gpu_driver_installation_config block supports:

The gpu_sharing_config block supports:

The workload_identity_config block supports:

workload_identity_config {
  workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
}

The node_pool_auto_config block supports:

The network_tags block supports:

node_pool_auto_config {
  network_tags {
    tags = ["foo", "bar"]
  }
}

The node_pool_defaults block supports:

The node_config_defaults block supports:

The notification_config block supports:

The pubsub block supports:

notification_config {
  pubsub {
    enabled = true
    topic = google_pubsub_topic.notifications.id
  }
}

The filter block supports:

The confidential_nodes block supports:

The pod_security_policy_config block supports:

The private_cluster_config block supports:

In addition, the private_cluster_config allows access to the following read-only fields:

The private_cluster_config.master_global_access_config block supports:

The reservation_affinity block supports:

The sandbox_config block supports:

The release_channel block supports:

The cost_management_config block supports:

The resource_usage_export_config block supports:

resource_usage_export_config {
  enable_network_egress_metering = false
  enable_resource_consumption_metering = true

  bigquery_destination {
    dataset_id = "cluster_resource_usage"
  }
}

The shielded_instance_config block supports:

Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. Defaults to false.

Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. Defaults to true.
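As an added example that is not part of the provider documentation, the following configuration wires the shielded_instance_config options above into a node pool alongside the other hardening blocks this page names (shielded nodes, private nodes, authorized networks, Workload Identity, Binary Authorization). var.project_id and the CIDR ranges are assumed values; google_service_account.default is the account from the examples at the top of the page.

```hcl
# Added example (not provider code); var.project_id and the CIDRs are assumed values.
resource "google_container_cluster" "hardened" {
  name     = "hardened-gke"
  location = "us-central1"

  remove_default_node_pool = true
  initial_node_count       = 1
  enable_shielded_nodes    = true # kubelet identity attested via vTPM

  ip_allocation_policy {} # VPC-native networking, required for private nodes

  private_cluster_config {
    enable_private_nodes    = true  # nodes get no public IPs
    enable_private_endpoint = false # public endpoint kept, allow-listed below
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"
      display_name = "corp-vpn"
    }
  }
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" # admit only policy-approved images
  }
}

resource "google_container_node_pool" "hardened" {
  name       = "hardened-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.hardened.name
  node_count = 1

  node_config {
    machine_type    = "e2-medium"
    service_account = google_service_account.default.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    shielded_instance_config {
      enable_secure_boot          = true # refuse unsigned boot components
      enable_integrity_monitoring = true # attest boot measurements against the baseline
    }
    workload_metadata_config {
      mode = "GKE_METADATA" # per-pod credentials; node SA token not exposed to pods
    }
  }
}
```

Pods that need Google Cloud access then bind a Kubernetes service account to an IAM service account through the workload pool rather than inheriting the node's identity.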

The taint block supports:

The workload_metadata_config block supports:

The kubelet_config block supports:

The linux_node_config block supports:

linux_node_config {
  sysctls = {
    "net.core.netdev_max_backlog" = "10000"
    "net.core.rmem_max"           = "10000"
  }
}

The vertical_pod_autoscaling block supports:

The dns_config block supports:

The gateway_api_config block supports:

The protect_config block supports:

The protect_config.workload_config block supports:

The security_posture_config block supports:

The fleet block supports:

The workload_alts_config block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

GKE clusters can be imported using the project, location, and name. If the project is omitted, the default provider value will be used. Examples:

In Terraform v1.5.0 and later, use an import block to import GKE clusters using one of the formats above. For example:

import {
  id = "projects/{{project_id}}/locations/{{location}}/clusters/{{cluster_id}}"
  to = google_container_cluster.default
}

When using the terraform import command, GKE clusters can be imported using one of the formats above. For example:

$ terraform import google_container_cluster.default projects/{{project_id}}/locations/{{location}}/clusters/{{cluster_id}}

$ terraform import google_container_cluster.default {{project_id}}/{{location}}/{{cluster_id}}

$ terraform import google_container_cluster.default {{location}}/{{cluster_id}}

For example, the following fields will show diffs if set in config:

User Project Overrides

This resource supports User Project Overrides.