diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf
index 1e61965ca2..fbf04dcd78 100644
--- a/modules/beta-public-cluster/firewall.tf
+++ b/modules/beta-public-cluster/firewall.tf
@@ -24,9 +24,26 @@ Required for clusters when VPCs enforce a default-deny egress rule
 *****************************************/
+
+locals {
+ rule_name_base = (
+ var.add_firewall_rule_name_unique_suffix ?
+ "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
+ substr(var.name, 0, min(36, length(var.name)))
+ )
+}
+
+resource "random_string" "google_compute_firewall_suffix" {
+ count = var.add_firewall_rule_name_unique_suffix ? 1 : 0
+ upper = false
+ lower = true
+ special = false
+ length = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+ name = "gke-${local.rule_name_base}-intra-cluster-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
 project = local.network_project_id
 network = var.network
@@ -67,7 +84,7 @@ resource "google_compute_firewall" "intra_egress" {
 *****************************************/
 resource "google_compute_firewall" "tpu_egress" {
 count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress"
+ name = "gke-${local.rule_name_base}-tpu-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with TPUs"
 project = local.network_project_id
 network = var.network
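Review bot: Enabling `add_firewall_rule_name_unique_suffix` on an already-deployed cluster changes the `name` of every rule built from `local.rule_name_base`, and `name` forces replacement of `google_compute_firewall`, so the existing allow rules are destroyed before their renamed successors exist; for `intra_egress`, which the header comment says is required where the VPC enforces default-deny egress, that is a window with no pod-to-pod or pod-to-master egress. Since the old and new names never collide, `lifecycle { create_before_destroy = true }` on the renamed firewall resources closes that window, and the variable description should warn that flipping the flag recreates the rules. The suffix itself stays stable across applies because `random_string` has no `keepers`, which is the right choice here. The same rename, and so the same replacement, applies to the `tpu_egress` hunk below and to the `master_webhooks` and `shadow_*` hunks, here and in modules/private-cluster/firewall.tf, so the lifecycle block is needed on each of them.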
@@ -99,7 +116,7 @@ resource "google_compute_firewall" "tpu_egress" {
 *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
 count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+ name = "gke-${local.rule_name_base}-webhooks"
 description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
 project = local.network_project_id
 network = var.network
@@ -129,7 +146,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+ name = "gke-shadow-${local.rule_name_base}-all"
 description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
@@ -158,7 +175,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+ name = "gke-shadow-${local.rule_name_base}-master"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -184,7 +201,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+ name = "gke-shadow-${local.rule_name_base}-vms"
 description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -219,7 +236,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+ name = "gke-shadow-${local.rule_name_base}-inkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
 project = local.network_project_id
 network = var.network
@@ -246,7 +263,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+ name = "gke-shadow-${local.rule_name_base}-exkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
 project = local.network_project_id
 network = var.network
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index e6f3eab0e4..d068164904 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -780,3 +780,9 @@ variable "enable_gcfs" {
 description = "Enable image streaming on cluster level."
 default = false
 }
+
+variable "add_firewall_rule_name_unique_suffix" {
+ type = bool
+ description = "Create additional firewall rule unique suffix"
+ default = false
+}
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index a5d89cefe0..989591524b 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -24,9 +24,25 @@ Required for clusters when VPCs enforce a default-deny egress rule
 *****************************************/
+locals {
+ rule_name_base = (
+ var.add_firewall_rule_name_unique_suffix ?
+ "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
+ substr(var.name, 0, min(36, length(var.name)))
+ )
+}
+
+resource "random_string" "google_compute_firewall_suffix" {
+ count = var.add_firewall_rule_name_unique_suffix ? 1 : 0
+ upper = false
+ lower = true
+ special = false
+ length = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+ name = "gke-${local.rule_name_base}-intra-cluster-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
 project = local.network_project_id
 network = var.network
@@ -60,7 +76,7 @@ resource "google_compute_firewall" "intra_egress" {
 *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
 count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+ name = "gke-${local.rule_name_base}-webhooks"
 description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
 project = local.network_project_id
 network = var.network
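Review bot: The description `Create additional firewall rule unique suffix` says neither what the suffix is nor what enabling it changes, and the identical text is added to modules/private-cluster/variables.tf. I would write `description = "Append a random 4-character suffix to the names of the firewall rules this module creates, truncating the cluster-name part to 31 characters so the overall name length is unchanged; changing this on an existing cluster renames and therefore recreates those rules."`. Naming the problem it solves, distinct rule names when several clusters share the first 36 characters of their name, would also help callers decide whether to set it.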
@@ -87,7 +103,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+ name = "gke-shadow-${local.rule_name_base}-all"
 description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
@@ -116,7 +132,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+ name = "gke-shadow-${local.rule_name_base}-master"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -142,7 +158,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+ name = "gke-shadow-${local.rule_name_base}-vms"
 description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -177,7 +193,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+ name = "gke-shadow-${local.rule_name_base}-inkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
 project = local.network_project_id
 network = var.network
@@ -204,7 +220,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+ name = "gke-shadow-${local.rule_name_base}-exkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
 project = local.network_project_id
 network = var.network
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 2f3de8bc6d..30baafecd3 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -473,6 +473,12 @@ variable "add_master_webhook_firewall_rules" {
 default = false
 }
+variable "add_firewall_rule_name_unique_suffix" {
+ type = bool
+ description = "Create additional firewall rule unique suffix"
+ default = false
+}
+
 variable "firewall_priority" {
 type = number
 description = "Priority rule for firewall rules"