
googleContainerAttachedCluster

An Anthos cluster running on customer-owned infrastructure.

To get more information about Cluster, see:

Example Usage - Container Attached Cluster Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as google from "./.gen/providers/google";
// Look up the current project and the platform versions valid in the region.
const dataGoogleProjectProject = new google.dataGoogleProject.DataGoogleProject(
  this,
  "project",
  {}
);
const dataGoogleContainerAttachedVersionsVersions =
  new google.dataGoogleContainerAttachedVersions.DataGoogleContainerAttachedVersions(
    this,
    "versions",
    {
      location: "us-west1",
      project: dataGoogleProjectProject.projectId,
    }
  );
// Public OIDC issuer: only issuerUrl is needed; the JWKS is fetched from it.
new google.containerAttachedCluster.ContainerAttachedCluster(this, "primary", {
  description: "Test cluster",
  distribution: "aks",
  fleet: {
    project: `projects/${dataGoogleProjectProject.number}`,
  },
  location: "us-west1",
  name: "basic",
  oidcConfig: {
    issuerUrl: "https://oidc.issuer.url",
  },
  platformVersion: Fn.element(
    dataGoogleContainerAttachedVersionsVersions.validVersions,
    0
  ),
  project: dataGoogleProjectProject.projectId,
});

Example Usage - Container Attached Cluster Full

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as google from "./.gen/providers/google";
const dataGoogleProjectProject = new google.dataGoogleProject.DataGoogleProject(
  this,
  "project",
  {}
);
const dataGoogleContainerAttachedVersionsVersions =
  new google.dataGoogleContainerAttachedVersions.DataGoogleContainerAttachedVersions(
    this,
    "versions",
    {
      location: "us-west1",
      project: dataGoogleProjectProject.projectId,
    }
  );
new google.containerAttachedCluster.ContainerAttachedCluster(this, "primary", {
  annotations: {
    "label-one": "value-one",
  },
  // Up to ten users receive the cluster-admin ClusterRole through a managed binding.
  authorization: {
    adminUsers: ["user1@example.com", "user2@example.com"],
  },
  description: "Test cluster",
  distribution: "aks",
  fleet: {
    project: `projects/${dataGoogleProjectProject.number}`,
  },
  location: "us-west1",
  loggingConfig: {
    componentConfig: {
      enableComponents: ["SYSTEM_COMPONENTS", "WORKLOADS"],
    },
  },
  monitoringConfig: {
    managedPrometheusConfig: {
      enabled: true,
    },
  },
  name: "basic",
  oidcConfig: {
    issuerUrl: "https://oidc.issuer.url",
    // Private issuer: the signing keys are supplied as a base64-encoded JWKS document.
    jwks: Fn.base64encode(
      '{"keys":[{"use":"sig","kty":"RSA","kid":"testid","alg":"RS256","n":"somedata","e":"AQAB"}]}'
    ),
  },
  platformVersion: Fn.element(
    dataGoogleContainerAttachedVersionsVersions.validVersions,
    0
  ),
  project: dataGoogleProjectProject.projectId,
});

Example Usage - Container Attached Cluster Ignore Errors

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as google from "./.gen/providers/google";
const dataGoogleProjectProject = new google.dataGoogleProject.DataGoogleProject(
  this,
  "project",
  {}
);
const dataGoogleContainerAttachedVersionsVersions =
  new google.dataGoogleContainerAttachedVersions.DataGoogleContainerAttachedVersions(
    this,
    "versions",
    {
      location: "us-west1",
      project: dataGoogleProjectProject.projectId,
    }
  );
new google.containerAttachedCluster.ContainerAttachedCluster(this, "primary", {
  // Delete the Google-side resource even if errors occur on the attached cluster side.
  deletionPolicy: "DELETE_IGNORE_ERRORS",
  description: "Test cluster",
  distribution: "aks",
  fleet: {
    project: `projects/${dataGoogleProjectProject.number}`,
  },
  location: "us-west1",
  name: "basic",
  oidcConfig: {
    issuerUrl: "https://oidc.issuer.url",
  },
  platformVersion: Fn.element(
    dataGoogleContainerAttachedVersionsVersions.validVersions,
    0
  ),
  project: dataGoogleProjectProject.projectId,
});

Argument Reference

The following arguments are supported:

  • location - (Required) The location for the resource

  • name - (Required) The name of this resource.

  • oidcConfig - (Required) OIDC discovery information of the target cluster. Kubernetes Service Account (KSA) tokens are JWT tokens signed by the cluster API server. This field indicates how GCP services validate KSA tokens in order to allow system workloads (such as GKE Connect and telemetry agents) to authenticate back to GCP. Clusters with both public and private issuer URLs are supported. Clusters with public issuers only need to specify the issuerUrl field, while clusters with private issuers need to provide both issuerUrl and jwks. Structure is documented below.

  • platformVersion - (Required) The platform version for the cluster (e.g. 1230Gke1).

  • distribution - (Required) The Kubernetes distribution of the underlying attached cluster. Supported values: "eks", "aks".

  • fleet - (Required) Fleet configuration. Structure is documented below.

The oidcConfig block supports:

  • issuerUrl - (Required) A JSON Web Token (JWT) issuer URI. The issuer must start with https://.

  • jwks - (Optional) OIDC verification keys in JWKS format (RFC 7517).

The fleet block supports:

  • membership - (Output) The name of the managed Hub Membership resource associated with this cluster. Membership names are formatted as projects//locations/global/membership/.

  • project - (Required) The number of the Fleet host project where this cluster will be registered.


  • description - (Optional) A human readable description of this attached cluster. Cannot be longer than 255 UTF-8 encoded bytes.

  • annotations - (Optional) Annotations on the cluster. This field has the same restrictions as Kubernetes annotations. The total size of all keys and values combined is limited to 256k. A key can have two segments: a prefix (optional) and a name (required), separated by a slash (/). The prefix must be a DNS subdomain. The name must be 63 characters or less, begin and end with alphanumerics, and contain only dashes (-), underscores (_), dots (.), and alphanumerics in between.

  • loggingConfig - (Optional) Logging configuration. Structure is documented below.

  • authorization - (Optional) Configuration related to the cluster RBAC settings. Structure is documented below.

  • monitoringConfig - (Optional) Monitoring configuration. Structure is documented below.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

  • deletionPolicy - (Optional) Policy to determine what flags to send on delete.

The loggingConfig block supports:

  • componentConfig - (Optional) The configuration of the logging components. Structure is documented below.

The componentConfig block supports:

  • enableComponents - (Optional) The components to be enabled. Each value may be one of SYSTEM_COMPONENTS and WORKLOADS.

The authorization block supports:

  • adminUsers - (Optional) Users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the users. Up to ten admin users can be provided. For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

The monitoringConfig block supports:

  • managedPrometheusConfig - (Optional) Enable Google Cloud Managed Service for Prometheus in the cluster. Structure is documented below.

The managedPrometheusConfig block supports:

  • enabled - (Optional) Enable Managed Collection.
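As an added example (not code from the provider docs or the cdktf project), a small pre-apply lint in TypeScript that checks the constraints the argument reference above states for oidcConfig (https issuer, jwks required for a private issuer and a well-formed JWKS document), adminUsers, description length and annotation keys. The names privateIssuer, validateAttachedCluster and lintSample are assumed here, and the jwks input is the decoded JWKS JSON you would hand to Fn.base64encode.

```typescript
// Added example, not from the provider docs: a pre-apply lint for the argument
// constraints stated in the reference. privateIssuer is a constructed flag meaning
// "Google APIs cannot fetch the issuer's discovery document, so jwks is required".
interface AttachedClusterArgs {
  issuerUrl: string;
  jwks?: string; // decoded JWKS JSON, i.e. what you would pass to Fn.base64encode
  privateIssuer?: boolean;
  adminUsers?: string[];
  description?: string;
  annotations?: Record<string, string>;
}
// Annotation key rules: optional DNS-subdomain prefix + "/", then a name of at most
// 63 chars, alphanumeric at both ends, with [-_.] and alphanumerics in between.
const NAME_RE = /^[a-zA-Z0-9]([-_.a-zA-Z0-9]{0,61}[a-zA-Z0-9])?$/;
const PREFIX_RE = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/;
// UTF-8 byte length without Buffer/TextEncoder: each encoded byte becomes one %XX.
const utf8Bytes = (s: string): number =>
  encodeURIComponent(s).replace(/%[0-9A-F]{2}/g, "x").length;
function validateAttachedCluster(args: AttachedClusterArgs): string[] {
  const problems: string[] = [];
  if (!args.issuerUrl.startsWith("https://")) problems.push("oidcConfig.issuerUrl must start with https://");
  if (args.privateIssuer && args.jwks === undefined) problems.push("private issuer: oidcConfig.jwks is required");
  if (args.jwks !== undefined) {
    try {
      const keys = JSON.parse(args.jwks)?.keys;
      if (!Array.isArray(keys) || keys.length === 0) problems.push("jwks: no keys array");
      else for (const k of keys) {
        if (typeof k.kty !== "string" || typeof k.kid !== "string") problems.push("jwks: key without kty/kid");
        if (k.use !== undefined && k.use !== "sig") problems.push(`jwks: key ${k.kid} is not a signing key`);
      }
    } catch { problems.push("jwks: not valid JSON"); }
  }
  if ((args.adminUsers?.length ?? 0) > 10) problems.push("authorization.adminUsers: at most ten users");
  if (args.description !== undefined && utf8Bytes(args.description) > 255) problems.push("description: over 255 UTF-8 bytes");
  for (const key of Object.keys(args.annotations ?? {})) {
    const parts = key.split("/");
    const ok = parts.length === 1 ? NAME_RE.test(key)
      : parts.length === 2 && PREFIX_RE.test(parts[0]) && NAME_RE.test(parts[1]);
    if (!ok) problems.push(`annotations: malformed key "${key}"`);
  }
  return problems;
}
// Constructed sample mirroring the Full example above, with one deliberate defect (plain http).
const SAMPLE_JWKS = '{"keys":[{"use":"sig","kty":"RSA","kid":"testid","alg":"RS256","n":"somedata","e":"AQAB"}]}';
function lintSample(): string[] {
  return validateAttachedCluster({
    issuerUrl: "http://oidc.issuer.url", privateIssuer: true, jwks: SAMPLE_JWKS,
    adminUsers: ["user1@example.com", "user2@example.com"], description: "Test cluster",
    annotations: { "label-one": "value-one" },
  });
}
console.log(lintSample()); // one finding: the issuer URL is not https
```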

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}

  • clusterRegion - Output only. The region where this cluster runs. For EKS clusters, this is an AWS region. For AKS clusters, this is an Azure region.

  • state - The current state of the cluster. Possible values: STATE_UNSPECIFIED, PROVISIONING, RUNNING, RECONCILING, STOPPING, ERROR, DEGRADED

  • uid - A globally unique identifier for the cluster.

  • reconciling - If set, there are currently changes in flight to the cluster.

  • createTime - Output only. The time at which this cluster was created.

  • updateTime - The time at which this cluster was last updated.

  • kubernetesVersion - The Kubernetes version of the cluster.

  • workloadIdentityConfig - Workload Identity settings. Structure is documented below.

  • errors - A set of errors found in the cluster. Structure is documented below.

The workloadIdentityConfig block contains:

  • identityProvider - (Optional) The ID of the OIDC Identity Provider (IdP) associated to the Workload Identity Pool.

  • issuerUri - (Optional) The OIDC issuer URL for this cluster.

  • workloadPool - (Optional) The Workload Identity Pool associated to the cluster.

The errors block contains:

  • message - (Optional) Human-friendly description of the error.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

Cluster can be imported using any of these accepted formats:

$ terraform import google_container_attached_cluster.default projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}
$ terraform import google_container_attached_cluster.default {{project}}/{{location}}/{{name}}
$ terraform import google_container_attached_cluster.default {{location}}/{{name}}

User Project Overrides

This resource supports User Project Overrides.