Merge pull request #109 from MaterializeInc/private-eks-gcp

Private + Public GKE Cluster Endpoints

Author: jshiwamV

gcp/examples/simple/outputs.tf

@@ -19,6 +19,12 @@ output "gke_cluster_endpoint" {
   value       = module.gke.cluster_endpoint
 }
 
+output "gke_cluster_private_endpoint" {
+  description = "GKE cluster private endpoint"
+  value       = module.gke.cluster_private_endpoint
+  sensitive   = true
+}
+
 output "gke_cluster_location" {
   description = "GKE cluster location"
   value       = module.gke.cluster_location

gcp/modules/gke/main.tf

@@ -42,6 +42,24 @@ resource "google_container_cluster" "primary" {
     services_secondary_range_name = var.services_secondary_range_name
   }
 
+  # Enable private cluster with both private and public endpoint access
+  # ref : https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#private_cluster_config-1
+  private_cluster_config {
+    # enables private cluster feature,creating a private endpoint on cluster
+    enable_private_nodes = true
+    # when enable_private_endpoint is true, it disables the access through public endpoint, hence this is set to false.
+    enable_private_endpoint = false
+    master_ipv4_cidr_block  = var.master_ipv4_cidr_block
+  }
+
+  # Allow access to the cluster endpoint from specific IP ranges
+  master_authorized_networks_config {
+    cidr_blocks {
+      cidr_block   = var.master_authorized_networks_cidr_block
+      display_name = "Authorized networks"
+    }
+  }
+
   release_channel {
     channel = var.release_channel
   }

gcp/modules/gke/outputs.tf

@@ -4,11 +4,17 @@ output "cluster_name" {
 }
 
 output "cluster_endpoint" {
-  description = "The endpoint of the GKE cluster"
+  description = "The public endpoint of the GKE cluster"
   value       = google_container_cluster.primary.endpoint
   sensitive   = true
 }
 
+output "cluster_private_endpoint" {
+  description = "The private endpoint of the GKE cluster (used by nodes and VPC resources)"
+  value       = google_container_cluster.primary.private_cluster_config != null && length(google_container_cluster.primary.private_cluster_config) > 0 ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : null
+  sensitive   = true
+}
+
 output "cluster_ca_certificate" {
   value = google_container_cluster.primary.master_auth[0].cluster_ca_certificate
 }

gcp/modules/gke/variables.tf

@@ -96,3 +96,19 @@ variable "labels" {
   type        = map(string)
   default     = {}
 }
+
+# GCP manages this CIDR block when not provided as input
+variable "master_ipv4_cidr_block" {
+  description = "The IP range in CIDR notation to use for the hosted master network. This range must not overlap with any other ranges in use within the cluster's network."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+# modify this to restrict public access to master endpoint from specific IP ranges
+variable "master_authorized_networks_cidr_block" {
+  description = "CIDR block to allow access to the Kubernetes master endpoint. Defaults to 0.0.0.0/0 to allow access from anywhere."
+  type        = string
+  default     = "0.0.0.0/0"
+  nullable    = false
+}

test/gcp/fixtures/materialize/main.tf

@@ -10,13 +10,15 @@ data "google_client_config" "default" {}
 module "gke" {
   source = "../../../../gcp/modules/gke"
 
-  project_id   = var.project_id
-  region       = var.region
-  prefix       = var.prefix
-  network_name = var.network_name
-  subnet_name  = var.subnet_name
-  namespace    = var.namespace
-  labels       = var.labels
+  project_id                            = var.project_id
+  region                                = var.region
+  prefix                                = var.prefix
+  network_name                          = var.network_name
+  subnet_name                           = var.subnet_name
+  namespace                             = var.namespace
+  master_authorized_networks_cidr_block = var.master_authorized_networks_cidr_block
+  master_ipv4_cidr_block                = var.master_ipv4_cidr_block
+  labels                                = var.labels
 }
 
 # Nodepool creation

test/gcp/fixtures/materialize/outputs.tf

@@ -12,6 +12,11 @@ output "cluster_endpoint" {
   value       = module.gke.cluster_endpoint
 }
 
+output "cluster_private_endpoint" {
+  description = "GKE cluster private endpoint"
+  value       = module.gke.cluster_private_endpoint
+}
+
 output "cluster_ca_certificate" {
   description = "GKE cluster CA certificate"
   value       = module.gke.cluster_ca_certificate

test/gcp/fixtures/materialize/variables.tf

@@ -176,3 +176,18 @@ variable "license_key" {
   default     = null
   sensitive   = true
 }
+
+# GCP manages this CIDR block when not provided as input
+variable "master_ipv4_cidr_block" {
+  description = "The IP range in CIDR notation to use for the hosted master network. This range must not overlap with any other ranges in use within the cluster's network."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+# modify this to restrict public access to master endpoint from specific IP ranges
+variable "master_authorized_networks_cidr_block" {
+  description = "CIDR block to allow access to the Kubernetes master endpoint"
+  type        = string
+  nullable    = false
+}

test/gcp/staged_deployment_test.go

@@ -340,14 +340,15 @@ func (suite *StagedDeploymentSuite) setupMaterializeConsolidatedStage(stage, sta
 		"subnet_name":  subnetNames[0],
 
 		// GKE Configuration
-		"namespace":             TestGKENamespace,
-		"materialize_node_type": machineType,
-		"min_nodes":             TestGKEMinNodes,
-		"max_nodes":             TestGKEMaxNodes,
-		"enable_private_nodes":  true,
-		"swap_enabled":          diskEnabled,
-		"disk_size":             diskSize,
-		"local_ssd_count":       localSSDCount,
+		"namespace":                             TestGKENamespace,
+		"master_authorized_networks_cidr_block": TestMasterAuthorizedNetworksCIDRBlock,
+		"materialize_node_type":                 machineType,
+		"min_nodes":                             TestGKEMinNodes,
+		"max_nodes":                             TestGKEMaxNodes,
+		"enable_private_nodes":                  true,
+		"swap_enabled":                          diskEnabled,
+		"disk_size":                             diskSize,
+		"local_ssd_count":                       localSSDCount,
 
 		// Node Labels
 		"labels": map[string]string{
@@ -429,6 +430,7 @@ func (suite *StagedDeploymentSuite) setupMaterializeConsolidatedStage(stage, sta
 	// GKE Cluster Outputs
 	clusterName := terraform.Output(t, materializeOptions, "cluster_name")
 	clusterEndpoint := terraform.Output(t, materializeOptions, "cluster_endpoint")
+	clusterPrivateEndpoint := terraform.Output(t, materializeOptions, "cluster_private_endpoint")
 	clusterCA := terraform.Output(t, materializeOptions, "cluster_ca_certificate")
 	workloadIdentitySA := terraform.Output(t, materializeOptions, "workload_identity_sa_email")
 
@@ -443,6 +445,7 @@ func (suite *StagedDeploymentSuite) setupMaterializeConsolidatedStage(stage, sta
 	t.Log("✅ Validating GKE Cluster Outputs...")
 	suite.NotEmpty(clusterName, "GKE cluster name should not be empty")
 	suite.NotEmpty(clusterEndpoint, "GKE cluster endpoint should not be empty")
+	suite.NotEmpty(clusterPrivateEndpoint, "GKE cluster private endpoint should not be empty")
 	suite.NotEmpty(clusterCA, "GKE cluster CA certificate should not be empty")
 	suite.NotEmpty(workloadIdentitySA, "Workload identity SA email should not be empty")
 

test/gcp/test_constants.go

@@ -13,6 +13,8 @@ const (
 	TestMachineTypeMedium = "n2-standard-4" // 4 vCPU, 16 GB RAM
 	TestMachineTypeMemory = "n2-highmem-2"  // 2 vCPU, 16 GB RAM
 
+	TestMasterAuthorizedNetworksCIDRBlock = "0.0.0.0/0"
+
 	// GKE-specific machine types
 	TestGKEMachineType            = "n2-standard-2" // Standard GKE node type
 	TestAlternativeGKEMachineType = "n2-standard-4" // Alternative GKE node type