Merge branch 'main' into gfix1

Author: apeabody

.github/workflows/stale.yml

@@ -20,15 +20,21 @@ on:
   schedule:
   - cron: "0 23 * * *"
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v10
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
         stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
         exempt-issue-labels: 'triaged'
         exempt-pr-labels: 'dependencies,autorelease: pending'
+        operations-per-run: 100

CHANGELOG.md

@@ -6,6 +6,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [42.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v41.0.2...v42.0.0) (2025-12-04)
+
+
+### ⚠ BREAKING CHANGES
+
+* making location field as required for standard cluster ([#2495](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2495))
+* **gke-node-pool:** module to allow List configurations for fields ([#2496](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2496))
+* support enabling default compute class in cluster autoscaler ([#2442](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2442))
+
+### Features
+
+* add auto_monitoring_config in GKE managed_prometheus ([#2420](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2420)) ([04c88e6](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/04c88e647f676f23530d6cbc43e38840592aa6d1))
+* add network tier configuration ([#2497](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2497)) ([873d39e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/873d39ec26e835b7ca2c7b63082ca786f9138df4))
+* add support for transparent huge pages configs ([#2464](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2464)) ([8297521](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/8297521f91715f262919a85d9c51d1a13af1d1d9))
+* support enabling default compute class in cluster autoscaler ([#2442](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2442)) ([3569f13](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3569f13ca21a2c2b4981cd708350962050ae330c))
+
+
+### Bug Fixes
+
+* additional_ip_ranges_config ([#2458](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2458)) ([839093c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/839093c484f34c0276240bf8a299b2dc5f5602f6))
+* **gke-node-pool:** module to allow List configurations for fields ([#2496](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2496)) ([dc798c1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/dc798c1dd7af055f1223915c949ac55cc23f89a4))
+* making location field as required for standard cluster ([#2495](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2495)) ([5f7d53c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/5f7d53cd77dd593508856fd84472b7071bd7b779))
+
 ## [41.0.2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v41.0.1...v41.0.2) (2025-11-07)
 
 

README.md

@@ -149,7 +149,7 @@ Then perform the following commands on the root folder:
 | anonymous\_authentication\_config\_mode | Allows users to restrict or enable anonymous access to the cluster. Valid values are `ENABLED` and `LIMITED`. | `string` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = optional(number)<br>    max_cpu_cores               = optional(number)<br>    min_memory_gb               = optional(number)<br>    max_memory_gb               = optional(number)<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
+| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                      = bool<br>    autoscaling_profile          = string<br>    min_cpu_cores                = optional(number)<br>    max_cpu_cores                = optional(number)<br>    min_memory_gb                = optional(number)<br>    max_memory_gb                = optional(number)<br>    gpu_resources                = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                  = bool<br>    auto_upgrade                 = bool<br>    disk_size                    = optional(number)<br>    disk_type                    = optional(string)<br>    image_type                   = optional(string)<br>    strategy                     = optional(string)<br>    max_surge                    = optional(number)<br>    max_unavailable              = optional(number)<br>    node_pool_soak_duration      = optional(string)<br>    batch_soak_duration          = optional(string)<br>    batch_percentage             = optional(number)<br>    batch_node_count             = optional(number)<br>    enable_secure_boot           = optional(bool, false)<br>    enable_integrity_monitoring  = optional(bool, true)<br>    enable_default_compute_class = optional(bool, false)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_default_compute_class": false,<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
@@ -160,7 +160,6 @@ Then perform the following commands on the root folder:
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br>  {<br>    "key_name": "",<br>    "state": "DECRYPTED"<br>  }<br>]</pre> | no |
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
-| default\_compute\_class\_enabled | Enable Spot VMs as the default compute class for Node Auto-Provisioning | `bool` | `null` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
 | description | The description of the cluster | `string` | `""` | no |
@@ -225,6 +224,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
@@ -237,6 +237,7 @@ Then perform the following commands on the root folder:
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
@@ -250,6 +251,8 @@ Then perform the following commands on the root folder:
 | node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
+| node\_pools\_transparent\_hugepage\_defrag | Map of strings containing transparent hugepage defrag node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
+| node\_pools\_transparent\_hugepage\_enabled | Map of strings containing transparent hugepage enabled node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |

autogen/main/cluster.tf.tmpl

@@ -132,6 +132,12 @@ resource "google_container_cluster" "primary" {
     {% if autopilot_cluster != true %}
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
@@ -156,7 +162,7 @@ resource "google_container_cluster" "primary" {
 
   cluster_autoscaling {
     enabled = var.cluster_autoscaling.enabled
-    default_compute_class_enabled = var.default_compute_class_enabled
+    default_compute_class_enabled = lookup(var.cluster_autoscaling, "enable_default_compute_class", false)
     dynamic "auto_provisioning_defaults" {
       for_each = var.cluster_autoscaling.enabled ? [1] : []
 
@@ -561,6 +567,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type                    = var.stack_type
   }
 
@@ -1315,6 +1327,10 @@ resource "google_container_node_pool" "windows_pools" {
         local.node_pools_linux_node_configs_sysctls[each.value["name"]],
         local.node_pools_cgroup_mode["all"] == "" ? {} : { cgroup = local.node_pools_cgroup_mode["all"] },
         local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]},
+        local.node_pools_transparent_hugepage_enabled["all"] == "" ? {} : { transparent_hugepage_enabled = local.node_pools_transparent_hugepage_enabled["all"] },
+        local.node_pools_transparent_hugepage_enabled[each.value["name"]] == "" ? {} : { transparent_hugepage_enabled = local.node_pools_transparent_hugepage_enabled[each.value["name"]] },
+        local.node_pools_transparent_hugepage_defrag["all"] == "" ? {} : { transparent_hugepage_defrag = local.node_pools_transparent_hugepage_defrag["all"] },
+        local.node_pools_transparent_hugepage_defrag[each.value["name"]] == "" ? {} : { transparent_hugepage_defrag = local.node_pools_transparent_hugepage_defrag[each.value["name"]] },
         local.node_pools_hugepage_size_2m["all"] == "" ? {} : { cgroup = local.node_pools_hugepage_size_2m["all"] },
         local.node_pools_hugepage_size_2m[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_hugepage_size_2m[each.value["name"]] },
         local.node_pools_hugepage_size_1g["all"] == "" ? {} : { cgroup = local.node_pools_hugepage_size_1g["all"] },
@@ -1326,7 +1342,9 @@ resource "google_container_node_pool" "windows_pools" {
           local.node_pools_linux_node_configs_sysctls["all"],
           local.node_pools_linux_node_configs_sysctls[each.value["name"]]
         )
-        cgroup_mode = try(coalesce(local.node_pools_cgroup_mode[each.value["name"]], local.node_pools_cgroup_mode["all"]), null)
+        cgroup_mode                  = try(coalesce(local.node_pools_cgroup_mode[each.value["name"]], local.node_pools_cgroup_mode["all"]), null)
+        transparent_hugepage_enabled = try(coalesce(local.node_pools_transparent_hugepage_enabled[each.value["name"]], local.node_pools_transparent_hugepage_enabled["all"]), null)
+        transparent_hugepage_defrag  = try(coalesce(local.node_pools_transparent_hugepage_defrag[each.value["name"]], local.node_pools_transparent_hugepage_defrag["all"]), null)
         dynamic "hugepages_config" {
           for_each = length(merge(
             local.node_pools_hugepage_size_2m["all"] == "" ? {} : { cgroup = local.node_pools_hugepage_size_2m["all"] },