feat: Support for GKE private clusters without default node pool

ciroclover · ciroclover · commit fd777ad3fdd9 · 2025-08-15T15:17:44.000-04:00
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -32,6 +32,7 @@ resource "google_container_cluster" "primary" {
   cluster_ipv4_cidr   = var.cluster_ipv4_cidr
   network             = "projects/${local.network_project_id}/global/networks/${var.network}"
   deletion_protection = var.deletion_protection
+  initial_node_count  = length(var.node_pools) == 0 ? var.initial_node_count : null
 
   dynamic "network_policy" {
     for_each = local.cluster_network_policy
@@ -439,112 +440,115 @@ resource "google_container_cluster" "primary" {
     update = lookup(var.timeouts, "update", "45m")
     delete = lookup(var.timeouts, "delete", "45m")
   }
-  node_pool {
-    name               = "default-pool"
-    initial_node_count = var.initial_node_count
-
-    management {
-      auto_repair  = lookup(var.cluster_autoscaling, "auto_repair", true)
-      auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
-    }
-
-    node_config {
-      image_type                  = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
-      machine_type                = lookup(var.node_pools[0], "machine_type", "e2-medium")
-      min_cpu_platform            = lookup(var.node_pools[0], "min_cpu_platform", "")
-      enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
-      disk_type                   = lookup(var.node_pools[0], "disk_type", null)
-      dynamic "gcfs_config" {
-        for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
-        content {
-          enabled = gcfs_config.value
+  dynamic "node_pool" {
+    for_each = length(var.node_pools) == 0 ? [] : [1]
+    content {
+      name               = "default-pool"
+      initial_node_count = var.initial_node_count
+
+      management {
+        auto_repair  = lookup(var.cluster_autoscaling, "auto_repair", true)
+        auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
+      }
+
+      node_config {
+        image_type                  = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+        machine_type                = lookup(var.node_pools[0], "machine_type", "e2-medium")
+        min_cpu_platform            = lookup(var.node_pools[0], "min_cpu_platform", "")
+        enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
+        disk_type                   = lookup(var.node_pools[0], "disk_type", null)
+        dynamic "gcfs_config" {
+          for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
+          content {
+            enabled = gcfs_config.value
+          }
         }
-      }
 
-      dynamic "gvnic" {
-        for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
-        content {
-          enabled = gvnic.value
+        dynamic "gvnic" {
+          for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+          content {
+            enabled = gvnic.value
+          }
         }
-      }
 
-      dynamic "fast_socket" {
-        for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : []
-        content {
-          enabled = fast_socket.value
+        dynamic "fast_socket" {
+          for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : []
+          content {
+            enabled = fast_socket.value
+          }
         }
-      }
 
-      dynamic "kubelet_config" {
-        for_each = length(setintersection(
-          keys(var.node_pools[0]),
-          ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
-        )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
+        dynamic "kubelet_config" {
+          for_each = length(setintersection(
+            keys(var.node_pools[0]),
+            ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
+          )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
 
-        content {
-          cpu_manager_policy                     = lookup(var.node_pools[0], "cpu_manager_policy", "static")
-          cpu_cfs_quota                          = lookup(var.node_pools[0], "cpu_cfs_quota", null)
-          cpu_cfs_quota_period                   = lookup(var.node_pools[0], "cpu_cfs_quota_period", null)
-          insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null
-          pod_pids_limit                         = lookup(var.node_pools[0], "pod_pids_limit", null)
-          container_log_max_size                 = lookup(var.node_pools[0], "container_log_max_size", null)
-          container_log_max_files                = lookup(var.node_pools[0], "container_log_max_files", null)
-          image_gc_low_threshold_percent         = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null)
-          image_gc_high_threshold_percent        = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null)
-          image_minimum_gc_age                   = lookup(var.node_pools[0], "image_minimum_gc_age", null)
-          image_maximum_gc_age                   = lookup(var.node_pools[0], "image_maximum_gc_age", null)
-          allowed_unsafe_sysctls                 = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)]
+          content {
+            cpu_manager_policy                     = lookup(var.node_pools[0], "cpu_manager_policy", "static")
+            cpu_cfs_quota                          = lookup(var.node_pools[0], "cpu_cfs_quota", null)
+            cpu_cfs_quota_period                   = lookup(var.node_pools[0], "cpu_cfs_quota_period", null)
+            insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null
+            pod_pids_limit                         = lookup(var.node_pools[0], "pod_pids_limit", null)
+            container_log_max_size                 = lookup(var.node_pools[0], "container_log_max_size", null)
+            container_log_max_files                = lookup(var.node_pools[0], "container_log_max_files", null)
+            image_gc_low_threshold_percent         = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null)
+            image_gc_high_threshold_percent        = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null)
+            image_minimum_gc_age                   = lookup(var.node_pools[0], "image_minimum_gc_age", null)
+            image_maximum_gc_age                   = lookup(var.node_pools[0], "image_maximum_gc_age", null)
+            allowed_unsafe_sysctls                 = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)]
+          }
         }
-      }
 
-      dynamic "sole_tenant_config" {
-        # node_affinity is currently the only member of sole_tenant_config
-        for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : []
-        content {
-          dynamic "node_affinity" {
-            for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : []
-            content {
-              key      = lookup(jsondecode(node_affinity.value), "key", null)
-              operator = lookup(jsondecode(node_affinity.value), "operator", null)
-              values   = lookup(jsondecode(node_affinity.value), "values", [])
+        dynamic "sole_tenant_config" {
+          # node_affinity is currently the only member of sole_tenant_config
+          for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : []
+          content {
+            dynamic "node_affinity" {
+              for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : []
+              content {
+                key      = lookup(jsondecode(node_affinity.value), "key", null)
+                operator = lookup(jsondecode(node_affinity.value), "operator", null)
+                values   = lookup(jsondecode(node_affinity.value), "values", [])
+              }
             }
           }
         }
-      }
 
-      service_account = lookup(var.node_pools[0], "service_account", local.service_account)
+        service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 
-      tags = concat(
-        lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [],
-        lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [],
-        lookup(local.node_pools_tags, "all", []),
-        lookup(local.node_pools_tags, var.node_pools[0].name, []),
-      )
+        tags = concat(
+          lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [],
+          lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [],
+          lookup(local.node_pools_tags, "all", []),
+          lookup(local.node_pools_tags, var.node_pools[0].name, []),
+        )
 
-      logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT")
+        logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT")
 
-      dynamic "workload_metadata_config" {
-        for_each = local.cluster_node_metadata_config
+        dynamic "workload_metadata_config" {
+          for_each = local.cluster_node_metadata_config
 
-        content {
-          mode = workload_metadata_config.value.mode
+          content {
+            mode = workload_metadata_config.value.mode
+          }
         }
-      }
 
-      metadata = local.node_pools_metadata["all"]
+        metadata = local.node_pools_metadata["all"]
 
-      boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
+        boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
 
-      storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : []
+        storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : []
 
-      shielded_instance_config {
-        enable_secure_boot          = lookup(var.node_pools[0], "enable_secure_boot", false)
-        enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
-      }
+        shielded_instance_config {
+          enable_secure_boot          = lookup(var.node_pools[0], "enable_secure_boot", false)
+          enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+        }
 
-      local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null)
-      max_run_duration          = lookup(var.node_pools[0], "max_run_duration", null)
-      flex_start                = lookup(var.node_pools[0], "flex_start", null)
+        local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null)
+        max_run_duration          = lookup(var.node_pools[0], "max_run_duration", null)
+        flex_start                = lookup(var.node_pools[0], "flex_start", null)
+      }
     }
   }
 
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
@@ -152,8 +152,8 @@ locals {
   cluster_zones    = sort(local.cluster_output_zones)
 
   // node pool ID is in the form projects/<project-id>/locations/<location>/clusters/<cluster-name>/nodePools/<nodepool-name>
-  cluster_name_parts_from_nodepool           = split("/", element(values(google_container_node_pool.pools)[*].id, 0))
-  cluster_name_computed                      = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+  cluster_name_parts_from_nodepool           = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
+  cluster_name_computed                      = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
   cluster_network_tag                        = "gke-${var.name}"
   cluster_ca_certificate                     = local.cluster_master_auth_map["cluster_ca_certificate"]
   cluster_master_version                     = local.cluster_output_master_version
