Google GKEHub Feature Membership

This page shows how to write Terraform for GKEHub Feature Membership and how to write it securely.

google_gke_hub_feature_membership (Terraform)

The Feature Membership in GKEHub can be configured in Terraform with the resource name google_gke_hub_feature_membership. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  project    = var.project
  membership = var.gke_name
  # ... (excerpt ends here)
}

resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  membership = google_gke_hub_membership.membership.membership_id
  configmanagement {
    # ... (excerpt ends here)
  }
}

resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  membership = google_gke_hub_membership.membership.membership_id
  configmanagement {
    # ... (excerpt ends here)
  }
}


The following arguments are supported:

  • configmanagement - (Optional) Config Management-specific spec. Structure is documented below.
  • feature - (Optional) The name of the feature
  • location - (Optional) The location of the feature
  • membership - (Optional) The name of the membership
  • project - (Optional) The project of the feature

The configmanagement block supports:

  • binauthz - (Optional) Binauthz configuration for the cluster. Structure is documented below.
  • config_sync - (Optional) Config Sync configuration for the cluster. Structure is documented below.
  • hierarchy_controller - (Optional) Hierarchy Controller configuration for the cluster. Structure is documented below.
  • policy_controller - (Optional) Policy Controller configuration for the cluster. Structure is documented below.
  • version - (Optional) Version of ACM installed.

The binauthz block supports:

  • enabled - (Optional) Whether binauthz is enabled in this cluster.

The config_sync block supports:

  • git - (Optional) Structure is documented below.
  • source_format - (Optional) Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

The git block supports:

  • https_proxy - (Optional) URL for the HTTPS proxy to be used when communicating with the Git repo.
  • policy_dir - (Optional) The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.
  • secret_type - (Optional) Type of secret configured for access to the Git repo.
  • sync_branch - (Optional) The branch of the repository to sync from. Default: master.
  • sync_repo - (Optional) The URL of the Git repository to use as the source of truth.
  • sync_rev - (Optional) Git revision (tag or hash) to check out. Default HEAD.
  • sync_wait_secs - (Optional) Period in seconds between consecutive syncs. Default: 15.

The hierarchy_controller block supports:

  • enable_hierarchical_resource_quota - (Optional) Whether hierarchical resource quota is enabled in this cluster.
  • enable_pod_tree_labels - (Optional) Whether pod tree labels are enabled in this cluster.
  • enabled - (Optional) Whether Hierarchy Controller is enabled in this cluster.

The policy_controller block supports:

  • audit_interval_seconds - (Optional) Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
  • enabled - (Optional) Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.
  • exemptable_namespaces - (Optional) The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
  • log_denies_enabled - (Optional) Logs all denies and dry run failures.
  • referential_rules_enabled - (Optional) Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated.
  • template_library_installed - (Optional) Installs the default template library along with Policy Controller.

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/[[project]]/locations/[[location]]/features/[[feature]]/membershipId/[[membership]]
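
The arguments above combined into one configuration that pins the Git source and keeps Policy Controller auditing and deny logging on. This is an added example, not code from the original page or from the repositories it cites; the variable names, the validation rule and the policy_dir value are assumptions.

```hcl
# Added example: variable names, validation and policy_dir are assumptions.
variable "project" { type = string }
variable "membership" { type = string } # Fleet membership ID of the cluster

variable "sync_repo" {
  type        = string
  description = "SSH URL of the Git repository Config Sync reads from"
}

variable "sync_rev" {
  type        = string
  description = "Commit to sync; the default (HEAD) moves with every push"
  validation {
    condition     = can(regex("^[0-9a-f]{40}$", var.sync_rev))
    error_message = "Set sync_rev to a full 40-character commit SHA."
  }
}

resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  project    = var.project
  location   = "global"
  feature    = "configmanagement"
  membership = var.membership

  configmanagement {
    config_sync {
      source_format = "unstructured"
      git {
        sync_repo   = var.sync_repo
        sync_rev    = var.sync_rev    # pinned revision, not a moving ref
        policy_dir  = "clusters/prod" # constructed path; sync only this subtree
        secret_type = "ssh"           # authenticated access; key lives in a cluster Secret
      }
    }

    policy_controller {
      enabled                    = true
      template_library_installed = true
      log_denies_enabled         = true # denies and dry-run failures reach the logs
      audit_interval_seconds     = 60   # 0 would disable audit scans
      exemptable_namespaces      = []   # every entry here is skipped by the checks
    }
  }
}
```

With secret_type = "ssh", Config Sync reads the key from a Kubernetes Secret in the cluster, so no credential appears in the Terraform configuration or state for this resource.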

Explanation in Terraform Registry

Contains information about GKEHub Feature Memberships. Feature Memberships configure GKEHub Features that apply to specific memberships rather than the project as a whole. This currently only supports the Config Management feature. The google_gke_hub is the Fleet API.

Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

Frequently asked questions

What is Google GKEHub Feature Membership?

Google GKEHub Feature Membership is a resource for GKEHub of Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google GKEHub Feature Membership?

For Terraform, the ejmadkins/config-sync-kcc-policy-demo, hyperionian/terraform-cloudbuild-configsync and hyperionian/config-sync-gke source code examples are useful. See the Terraform Example section for further details.

