Google GKEHub Feature Membership

This page shows how to write Terraform for a GKEHub Feature Membership and how to write it securely.

google_gke_hub_feature_membership (Terraform)

The Feature Membership in GKEHub can be configured in Terraform with the resource name google_gke_hub_feature_membership. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L1
resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  project    = var.project
  membership = var.gke_name
}
main.tf#L32
resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  membership = google_gke_hub_membership.membership.membership_id
  configmanagement {
    # the configmanagement settings are truncated in this excerpt
  }
}
main.tf#L32
resource "google_gke_hub_feature_membership" "feature_member" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  membership = google_gke_hub_membership.membership.membership_id
  configmanagement {
    # the configmanagement settings are truncated in this excerpt
  }
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • configmanagement - (Optional) Config Management-specific spec. Structure is documented below.
  • feature - (Optional) The name of the feature
  • location - (Optional) The location of the feature
  • membership - (Optional) The name of the membership
  • project - (Optional) The project of the feature

The configmanagement block supports:

  • binauthz - (Optional) Binauthz configuration for the cluster. Structure is documented below.
  • config_sync - (Optional) Config Sync configuration for the cluster. Structure is documented below.
  • hierarchy_controller - (Optional) Hierarchy Controller configuration for the cluster. Structure is documented below.
  • policy_controller - (Optional) Policy Controller configuration for the cluster. Structure is documented below.
  • version - (Optional) Version of ACM installed.

The binauthz block supports:

  • enabled - (Optional) Whether binauthz is enabled in this cluster.

The config_sync block supports:

  • git - (Optional) Structure is documented below.
  • source_format - (Optional) Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

The git block supports:

  • https_proxy - (Optional) URL for the HTTPS proxy to be used when communicating with the Git repo.
  • policy_dir - (Optional) The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.
  • secret_type - (Optional) Type of secret configured for access to the Git repo.
  • sync_branch - (Optional) The branch of the repository to sync from. Default: master.
  • sync_repo - (Optional) The URL of the Git repository to use as the source of truth.
  • sync_rev - (Optional) Git revision (tag or hash) to check out. Default HEAD.
  • sync_wait_secs - (Optional) Period in seconds between consecutive syncs. Default: 15.

The hierarchy_controller block supports:

  • enable_hierarchical_resource_quota - (Optional) Whether hierarchical resource quota is enabled in this cluster.
  • enable_pod_tree_labels - (Optional) Whether pod tree labels are enabled in this cluster.
  • enabled - (Optional) Whether Hierarchy Controller is enabled in this cluster.

The policy_controller block supports:

  • audit_interval_seconds - (Optional) Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
  • enabled - (Optional) Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.
  • exemptable_namespaces - (Optional) The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
  • log_denies_enabled - (Optional) Logs all denies and dry run failures.
  • referential_rules_enabled - (Optional) Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.
  • template_library_installed - (Optional) Installs the default template library along with Policy Controller.

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/[[project]]/locations/[[location]]/features/[[feature]]/membershipId/[[membership]]
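The following is an added example that is not taken from the source repositories listed on this page. It sets every block described above explicitly, with the settings that matter for security: Binary Authorization on, the Git revision pinned through a validated variable instead of the HEAD default, Policy Controller enabled with audit scans that cannot be switched off by a 0 interval, denies logged for detection, and a minimal exemption list. It assumes a google_gke_hub_membership resource named "membership" exists in the same module; the repository URL, policy directory and ACM version are constructed placeholders.

```hcl
# Added example (not from the page's source repositories).
# Assumed: google_gke_hub_membership.membership is declared elsewhere in this module.

variable "sync_rev" {
  description = "Git tag or commit hash that Config Sync checks out; pin it rather than relying on the HEAD default"
  type        = string

  validation {
    condition     = length(var.sync_rev) > 0 && var.sync_rev != "HEAD"
    error_message = "sync_rev must be a pinned tag or commit hash, not HEAD."
  }
}

variable "audit_interval_seconds" {
  description = "Policy Controller audit interval; 0 would disable audit scans altogether"
  type        = number
  default     = 60

  validation {
    condition     = var.audit_interval_seconds > 0
    error_message = "audit_interval_seconds must be greater than 0 so audit scans keep running."
  }
}

resource "google_gke_hub_feature_membership" "hardened" {
  provider   = google-beta
  location   = "global"
  feature    = "configmanagement"
  membership = google_gke_hub_membership.membership.membership_id # assumed to exist

  configmanagement {
    version = "1.12.0" # constructed placeholder; pin the ACM version you have tested

    # Only images that pass Binary Authorization attestation may run.
    binauthz {
      enabled = true
    }

    config_sync {
      source_format = "unstructured"
      git {
        sync_repo      = "git@github.com:example-org/cluster-config.git" # constructed placeholder
        sync_branch    = "main"
        sync_rev       = var.sync_rev # pinned, validated above
        policy_dir     = "clusters/prod"                                  # constructed placeholder
        secret_type    = "ssh" # credentials stay in a Kubernetes secret, never in this file
        sync_wait_secs = "15"
      }
    }

    hierarchy_controller {
      enabled                            = true
      enable_hierarchical_resource_quota = true
      enable_pod_tree_labels             = false
    }

    policy_controller {
      enabled                    = true
      audit_interval_seconds     = var.audit_interval_seconds # validated to be > 0
      log_denies_enabled         = true # denies and dry-run failures reach cluster logs for detection
      referential_rules_enabled  = true
      template_library_installed = true
      # Every namespace listed here bypasses all constraints, so keep the list minimal.
      exemptable_namespaces = ["kube-system"]
    }
  }
}
```

The two variable validation blocks turn the weak settings the parameter list allows (an unpinned sync_rev defaulting to HEAD, an audit_interval_seconds of 0) into plan-time errors, so a reviewer does not have to catch them by eye.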

Explanation in Terraform Registry

Contains information about GKEHub Feature Memberships. Feature Memberships configure GKEHub Features that apply to specific memberships rather than the project as a whole. This currently only supports the Config Management feature. The google_gke_hub is the Fleet API.

Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

Frequently asked questions

What is Google GKEHub Feature Membership?

Google GKEHub Feature Membership is a resource for GKEHub of Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google GKEHub Feature Membership?

For Terraform, the ejmadkins/config-sync-kcc-policy-demo, hyperionian/terraform-cloudbuild-configsync and hyperionian/config-sync-gke source code examples are useful. See the Terraform Example section for further details.
