feat: add auto_monitoring_config in GKE managed_prometheus

tatchiuleung · tatchiuleung · commit dafb16b411c2 · 2025-08-22T12:39:30.000-04:00
diff --git a/README.md b/README.md
@@ -219,6 +219,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -125,6 +125,12 @@ resource "google_container_cluster" "primary" {
     {% if autopilot_cluster != true %}
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -986,6 +986,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/cluster.tf b/cluster.tf
@@ -102,6 +102,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/metadata.yaml b/metadata.yaml
@@ -701,6 +701,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -263,6 +263,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -108,6 +108,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml
@@ -694,6 +694,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -930,6 +930,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -241,6 +241,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -108,6 +108,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml
@@ -694,6 +694,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -930,6 +930,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
@@ -252,6 +252,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -108,6 +108,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -672,6 +672,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
@@ -894,6 +894,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -230,6 +230,7 @@ Then perform the following commands on the root folder:
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no |
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -108,6 +108,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
@@ -672,6 +672,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -894,6 +894,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/gke-autopilot-cluster/metadata.yaml b/modules/gke-autopilot-cluster/metadata.yaml
@@ -569,9 +569,9 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/iam.serviceAccountUser
           - roles/compute.admin
           - roles/container.admin
-          - roles/iam.serviceAccountUser
     services:
       - compute.googleapis.com
       - container.googleapis.com
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
@@ -252,6 +252,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
 | master\_ipv4\_cidr\_block | (Optional) The IP range in CIDR notation to use for the hosted master network. | `string` | `null` | no |
+| monitoring\_auto\_monitoring\_config\_scope | Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE | `string` | `"NONE"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `null` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -102,6 +102,12 @@ resource "google_container_cluster" "primary" {
       enable_components = var.monitoring_enabled_components
       managed_prometheus {
         enabled = var.monitoring_enable_managed_prometheus == null ? false : var.monitoring_enable_managed_prometheus
+        dynamic "auto_monitoring_config" {
+          for_each = var.monitoring_enable_managed_prometheus == true && var.monitoring_auto_monitoring_config_scope != null ? [1] : []
+          content {
+            scope = var.monitoring_auto_monitoring_config_scope
+          }
+        }
       }
       advanced_datapath_observability_config {
         enable_metrics = var.monitoring_enable_observability_metrics
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
@@ -683,6 +683,10 @@ spec:
       - name: monitoring_enable_managed_prometheus
         description: Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled.
         varType: bool
+      - name: monitoring_auto_monitoring_config_scope
+        description: "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+        varType: string
+        defaultValue: NONE
       - name: monitoring_enable_observability_metrics
         description: Whether or not the advanced datapath metrics are enabled.
         varType: bool
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
@@ -912,6 +912,23 @@ variable "monitoring_enable_managed_prometheus" {
   default     = null
 }
 
+variable "monitoring_auto_monitoring_config_scope" {
+  default     = "NONE"
+  description = "Whether or not to enable GKE Auto-Monitoring. Supported values include: ALL, NONE"
+  type        = string
+
+  validation {
+    condition = contains(
+      [
+        "ALL",
+        "NONE",
+      ],
+      var.monitoring_auto_monitoring_config_scope
+    )
+    error_message = "'monitoring_auto_monitoring_config_scope' value is invalid"
+  }
+}
+
 variable "monitoring_enable_observability_metrics" {
   type        = bool
   description = "Whether or not the advanced datapath metrics are enabled."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
diff --git a/variables.tf b/variables.tf
