GKE Cluster (Autopilot & Standard)
Private, Workload-Identity-enabled GKE cluster with managed node pools, release channels and maintenance windows, hardened to Google best practice.
Verification
Static-verified: Passed. Validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
gcp-gke-cluster
Private, Workload-Identity-enabled GKE cluster with managed node pools, release
channels and maintenance windows, hardened to Google best practice. Runs in
Autopilot or Standard mode from the same module: private nodes, Dataplane
V2, shielded nodes with secure boot, a dedicated least-privilege node service
account, and deletion protection on by default. Works with Terraform and
OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.
Secure defaults:
- Private nodes (no public node IPs), optional fully-private control-plane endpoint (with the endpoint private, kubectl must reach the control plane from inside the VPC, e.g. via a bastion, IAP tunnel or VPN)
- Workload Identity enabled (workload pool PROJECT.svc.id.goog)
- Dedicated node service account with only the logging/monitoring/Artifact Registry roles GKE needs (never the default compute SA)
- Shielded nodes, secure boot, integrity monitoring, GKE_METADATA workload metadata (the GKE metadata server Workload Identity requires), legacy metadata endpoints disabled
- Release-channel upgrades inside a weekend maintenance window
- deletion_protection = true
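The settings in the list above, written out in plain Google provider resources as an added illustration for this page. This is not the gcp-gke-cluster module's own code (that ships with the licence); it is a hand-written Standard-mode cluster using the provider attributes as they exist in the 6.x/7.x line. The project ID, region, network, subnetwork, CIDR and the secondary range names "pods" and "services" are placeholders.

```hcl
# Added example, not the module's code. Assumed inputs: var.project_id, var.region,
# var.network, var.subnetwork (with secondary ranges named "pods" and "services").
terraform {
  required_version = ">= 1.6"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 7.0, < 8.0"
    }
  }
}

# Dedicated node identity: the default compute SA is often project Editor,
# so nodes get their own SA carrying only what GKE itself needs.
resource "google_service_account" "nodes" {
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
}

resource "google_project_iam_member" "nodes" {
  for_each = toset([
    "roles/logging.logWriter",       # node and system logs
    "roles/monitoring.metricWriter", # node and system metrics
    "roles/monitoring.viewer",
    "roles/artifactregistry.reader", # image pulls from Artifact Registry
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.nodes.email}"
}

resource "google_container_cluster" "this" {
  name       = "hardened"
  location   = var.region
  network    = var.network
  subnetwork = var.subnetwork

  deletion_protection   = true                # a destroying plan fails unless flipped first
  enable_shielded_nodes = true                # vTPM-measured boot on every node
  datapath_provider     = "ADVANCED_DATAPATH" # Dataplane V2 (eBPF, NetworkPolicy built in)

  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true           # nodes get no external IPs
    enable_private_endpoint = false          # true = fully private; then kubectl needs a VPC path
    master_ipv4_cidr_block  = "172.16.0.0/28" # placeholder control-plane range
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  release_channel {
    channel = "REGULAR"
  }

  maintenance_policy {
    recurring_window {
      start_time = "2025-01-04T00:00:00Z" # a Saturday; the dates only fix the 12h window length
      end_time   = "2025-01-04T12:00:00Z"
      recurrence = "FREQ=WEEKLY;BYDAY=SA,SU"
    }
  }

  # Standard mode: discard the default pool and manage pools separately.
  # Autopilot instead sets enable_autopilot = true and has no node pool block.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "default" {
  name     = "default"
  cluster  = google_container_cluster.this.name
  location = var.region

  autoscaling {
    min_node_count = 1
    max_node_count = 3
  }

  management {
    auto_repair  = true
    auto_upgrade = true # upgrades track the cluster's release channel
  }

  node_config {
    machine_type    = "e2-standard-4"
    service_account = google_service_account.nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"] # IAM roles, not scopes, bound the SA

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    workload_metadata_config {
      mode = "GKE_METADATA" # GKE metadata server; required for Workload Identity
    }

    metadata = {
      disable-legacy-endpoints = "true" # v0.1/v1beta1 metadata APIs off
    }
  }
}
```

Two things worth checking after apply: `gcloud container clusters describe` should report `privateClusterConfig.enablePrivateNodes: true` and `workloadIdentityConfig.workloadPool` set, and the node pool's `nodeConfig.serviceAccount` should be the dedicated SA rather than `<project-number>-compute@developer.gserviceaccount.com`. Note that `remove_default_node_pool` still creates and then deletes a default pool on the default compute SA during the first apply.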
Requirements
| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| hashicorp/google | >= 7.0, < 8.0 |
The subnetwork must already have the two named secondary IP ranges (pods +
services). Pair with the gcp-vpc module from this catalog.
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).
Usage code & full reference unlock after purchase
The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.