@tedparagon (Contributor)
Brief Summary

Add private GKE endpoint configuration and Terraform Cloud Agent support for GCP.

Detailed Summary

This PR adds support for running Terraform Cloud agents on GCP bastion hosts and enables configuration of private GKE endpoints. The Terraform Cloud agent is now conditionally installed when tfc_agent_token is provided, allowing Terraform runs to execute from the bastion. Additionally, the GKE cluster configuration has been updated to support disabling the public endpoint and using only private endpoints for enhanced security. The PR also includes fixes for deprecated Kubernetes resources and improvements to bastion instance template management.

Changes

  • Added conditional Terraform Cloud agent installation on bastion when tfc_agent_token is provided
  • Fixed Docker daemon startup and environment variable passing for Terraform agent container
  • Switched GKE cluster module from root module to private-cluster submodule (v41.0.0)
  • Added disable_public_endpoint variable to control GKE public/private endpoint configuration
  • Fixed bastion instance template hash to include rendered template content (not just template file)
  • Updated deprecated Kubernetes resources (kubernetes_namespace, kubernetes_config_map, kubernetes_secret) to v1 versions
  • Added google-beta provider for compatibility with private-cluster submodule
  • Upgraded GCP providers to v7.0.0

Unrelated Changes

  • Updated Kubernetes provider resources to v1 versions to resolve deprecation warnings

Future Work

  • Consider similar enhancements for AWS and Azure

Steps to Test

  1. Terraform Cloud Agent:

    • Set tfc_agent_token in var.auto.tfvars
    • Apply infrastructure changes
    • Verify agent container is running: docker ps | grep tfc-agent
    • Check agent logs: docker logs tfc-agent
    • Verify agent appears in Terraform Cloud UI
  2. Private GKE Endpoint:

    • Set disable_public_endpoint = true in cluster variables
    • Run terraform plan to verify cluster replacement is planned
    • Apply changes (WARNING: This will recreate the cluster)
    • Verify cluster endpoint is private IP only
    • Verify gcp_public_cidrs_access_enabled = false in cluster config
  3. Kubernetes Resources:

    • Apply paragon workspace changes
    • Verify no deprecation warnings for Kubernetes resources
    • Verify namespace and secrets are created correctly

QA Notes

  • Cluster Replacement Warning: Changing disable_public_endpoint from false to true (or vice versa) will trigger a full cluster replacement. This is destructive and will require downtime unless workloads are manually migrated first.
  • The bastion instance template now uses a hash of the rendered template content, so any variable changes will trigger a new template and instance replacement.

Deployment Notes

  • Provider Updates: This PR upgrades Google providers to v7.0.0. Run terraform init -upgrade before applying.
  • Module Change: The GKE cluster now uses the private-cluster submodule. Existing clusters will need to be migrated or recreated.
  • New Variable: disable_public_endpoint defaults to false (maintains current behavior). Set to true to enable private-only endpoint.
  • Terraform Cloud Agent: Requires tfc_agent_token to be set in var.auto.tfvars for the agent to be installed. If not provided, Docker and agent installation are skipped.

Screenshots

[Screenshot: Agents | paragon-sandbox | HCP Terraform, 2026-01-23] [Screenshot: second image, 2026-01-23]

@tedparagon tedparagon self-assigned this Jan 23, 2026
@tedparagon tedparagon added the enhancement New feature or request label Jan 23, 2026
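An added configuration example, not code from this PR or repository, showing how a disable_public_endpoint switch can be mapped onto the private-cluster submodule's inputs and how the endpoint is then restricted to the bastion's subnet; project, network, subnet, secondary-range and CIDR values are placeholders, and the module input names are assumed from the submodule's documentation rather than taken from this PR.

```hcl
# Added example, not the PR's own code. Placeholder names and CIDRs throughout.
terraform {
  required_providers {
    google      = { source = "hashicorp/google", version = "~> 7.0" }
    google-beta = { source = "hashicorp/google-beta", version = "~> 7.0" } # needed by the submodule
  }
}

variable "disable_public_endpoint" {
  description = "When true, the control plane is reachable only on its private IP."
  type        = bool
  default     = false # keeps the existing public endpoint unless explicitly opted in
}

module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
  version = "~> 41.0"

  project_id        = "example-project"  # placeholder
  name              = "example-cluster"  # placeholder
  region            = "us-central1"      # placeholder
  network           = "example-vpc"      # placeholder
  subnetwork        = "example-subnet"   # placeholder
  ip_range_pods     = "example-pods"     # placeholder secondary range name
  ip_range_services = "example-services" # placeholder secondary range name

  # Nodes never receive public IPs; the control plane always gets a private
  # address from master_ipv4_cidr_block, whether or not the public endpoint exists.
  enable_private_nodes   = true
  master_ipv4_cidr_block = "172.16.0.0/28" # placeholder /28

  # The switch itself. Flipping enable_private_endpoint forces cluster
  # replacement, which is the destructive change called out in the QA notes.
  enable_private_endpoint = var.disable_public_endpoint

  # Once the public endpoint is gone, also stop Google-owned public ranges
  # (e.g. Cloud Shell) from reaching the API server.
  gcp_public_cidrs_access_enabled = !var.disable_public_endpoint

  # Only the bastion's subnet may reach the control plane; with a private
  # endpoint this is the sole network path, so keep the list to what runs there.
  master_authorized_networks = [{
    cidr_block   = "10.10.0.0/24" # placeholder: bastion subnet
    display_name = "bastion-subnet"
  }]
}
```

After apply, the "cluster endpoint is private IP only" check from the test steps corresponds to module.gke.endpoint falling inside master_ipv4_cidr_block.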
@franklingarcia-paragon (Contributor) left a comment