Switch to using an explicit net/subnet.

terraform/basic_gke/main.tf

@@ -48,6 +48,7 @@ data "google_project" "project" {
 module "networking" {
   source  = "../modules/networking"
   project = var.project
+  region  = var.region
 }
 
 #################### Workload Identity ####################
@@ -73,10 +74,12 @@ resource "google_project_service" "cloudkms" {
 #################### GKE ##################################
 
 module "gke" {
-  source           = "../modules/gke"
+  source                = "../modules/gke"
-  project          = var.project
+  project               = var.project
-  region           = var.region
+  region                = var.region
-  service_cloudkms = google_project_service.cloudkms
+  private_network_id    = module.networking.private_network_id
+  private_subnetwork_id = module.networking.private_subnetwork_id
+  service_cloudkms      = google_project_service.cloudkms
 
   # depends_on = [
   #   module.networking

terraform/modules/gke/gke.tf

@@ -12,6 +12,16 @@ variable "service_cloudkms" {
   description = "cloudkms service."
 }
 
+variable "private_network_id" {
+  description = "Private network id."
+  type        = string
+}
+
+variable "private_subnetwork_id" {
+  description = "Private subnetwork id."
+  type        = string
+}
+
 output "gke_connect_command" {
   description = "Command to run to connect to the kubernetes cluster."
   value       = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
@@ -104,10 +114,30 @@ resource "google_storage_bucket_iam_member" "gke_gcr" {
   ]
 }
 
+resource "google_compute_global_address" "gke_cluster_range" {
+  project       = var.project
+  name          = "gke-cluster-range"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = var.private_network_id
+}
+
+resource "google_compute_global_address" "gke_services_range" {
+  project       = var.project
+  name          = "gke-services-range"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 20
+  network       = var.private_network_id
+}
+
 resource "google_container_cluster" "primary" {
-  project  = var.project
+  project    = var.project
-  name     = "gke-cluster"
+  name       = "gke-cluster"
-  location = var.region
+  location   = var.region
+  network    = var.private_network_id
+  subnetwork = var.private_subnetwork_id
 
   remove_default_node_pool = true
   initial_node_count       = 1
@@ -139,8 +169,8 @@ resource "google_container_cluster" "primary" {
   }
 
   ip_allocation_policy {
-    cluster_ipv4_cidr_block  = "10.1.0.0/16"
+    cluster_secondary_range_name  = google_compute_global_address.gke_cluster_range.name
-    services_ipv4_cidr_block = "10.2.0.0/20"
+    services_secondary_range_name = google_compute_global_address.gke_services_range.name
   }
 
   lifecycle {

terraform/modules/networking/networking.tf

@@ -3,11 +3,21 @@ variable "project" {
   type        = string
 }
 
+variable "region" {
+  description = "Region."
+  type        = string
+}
+
 output "private_network_id" {
   description = "Private network id."
   value       = google_compute_network.private_network.id
 }
 
+output "private_subnetwork_id" {
+  description = "Private subnetwork id."
+  value       = google_compute_subnetwork.subnet.id
+}
+
 resource "google_project_service" "servicenetworking" {
   project                    = var.project
   service                    = "servicenetworking.googleapis.com"
@@ -23,6 +33,13 @@ resource "google_compute_network" "private_network" {
   ]
 }
 
+resource "google_compute_subnetwork" "subnet" {
+  name          = "private-subnetwork"
+  ip_cidr_range = "10.100.0.0/16"
+  region        = var.region
+  network       = google_compute_network.private_network.id
+}
+
 resource "google_compute_global_address" "private_ip_address" {
   project       = google_compute_network.private_network.project
   name          = "private-ip-address"