feat: add network tier configuration (#2497)

romancin · web-flow · commit 873d39ec26e8 · 2025-12-04T15:07:45.000-08:00
diff --git a/README.md b/README.md
@@ -237,6 +237,7 @@ Then perform the following commands on the root folder:
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -567,6 +567,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type                    = var.stack_type
   }
 
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -1246,3 +1246,13 @@ variable "rbac_binding_config" {
     enable_insecure_binding_system_authenticated   = null
   }
 }
+
+variable "network_tier_config" {
+  description = "Network tier configuration for the cluster"
+  type        = string
+  default     = null
+  validation {
+    condition     = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)
+    error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"
+  }
+}
diff --git a/cluster.tf b/cluster.tf
@@ -434,6 +434,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type = var.stack_type
   }
 
diff --git a/metadata.display.yaml b/metadata.display.yaml
@@ -285,6 +285,9 @@ spec:
         master_authorized_networks:
           name: master_authorized_networks
           title: Master Authorized Networks
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus
@@ -321,6 +324,9 @@ spec:
         network_tags:
           name: network_tags
           title: Network Tags
+        network_tier_config:
+          name: network_tier_config
+          title: Network Tier Config
         node_metadata:
           name: node_metadata
           title: Node Metadata
diff --git a/metadata.yaml b/metadata.yaml
@@ -806,6 +806,9 @@ spec:
         defaultValue:
           enable_insecure_binding_system_authenticated: null
           enable_insecure_binding_system_unauthenticated: null
+      - name: network_tier_config
+        description: Network tier configuration for the cluster
+        varType: string
     outputs:
       - name: ca_certificate
         description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
@@ -147,6 +147,7 @@ Then perform the following commands on the root folder:
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -329,6 +329,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type = var.stack_type
   }
 
diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml
@@ -262,6 +262,9 @@ spec:
         network_tags:
           name: network_tags
           title: Network Tags
+        network_tier_config:
+          name: network_tier_config
+          title: Network Tier Config
         node_pools_cgroup_mode:
           name: node_pools_cgroup_mode
           title: Node Pools Cgroup Mode
diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml
@@ -534,6 +534,9 @@ spec:
         defaultValue:
           enable_insecure_binding_system_authenticated: null
           enable_insecure_binding_system_unauthenticated: null
+      - name: network_tier_config
+        description: Network tier configuration for the cluster
+        varType: string
     outputs:
       - name: ca_certificate
         description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
@@ -716,3 +716,13 @@ variable "rbac_binding_config" {
     enable_insecure_binding_system_authenticated   = null
   }
 }
+
+variable "network_tier_config" {
+  description = "Network tier configuration for the cluster"
+  type        = string
+  default     = null
+  validation {
+    condition     = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)
+    error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"
+  }
+}
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
@@ -136,6 +136,7 @@ Then perform the following commands on the root folder:
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -329,6 +329,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type = var.stack_type
   }
 
diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml
@@ -247,6 +247,9 @@ spec:
         network_tags:
           name: network_tags
           title: Network Tags
+        network_tier_config:
+          name: network_tier_config
+          title: Network Tier Config
         node_pools_cgroup_mode:
           name: node_pools_cgroup_mode
           title: Node Pools Cgroup Mode
diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml
@@ -512,6 +512,9 @@ spec:
         defaultValue:
           enable_insecure_binding_system_authenticated: null
           enable_insecure_binding_system_unauthenticated: null
+      - name: network_tier_config
+        description: Network tier configuration for the cluster
+        varType: string
     outputs:
       - name: ca_certificate
         description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
@@ -680,3 +680,13 @@ variable "rbac_binding_config" {
     enable_insecure_binding_system_authenticated   = null
   }
 }
+
+variable "network_tier_config" {
+  description = "Network tier configuration for the cluster"
+  type        = string
+  default     = null
+  validation {
+    condition     = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)
+    error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"
+  }
+}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -281,6 +281,7 @@ Then perform the following commands on the root folder:
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -471,6 +471,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type = var.stack_type
   }
 
diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml
@@ -325,6 +325,9 @@ spec:
         master_ipv4_cidr_block:
           name: master_ipv4_cidr_block
           title: Master Ipv4 Cidr Block
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus
@@ -361,6 +364,9 @@ spec:
         network_tags:
           name: network_tags
           title: Network Tags
+        network_tier_config:
+          name: network_tier_config
+          title: Network Tier Config
         node_metadata:
           name: node_metadata
           title: Node Metadata
diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml
@@ -831,6 +831,9 @@ spec:
         defaultValue:
           enable_insecure_binding_system_authenticated: null
           enable_insecure_binding_system_unauthenticated: null
+      - name: network_tier_config
+        description: Network tier configuration for the cluster
+        varType: string
     outputs:
       - name: ca_certificate
         description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -1164,3 +1164,13 @@ variable "rbac_binding_config" {
     enable_insecure_binding_system_authenticated   = null
   }
 }
+
+variable "network_tier_config" {
+  description = "Network tier configuration for the cluster"
+  type        = string
+  default     = null
+  validation {
+    condition     = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)
+    error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"
+  }
+}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -259,6 +259,7 @@ Then perform the following commands on the root folder:
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -471,6 +471,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type = var.stack_type
   }
 
diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml
@@ -325,6 +325,9 @@ spec:
         master_ipv4_cidr_block:
           name: master_ipv4_cidr_block
           title: Master Ipv4 Cidr Block
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus
@@ -361,6 +364,9 @@ spec:
         network_tags:
           name: network_tags
           title: Network Tags
+        network_tier_config:
+          name: network_tier_config
+          title: Network Tier Config
         node_metadata:
           name: node_metadata
           title: Node Metadata
diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml
@@ -831,6 +831,9 @@ spec:
         defaultValue:
           enable_insecure_binding_system_authenticated: null
           enable_insecure_binding_system_unauthenticated: null
+      - name: network_tier_config
+        description: Network tier configuration for the cluster
+        varType: string
     outputs:
       - name: ca_certificate
         description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -1164,3 +1164,13 @@ variable "rbac_binding_config" {
     enable_insecure_binding_system_authenticated   = null
   }
 }
+
+variable "network_tier_config" {
+  description = "Network tier configuration for the cluster"
+  type        = string
+  default     = null
+  validation {
+    condition     = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)
+    error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"
+  }
+}
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
@@ -270,6 +270,7 @@ Then perform the following commands on the root folder:
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -471,6 +471,12 @@ resource "google_container_cluster" "primary" {
         pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names
       }
     }
+    dynamic "network_tier_config" {
+      for_each = var.network_tier_config != null ? [1] : []
+      content {
+        network_tier = var.network_tier_config
+      }
+    }
     stack_type = var.stack_type
   }
 
diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml
@@ -310,6 +310,9 @@ spec:
         master_authorized_networks:
           name: master_authorized_networks
           title: Master Authorized Networks
+        monitoring_auto_monitoring_config_scope:
+          name: monitoring_auto_monitoring_config_scope
+          title: Monitoring Auto Monitoring Config Scope
         monitoring_enable_managed_prometheus:
           name: monitoring_enable_managed_prometheus
           title: Monitoring Enable Managed Prometheus
@@ -346,6 +349,9 @@ spec:
         network_tags:
           name: network_tags
           title: Network Tags
+        network_tier_config:
+          name: network_tier_config
+          title: Network Tier Config
         node_metadata:
           name: node_metadata
           title: Node Metadata
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -809,6 +809,9 @@ spec:
         defaultValue:
           enable_insecure_binding_system_authenticated: null
           enable_insecure_binding_system_unauthenticated: null
+      - name: network_tier_config
+        description: Network tier configuration for the cluster
+        varType: string
     outputs:
       - name: ca_certificate
         description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
@@ -1128,3 +1128,13 @@ variable "rbac_binding_config" {
     enable_insecure_binding_system_authenticated   = null
   }
 }
+
+variable "network_tier_config" {
+  description = "Network tier configuration for the cluster"
+  type        = string
+  default     = null
+  validation {
+    condition     = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)
+    error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"
+  }
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -248,6 +248,7 @@ Then perform the following commands on the root folder:
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to autopilot and auto-provisioned node pools. | `list(string)` | `[]` | no |
+| network\_tier\_config | Network tier configuration for the cluster | `string` | `null` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no |
 | node\_pools | List of maps containing node pools | `list(map(any))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
 | node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
diff --git a/modules/gke-autopilot-cluster/metadata.yaml b/modules/gke-autopilot-cluster/metadata.yaml
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -567,6 +567,12 @@ resource "google_container_cluster" "primary" {`
`567`	`567`	`pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names`
`568`	`568`	`}`
`569`	`569`	`}`
	`570`	`+ dynamic "network_tier_config" {`
	`571`	`+ for_each = var.network_tier_config != null ? [1] : []`
	`572`	`+ content {`
	`573`	`+ network_tier = var.network_tier_config`
	`574`	`+ }`
	`575`	`+ }`
`570`	`576`	`stack_type = var.stack_type`
`571`	`577`	`}`
`572`	`578`
Original file line number	Diff line number	Diff line change
`@@ -1246,3 +1246,13 @@ variable "rbac_binding_config" {`
`1246`	`1246`	`enable_insecure_binding_system_authenticated = null`
`1247`	`1247`	`}`
`1248`	`1248`	`}`
	`1249`	`+`
	`1250`	`+variable "network_tier_config" {`
	`1251`	`+ description = "Network tier configuration for the cluster"`
	`1252`	`+ type = string`
	`1253`	`+ default = null`
	`1254`	`+ validation {`
	`1255`	`+ condition = var.network_tier_config == null ? true : contains(["NETWORK_TIER_DEFAULT", "NETWORK_TIER_STANDARD", "NETWORK_TIER_PREMIUM"], var.network_tier_config)`
	`1256`	`+ error_message = "Network tier allowed values are only NETWORK_TIER_DEFAULT, NETWORK_TIER_STANDARD or NETWORK_TIER_PREMIUM"`
	`1257`	`+ }`
	`1258`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -434,6 +434,12 @@ resource "google_container_cluster" "primary" {`
`434`	`434`	`pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names`
`435`	`435`	`}`
`436`	`436`	`}`
	`437`	`+ dynamic "network_tier_config" {`
	`438`	`+ for_each = var.network_tier_config != null ? [1] : []`
	`439`	`+ content {`
	`440`	`+ network_tier = var.network_tier_config`
	`441`	`+ }`
	`442`	`+ }`
`437`	`443`	`stack_type = var.stack_type`
`438`	`444`	`}`
`439`	`445`
Original file line number	Diff line number	Diff line change
`@@ -329,6 +329,12 @@ resource "google_container_cluster" "primary" {`
`329`	`329`	`pod_ipv4_range_names = additional_ip_ranges_config.value.pod_ipv4_range_names`
`330`	`330`	`}`
`331`	`331`	`}`
	`332`	`+ dynamic "network_tier_config" {`
	`333`	`+ for_each = var.network_tier_config != null ? [1] : []`
	`334`	`+ content {`
	`335`	`+ network_tier = var.network_tier_config`
	`336`	`+ }`
	`337`	`+ }`
`332`	`338`	`stack_type = var.stack_type`
`333`	`339`	`}`
`334`	`340`