cloud-foundation-fabric/blueprints/gke/patterns/autopilot-cluster/main.tf

/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

locals {
  cluster_create = var.cluster_create != null || local.vpc_create
  create_nat     = local.vpc_create && try(var.vpc_create.enable_cloud_nat, false) == true
  vpc_create = (
    !local.use_shared_vpc && (
      var.vpc_create != null || var.project_create != null
    )
  )
  fleet_host = join("", [
    "https://connectgateway.googleapis.com/v1/",
    "projects/${local.fleet_project.number}/",
    "locations/global/gkeMemberships/${var.cluster_name}"
  ])
  fleet_project = (
    var.fleet_project_id == null
    ? {
      project_id = var.project_id
      number     = module.project.number
    }
    : {
      project_id = var.fleet_project_id
      number     = module.fleet-project.0.number
    }
  )
  proxy_only_subnet = (local.vpc_create && try(var.vpc_create.proxy_only_subnet, null) != null) ? [
    {
      ip_cidr_range = var.vpc_create.proxy_only_subnet
      name          = "proxy"
      region        = var.region
      active        = true
    }
  ] : null
  use_shared_vpc = (
    try(var.project_create.shared_vpc_host, null) != null
  )
}

module "project" {
  source          = "../../../../modules/project"
  parent          = try(var.project_create.parent, null)
  billing_account = try(var.project_create.billing_account, null)
  name            = var.project_id
  project_create  = var.project_create != null
  services = compact([
    "anthos.googleapis.com",
    var.registry_create ? "artifactregistry.googleapis.com" : null,
    "cloudresourcemanager.googleapis.com",
    "connectgateway.googleapis.com",
    "container.googleapis.com",
    "gkeconnect.googleapis.com",
    "gkehub.googleapis.com",
    "stackdriver.googleapis.com"
  ])
  shared_vpc_service_config = !local.use_shared_vpc ? null : {
    attach       = true
    host_project = var.project_create.shared_vpc_host
    # grant required roles on the host project to service identities
    service_identity_iam = {
      "roles/compute.networkUser" = [
        "cloudservices", "container-engine"
      ]
      "roles/container.hostServiceAgentUser" = [
        "container-engine"
      ]
    }
  }
  iam_bindings_additive = merge(
    # allow GKE fleet service identity to manage clusters in this project
    {
      gkehub-robot = {
        role = "roles/gkehub.serviceAgent"
        member = (
          var.fleet_project_id == null
          ? "serviceAccount:${module.project.service_accounts.robots.gkehub}"
          : "serviceAccount:${module.fleet-project.0.service_accounts.robots.gkehub}"
        )
      }
    },
    # grant required roles to GKE node service account
    {
      for r in local.cluster_sa_roles : "gke-sa-${r}" => {
        role   = r
        member = "serviceAccount:${local.cluster_sa}"
      }
    }
  )
}

module "vpc" {
  source     = "../../../../modules/net-vpc"
  count      = local.vpc_create ? 1 : 0
  project_id = module.project.project_id
  name = coalesce(
    try(var.vpc_create.name, null), var.prefix
  )
  subnets = [{
    name = coalesce(
      try(var.vpc_create.subnet_name, null), "${var.prefix}-default"
    )
    region = var.region
    ip_cidr_range = try(
      var.vpc_create.primary_range_nodes, "10.0.0.0/24"
    )
    secondary_ip_ranges = {
      pods = try(
        var.vpc_create.secondary_range_pods, "10.16.0.0/20"
      )
      services = try(
        var.vpc_create.secondary_range_services, "10.32.0.0/24"
      )
    }
  }]
  subnets_proxy_only = local.proxy_only_subnet
}

module "fleet-project" {
  source         = "../../../../modules/project"
  count          = var.fleet_project_id == null ? 0 : 1
  name           = var.fleet_project_id
  project_create = false
}

module "fleet" {
  source     = "../../../../modules/gke-hub"
  project_id = local.fleet_project.project_id
  clusters = {
    (var.cluster_name) = (
      var.cluster_create != null
      ? module.cluster.0.id
      : "projects/${var.project_id}/locations/${var.region}/clusters/${var.cluster_name}"
    )
  }
}

module "registry" {
  source     = "../../../../modules/artifact-registry"
  count      = var.registry_create ? 1 : 0
  project_id = module.project.project_id
  location   = var.region
  name       = var.prefix
  format     = { docker = {} }
  mode       = { remote = true }
}

module "nat" {
  source         = "../../../../modules/net-cloudnat"
  count          = local.create_nat ? 1 : 0
  project_id     = module.project.project_id
  region         = var.region
  name           = "default"
  router_network = local.cluster_vpc.network
}
GKE stateful blueprints (#2059) * var definitions * skeleton, untested * fix errors, test with existing cluster * test vpc creation, todo notes * initial variables for AR and image * initial variables for AR and image * Add support for remote repositories to artifact-registry * Add support for virtual repositories to artifact-registry * Add support for extra config options to artifact-registry * artifact registry module: add validation and precondition, fix tests * ar module id/name * registry * service accoutn and roles * fetch pods, remove image prefix * small changes * use additive IAM at project level * use additive IAM at project level * configmaps * manifests * fix statefulset manifest * service manifest * fix configmap mode * add todo * job (broken) * job * wait on manifest, endpoints datasource * fix job * Fix local * sa * Update README.md * Restructure gke bp * refactor tree and infra variables * no create test * simplify cluster SA * test cluster and vpc creation * project creation fixes * use iam_members variable * nits * readme with examples * readme with examples * outputs * variables, provider configuration * variables, manifests * start cluster job * fix redis cluster creation Co-authored-by: Julio Castillo <juliocc@users.noreply.github.com> * Revert changes in autopilot cluster * Default templates path, use namespace for node names * Update readmes * Fix IAM bindings * Make STABLE the default release channel * Use Cloud DNS as default DNS provider * Allow optional Cloud NAT creation * Allow backup agent and proxy only subnet * Work around terraform not short-circuiting logical operators * Rename create variables to be more consistent with other blueprints * Add basic features * Update variable names * Initial kafka JS * Move providers to a new file * Kafka / Strimzi * First possibily working version for MySQL (with a lot of todo's left) * Explicitly use proxy repo + some other fixes * Strimzi draft * Refactor variables, use CluterIP as pointer for mysql-router for bootstraping * Validate number of replicas, autoscale required number of running nodes to n/2+1 * Use seaprate service for bootstrap, do not recreate all resources on change of replicas count as the config is preserved in PV * Test dual chart kafka * Update chart for kafka * Expose basic kafka configuration options * Remove unused manifest * Added batch blueprint * Added README * switch to kubectl_manifest * Add README and support for static IP address * Move namespace creation to helm * Interpolate kafka variables * Rename kafka-strimzi to kafka * Added TUTORIAL for cloudshell for batch blueprint * deleted tutorial * Remove commented replace trigger * Move to helm chart * WIP of Cloud Shell tutorial for MySQL * Rename folders * Fix rename * Update paths * Unify styles * Update paths * Add Readme links * Update mysql tutorial * Fix path according to self-link * Use relative path to cwd * Fix service_account variable location * Fix tfvars creation * Restore some fixes for helm deployment * Add cluster deletion_prevention * Fixes for tutorial * Update cluster docs * Fixes to batch tutorial * Bare bones readme for batch * Update batch readme * README fixes * Fix README title for redis * Fix Typos * Make it easy to pass variables from autopilot-cluster to other modules * Add connectivity test and bastion host * updates to readme, and gpu fix * Add versions.tf and README updates * Fix typo * Kafka and Redis README updates * Update versions.tf * Fixes * Add boilerplate * Fix linting * Move mysql to separate branch * Update cloud shell links * Fix broken link --------- Co-authored-by: Ludo <ludomagno@google.com> Co-authored-by: Daniel Marzini <44803752+danielmarzini@users.noreply.github.com> Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Miren Esnaola <mirene@google.com> 2024-02-08 10:28:41 -08:00			`/**`
			`* Copyright 2024 Google LLC`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`locals {`
			`cluster_create = var.cluster_create != null \|\| local.vpc_create`
			`create_nat = local.vpc_create && try(var.vpc_create.enable_cloud_nat, false) == true`
			`vpc_create = (`
			`!local.use_shared_vpc && (`
			`var.vpc_create != null \|\| var.project_create != null`
			`)`
			`)`
			`fleet_host = join("", [`
			`"https://connectgateway.googleapis.com/v1/",`
			`"projects/${local.fleet_project.number}/",`
			`"locations/global/gkeMemberships/${var.cluster_name}"`
			`])`
			`fleet_project = (`
			`var.fleet_project_id == null`
			`? {`
			`project_id = var.project_id`
			`number = module.project.number`
			`}`
			`: {`
			`project_id = var.fleet_project_id`
			`number = module.fleet-project.0.number`
			`}`
			`)`
			`proxy_only_subnet = (local.vpc_create && try(var.vpc_create.proxy_only_subnet, null) != null) ? [`
			`{`
			`ip_cidr_range = var.vpc_create.proxy_only_subnet`
			`name = "proxy"`
			`region = var.region`
			`active = true`
			`}`
			`] : null`
			`use_shared_vpc = (`
			`try(var.project_create.shared_vpc_host, null) != null`
			`)`
			`}`

			`module "project" {`
			`source = "../../../../modules/project"`
			`parent = try(var.project_create.parent, null)`
			`billing_account = try(var.project_create.billing_account, null)`
			`name = var.project_id`
			`project_create = var.project_create != null`
			`services = compact([`
			`"anthos.googleapis.com",`
			`var.registry_create ? "artifactregistry.googleapis.com" : null,`
			`"cloudresourcemanager.googleapis.com",`
			`"connectgateway.googleapis.com",`
			`"container.googleapis.com",`
			`"gkeconnect.googleapis.com",`
			`"gkehub.googleapis.com",`
			`"stackdriver.googleapis.com"`
			`])`
			`shared_vpc_service_config = !local.use_shared_vpc ? null : {`
			`attach = true`
			`host_project = var.project_create.shared_vpc_host`
			`# grant required roles on the host project to service identities`
			`service_identity_iam = {`
			`"roles/compute.networkUser" = [`
			`"cloudservices", "container-engine"`
			`]`
			`"roles/container.hostServiceAgentUser" = [`
			`"container-engine"`
			`]`
			`}`
			`}`
			`iam_bindings_additive = merge(`
			`# allow GKE fleet service identity to manage clusters in this project`
			`{`
			`gkehub-robot = {`
			`role = "roles/gkehub.serviceAgent"`
			`member = (`
			`var.fleet_project_id == null`
			`? "serviceAccount:${module.project.service_accounts.robots.gkehub}"`
			`: "serviceAccount:${module.fleet-project.0.service_accounts.robots.gkehub}"`
			`)`
			`}`
			`},`
			`# grant required roles to GKE node service account`
			`{`
			`for r in local.cluster_sa_roles : "gke-sa-${r}" => {`
			`role = r`
			`member = "serviceAccount:${local.cluster_sa}"`
			`}`
			`}`
			`)`
			`}`

			`module "vpc" {`
			`source = "../../../../modules/net-vpc"`
			`count = local.vpc_create ? 1 : 0`
			`project_id = module.project.project_id`
			`name = coalesce(`
			`try(var.vpc_create.name, null), var.prefix`
			`)`
			`subnets = [{`
			`name = coalesce(`
			`try(var.vpc_create.subnet_name, null), "${var.prefix}-default"`
			`)`
			`region = var.region`
			`ip_cidr_range = try(`
			`var.vpc_create.primary_range_nodes, "10.0.0.0/24"`
			`)`
			`secondary_ip_ranges = {`
			`pods = try(`
			`var.vpc_create.secondary_range_pods, "10.16.0.0/20"`
			`)`
			`services = try(`
			`var.vpc_create.secondary_range_services, "10.32.0.0/24"`
			`)`
			`}`
			`}]`
			`subnets_proxy_only = local.proxy_only_subnet`
			`}`

			`module "fleet-project" {`
			`source = "../../../../modules/project"`
			`count = var.fleet_project_id == null ? 0 : 1`
			`name = var.fleet_project_id`
			`project_create = false`
			`}`

			`module "fleet" {`
			`source = "../../../../modules/gke-hub"`
			`project_id = local.fleet_project.project_id`
			`clusters = {`
			`(var.cluster_name) = (`
			`var.cluster_create != null`
			`? module.cluster.0.id`
			`: "projects/${var.project_id}/locations/${var.region}/clusters/${var.cluster_name}"`
			`)`
			`}`
			`}`

			`module "registry" {`
			`source = "../../../../modules/artifact-registry"`
			`count = var.registry_create ? 1 : 0`
			`project_id = module.project.project_id`
			`location = var.region`
			`name = var.prefix`
			`format = { docker = {} }`
			`mode = { remote = true }`
			`}`

			`module "nat" {`
			`source = "../../../../modules/net-cloudnat"`
			`count = local.create_nat ? 1 : 0`
			`project_id = module.project.project_id`
			`region = var.region`
			`name = "default"`
			`router_network = local.cluster_vpc.network`
			`}`