zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add example to FAST GKE stage, streamline GKE Hub module variables and usage (#1977) 

* implement optionals in gke-hub module

* simplify gke hub module call in mc mesh blueprint

* simplify gke hub module call and variables in multitenant blueprint

* gke hub inventory

* provide cluster and fleet examples in stage
This commit is contained in:
Ludovico Magnocavallo 2024-01-20 11:06:38 +01:00 committed by GitHub
parent d62012cebc
commit 11d7edac64
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 143 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
blueprints/gke/multi-cluster-mesh-gke-fleet-api/gke.tf
View File

@ -63,12 +63,7 @@ module "hub" {
project_id = module.fleet_project.project_id
clusters = { for k, v in module.clusters : k => v.id }
features = {
appdevexperience = false
configmanagement = false
identityservice = false
multiclusteringress = null
servicemesh = true
multiclusterservicediscovery = false
servicemesh = true
}
depends_on = [
module.fleet_project

40
blueprints/gke/multitenant-fleet/README.md
View File

@ -175,7 +175,6 @@ module "gke" {
}
}
fleet_features = {
appdevexperience = false
configmanagement = true
identityservice = true
multiclusteringress = "cluster-0"
@ -188,15 +187,11 @@ module "gke" {
binauthz = true
config_sync = {
git = {
gcp_service_account_email = null
https_proxy = null
policy_dir = "configsync"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "main"
sync_repo = "https://github.com/myorg/myrepo"
sync_rev = null
sync_wait_secs = null
policy_dir = "configsync"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "main"
sync_repo = "https://github.com/myorg/myrepo"
}
prevent_drift = true
source_format = "hierarchy"
@ -223,7 +218,6 @@ module "gke" {
vpc_self_link = "projects/prj-host/global/networks/prod-0"
}
}
# tftest modules=8 resources=38
```
@ -245,21 +239,21 @@ module "gke" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [billing_account_id](variables.tf#L17) | Billing account ID. | <code>string</code> | ✓ | |
| [folder_id](variables.tf#L161) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | <code>string</code> | ✓ | |
| [prefix](variables.tf#L211) | Prefix used for resource names. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L220) | ID of the project that will contain all the clusters. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L232) | Shared VPC project and VPC details. | <code title="object&#40;&#123;&#10; host_project_id &#61; string&#10; vpc_self_link &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [folder_id](variables.tf#L134) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | <code>string</code> | ✓ | |
| [prefix](variables.tf#L184) | Prefix used for resource names. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L193) | ID of the project that will contain all the clusters. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L205) | Shared VPC project and VPC details. | <code title="object&#40;&#123;&#10; host_project_id &#61; string&#10; vpc_self_link &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [clusters](variables.tf#L22) | Clusters configuration. Refer to the gke-cluster module for type details. | <code title="map&#40;object&#40;&#123;&#10; cluster_autoscaling &#61; optional&#40;any&#41;&#10; description &#61; optional&#40;string&#41;&#10; enable_addons &#61; optional&#40;any, &#123;&#10; horizontal_pod_autoscaling &#61; true, http_load_balancing &#61; true&#10; &#125;&#41;&#10; enable_features &#61; optional&#40;any, &#123;&#10; workload_identity &#61; true&#10; &#125;&#41;&#10; issue_client_certificate &#61; optional&#40;bool, false&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; location &#61; string&#10; logging_config &#61; optional&#40;object&#40;&#123;&#10; enable_system_logs &#61; optional&#40;bool, true&#41;&#10; enable_workloads_logs &#61; optional&#40;bool, true&#41;&#10; enable_api_server_logs &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_logs &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; maintenance_config &#61; optional&#40;any, &#123;&#10; daily_window_start_time &#61; &#34;03:00&#34;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10; &#125;&#41;&#10; max_pods_per_node &#61; optional&#40;number, 110&#41;&#10; min_master_version &#61; optional&#40;string&#41;&#10; monitoring_config &#61; optional&#40;object&#40;&#123;&#10; enable_system_metrics &#61; optional&#40;bool, true&#41;&#10; enable_api_server_metrics &#61; optional&#40;bool, false&#41;&#10; enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10; enable_scheduler_metrics &#61; optional&#40;bool, false&#41;&#10; enable_daemonset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_deployment_metrics &#61; optional&#40;bool, false&#41;&#10; enable_hpa_metrics &#61; optional&#40;bool, false&#41;&#10; enable_pod_metrics &#61; optional&#40;bool, false&#41;&#10; enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10; enable_storage_metrics &#61; optional&#40;bool, false&#41;&#10; enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#10;&#10; node_locations &#61; optional&#40;list&#40;string&#41;&#41;&#10; private_cluster_config &#61; optional&#40;any&#41;&#10; release_channel &#61; optional&#40;string&#41;&#10; vpc_config &#61; object&#40;&#123;&#10; subnetwork &#61; string&#10; network &#61; optional&#40;string&#41;&#10; secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;&#41;&#10; secondary_range_names &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;, &#123; pods &#61; &#34;pods&#34;, services &#61; &#34;services&#34; &#125;&#41;&#10; master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10; master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10; &#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [deletion_protection](variables.tf#L92) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | <code>bool</code> | | <code>false</code> |
| [fleet_configmanagement_clusters](variables.tf#L99) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [fleet_configmanagement_templates](variables.tf#L106) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code title="map&#40;object&#40;&#123;&#10; binauthz &#61; bool&#10; config_sync &#61; object&#40;&#123;&#10; git &#61; object&#40;&#123;&#10; gcp_service_account_email &#61; string&#10; https_proxy &#61; string&#10; policy_dir &#61; string&#10; secret_type &#61; string&#10; sync_branch &#61; string&#10; sync_repo &#61; string&#10; sync_rev &#61; string&#10; sync_wait_secs &#61; number&#10; &#125;&#41;&#10; prevent_drift &#61; string&#10; source_format &#61; string&#10; &#125;&#41;&#10; hierarchy_controller &#61; object&#40;&#123;&#10; enable_hierarchical_resource_quota &#61; bool&#10; enable_pod_tree_labels &#61; bool&#10; &#125;&#41;&#10; policy_controller &#61; object&#40;&#123;&#10; audit_interval_seconds &#61; number&#10; exemptable_namespaces &#61; list&#40;string&#41;&#10; log_denies_enabled &#61; bool&#10; referential_rules_enabled &#61; bool&#10; template_library_installed &#61; bool&#10; &#125;&#41;&#10; version &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [fleet_features](variables.tf#L141) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | <code title="object&#40;&#123;&#10; appdevexperience &#61; bool&#10; configmanagement &#61; bool&#10; identityservice &#61; bool&#10; multiclusteringress &#61; string&#10; multiclusterservicediscovery &#61; bool&#10; servicemesh &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [fleet_workload_identity](variables.tf#L154) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | <code>bool</code> | | <code>false</code> |
| [group_iam](variables.tf#L166) | Project-level IAM bindings for groups. Use group emails as keys, list of roles as values. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam](variables.tf#L173) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [labels](variables.tf#L180) | Project-level labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [nodepools](variables.tf#L186) | Nodepools configuration. Refer to the gke-nodepool module for type details. | <code title="map&#40;map&#40;object&#40;&#123;&#10; gke_version &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; max_pods_per_node &#61; optional&#40;number&#41;&#10; name &#61; optional&#40;string&#41;&#10; node_config &#61; optional&#40;any, &#123; disk_type &#61; &#34;pd-balanced&#34; &#125;&#41;&#10; node_count &#61; optional&#40;map&#40;number&#41;, &#123; initial &#61; 1 &#125;&#41;&#10; node_locations &#61; optional&#40;list&#40;string&#41;&#41;&#10; nodepool_config &#61; optional&#40;any&#41;&#10; pod_range &#61; optional&#40;any&#41;&#10; reservation_affinity &#61; optional&#40;any&#41;&#10; service_account &#61; optional&#40;any&#41;&#10; sole_tenant_nodegroup &#61; optional&#40;string&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; taints &#61; optional&#40;map&#40;object&#40;&#123;&#10; value &#61; string&#10; effect &#61; string&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [project_services](variables.tf#L225) | Additional project services to enable. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [fleet_configmanagement_templates](variables.tf#L106) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [fleet_features](variables.tf#L114) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | <code title="object&#40;&#123;&#10; appdevexperience &#61; optional&#40;bool, false&#41;&#10; configmanagement &#61; optional&#40;bool, false&#41;&#10; identityservice &#61; optional&#40;bool, false&#41;&#10; multiclusteringress &#61; optional&#40;string, null&#41;&#10; multiclusterservicediscovery &#61; optional&#40;bool, false&#41;&#10; servicemesh &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [fleet_workload_identity](variables.tf#L127) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | <code>bool</code> | | <code>false</code> |
| [group_iam](variables.tf#L139) | Project-level IAM bindings for groups. Use group emails as keys, list of roles as values. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam](variables.tf#L146) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [labels](variables.tf#L153) | Project-level labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [nodepools](variables.tf#L159) | Nodepools configuration. Refer to the gke-nodepool module for type details. | <code title="map&#40;map&#40;object&#40;&#123;&#10; gke_version &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; max_pods_per_node &#61; optional&#40;number&#41;&#10; name &#61; optional&#40;string&#41;&#10; node_config &#61; optional&#40;any, &#123; disk_type &#61; &#34;pd-balanced&#34; &#125;&#41;&#10; node_count &#61; optional&#40;map&#40;number&#41;, &#123; initial &#61; 1 &#125;&#41;&#10; node_locations &#61; optional&#40;list&#40;string&#41;&#41;&#10; nodepool_config &#61; optional&#40;any&#41;&#10; pod_range &#61; optional&#40;any&#41;&#10; reservation_affinity &#61; optional&#40;any&#41;&#10; service_account &#61; optional&#40;any&#41;&#10; sole_tenant_nodegroup &#61; optional&#40;string&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; taints &#61; optional&#40;map&#40;object&#40;&#123;&#10; value &#61; string&#10; effect &#61; string&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [project_services](variables.tf#L198) | Additional project services to enable. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
## Outputs

11
blueprints/gke/multitenant-fleet/main.tf
View File

@ -63,17 +63,6 @@ module "gke-project-0" {
})
}
# specify project-level org policies here if you need them
# policy_boolean = {
# "compute.disableGuestAttributesAccess" = true
# }
# policy_list = {
# "compute.trustedImageProjects" = {
# inherit_from_parent = null
# suggested_value = null
# status = true
# values = ["projects/fl01-prod-iac-core-0"]
# }
# }
}
module "gke-dataset-resource-usage" {

43
blueprints/gke/multitenant-fleet/variables.tf
View File

@ -105,35 +105,8 @@ variable "fleet_configmanagement_clusters" {
variable "fleet_configmanagement_templates" {
description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format."
type = map(object({
binauthz = bool
config_sync = object({
git = object({
gcp_service_account_email = string
https_proxy = string
policy_dir = string
secret_type = string
sync_branch = string
sync_repo = string
sync_rev = string
sync_wait_secs = number
})
prevent_drift = string
source_format = string
})
hierarchy_controller = object({
enable_hierarchical_resource_quota = bool
enable_pod_tree_labels = bool
})
policy_controller = object({
audit_interval_seconds = number
exemptable_namespaces = list(string)
log_denies_enabled = bool
referential_rules_enabled = bool
template_library_installed = bool
})
version = string
}))
# refer to the gke-hub module for the full type
type = map(any)
default = {}
nullable = false
}
@ -141,12 +114,12 @@ variable "fleet_configmanagement_templates" {
variable "fleet_features" {
description = "Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used."
type = object({
appdevexperience = bool
configmanagement = bool
identityservice = bool
multiclusteringress = string
multiclusterservicediscovery = bool
servicemesh = bool
appdevexperience = optional(bool, false)
configmanagement = optional(bool, false)
identityservice = optional(bool, false)
multiclusteringress = optional(string, null)
multiclusterservicediscovery = optional(bool, false)
servicemesh = optional(bool, false)
})
default = null
}

75
fast/stages/3-gke-multitenant/dev/README.md
View File

@ -8,13 +8,29 @@ The following diagram illustrates the high-level design of created resources, wh
<img src="diagram.png" alt="GKE multitenant">
</p>
<!-- BEGIN TOC -->
- [Design overview and choices](#design-overview-and-choices)
- [How to run this stage](#how-to-run-this-stage)
- [Provider and Terraform variables](#provider-and-terraform-variables)
- [Impersonating the automation service account](#impersonating-the-automation-service-account)
- [Variable configuration](#variable-configuration)
- [Running the stage](#running-the-stage)
- [Running in isolation](#running-in-isolation)
- [Customizations](#customizations)
- [Clusters and node pools](#clusters-and-node-pools)
- [Fleet management](#fleet-management)
- [Files](#files)
- [Variables](#variables)
- [Outputs](#outputs)
<!-- END TOC -->
## Design overview and choices
> The detailed architecture of the underlying resources is explained in the documentation of [GKE multitenant module](../../../../blueprints/gke/multitenant-fleet/README.md).
> The detailed architecture of the underlying resources is explained in the documentation of the [GKE multitenant blueprint](../../../../blueprints/gke/multitenant-fleet/README.md).
This stage creates a project containing and as many clusters and node pools as requested by the user through the [variables](#variables) explained below. The GKE clusters are created with the with the following setup:
This stage creates a project containing as many clusters and node pools as requested by the user, configured via the [variables](#variables) explained below. The GKE clusters are created with the following setup:
- All clusters are assumed to be [private](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), therefore only [VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips) are supported.
- Even though public clusters are supported, this stage is designed with [private clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) in mind so it only supports [VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips).
- Logging and monitoring configured to use Cloud Operations for system components and user workloads.
- [GKE metering](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering) enabled by default and stored in a bigquery dataset created within the project.
- Optional [GKE Fleet](https://cloud.google.com/kubernetes-engine/docs/fleets-overview) support with the possibility to enable any of the following features:
@ -125,16 +141,41 @@ The VPC host project, VPC and subnets should already exist.
## Customizations
### Cluster and node pools
This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables allow management of clusters, nodepools, and fleet registration and configurations.
This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables are designed to support this approach for both clusters and node pools:
### Clusters and node pools
- the `cluster_default` variable allows defining common defaults for all clusters
- the `clusters` variable is used to declare the actual GKE clusters and allows overriding defaults on a per-cluster basis
- the `nodepool_defaults` variable allows defining common defaults for all node pools
- the `nodepools` variable is used to declare cluster node pools and allows overriding defaults on a per-cluster basis
This is an example of declaring a private cluster with one nodepool via `tfvars` file:
There are two additional variables that influence cluster configuration: `authenticator_security_group` to configure [Google Groups for RBAC](https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac), `dns_domain` to configure [Cloud DNS for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns).
```hcl
clusters = {
test-00 = {
description = "Cluster test 0"
location = "europe-west8"
private_cluster_config = {
enable_private_endpoint = true
master_global_access = true
}
vpc_config = {
subnetwork = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke"
master_ipv4_cidr_block = "172.16.20.0/28"
master_authorized_ranges = {
private = "10.0.0.0/8"
}
}
}
}
nodepools = {
test-00 = {
00 = {
node_count = { initial = 1 }
}
}
}
# tftest skip
```
If clusters share similar configurations, those can be centralized via `locals` blocks in this stage's `main.tf` file, and merged in with clusters via a simple `for_each` loop. One example of this approach is provided in the underlying [GKE multitenant blueprint](../../../../blueprints/gke/multitenant-fleet/).
### Fleet management
@ -145,7 +186,19 @@ Fleet management is entirely optional, and uses three separate variables:
- `fleet_configmanagement_clusters`: specifies which clusters are managed by fleet features, and the optional Config Management template for each cluster
- `fleet_workload_identity`: to enables optional centralized [Workload Identity](https://cloud.google.com/anthos/fleet-management/docs/use-workload-identity)
Leave all these variables unset (or set to `null`) to disable fleet management.
Leave all these variables unset (or set to `null`) to disable fleet management. One example of a simple fleet configuration that integrates with the cluster example above:
```hcl
fleet_features = {
configmanagement = true
identityservice = true
multiclusteringress = "test-0"
multiclusterservicediscovery = true
servicemesh = true
}
# tftest skip
```
<!-- TFDOC OPTS files:1 show_extra:1 -->
<!-- BEGIN TFDOC -->

33
modules/gke-hub/README.md
View File

@ -75,29 +75,17 @@ module "hub" {
cluster-1 = module.cluster_1.id
}
features = {
appdevexperience = false
configmanagement = true
identityservice = false
multiclusteringress = null
servicemesh = false
multiclusterservicediscovery = false
configmanagement = true
}
configmanagement_templates = {
default = {
binauthz = false
config_sync = {
git = {
gcp_service_account_email = null
https_proxy = null
policy_dir = "configsync"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "main"
sync_repo = "https://github.com/danielmarzini/configsync-platform-example"
sync_rev = null
sync_wait_secs = null
policy_dir = "configsync"
source_format = "hierarchy"
sync_branch = "main"
sync_repo = "https://github.com/danielmarzini/configsync-platform-example"
}
prevent_drift = false
source_format = "hierarchy"
}
hierarchy_controller = {
@ -106,7 +94,6 @@ module "hub" {
}
policy_controller = {
audit_interval_seconds = 120
exemptable_namespaces = []
log_denies_enabled = true
referential_rules_enabled = true
template_library_installed = true
@ -317,22 +304,20 @@ module "hub" {
# tftest modules=8 resources=34
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_id](variables.tf#L87) | GKE hub project ID. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L80) | GKE hub project ID. | <code>string</code> | ✓ | |
| [clusters](variables.tf#L17) | Clusters members of this GKE Hub in name => id format. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [configmanagement_clusters](variables.tf#L24) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [configmanagement_templates](variables.tf#L31) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code title="map&#40;object&#40;&#123;&#10; binauthz &#61; bool&#10; config_sync &#61; object&#40;&#123;&#10; git &#61; object&#40;&#123;&#10; gcp_service_account_email &#61; string&#10; https_proxy &#61; string&#10; policy_dir &#61; string&#10; secret_type &#61; string&#10; sync_branch &#61; string&#10; sync_repo &#61; string&#10; sync_rev &#61; string&#10; sync_wait_secs &#61; number&#10; &#125;&#41;&#10; prevent_drift &#61; string&#10; source_format &#61; string&#10; &#125;&#41;&#10; hierarchy_controller &#61; object&#40;&#123;&#10; enable_hierarchical_resource_quota &#61; bool&#10; enable_pod_tree_labels &#61; bool&#10; &#125;&#41;&#10; policy_controller &#61; object&#40;&#123;&#10; audit_interval_seconds &#61; number&#10; exemptable_namespaces &#61; list&#40;string&#41;&#10; log_denies_enabled &#61; bool&#10; referential_rules_enabled &#61; bool&#10; template_library_installed &#61; bool&#10; &#125;&#41;&#10; version &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [features](variables.tf#L66) | Enable and configure fleet features. | <code title="object&#40;&#123;&#10; appdevexperience &#61; optional&#40;bool, false&#41;&#10; configmanagement &#61; optional&#40;bool, false&#41;&#10; identityservice &#61; optional&#40;bool, false&#41;&#10; multiclusteringress &#61; optional&#40;string, null&#41;&#10; multiclusterservicediscovery &#61; optional&#40;bool, false&#41;&#10; servicemesh &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; appdevexperience &#61; false&#10; configmanagement &#61; false&#10; identityservice &#61; false&#10; multiclusteringress &#61; null&#10; servicemesh &#61; false&#10; multiclusterservicediscovery &#61; false&#10;&#125;">&#123;&#8230;&#125;</code> |
| [workload_identity_clusters](variables.tf#L92) | Clusters that will use Fleet Workload Identity. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [configmanagement_templates](variables.tf#L31) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | <code title="map&#40;object&#40;&#123;&#10; binauthz &#61; optional&#40;bool&#41;&#10; version &#61; optional&#40;string&#41;&#10; config_sync &#61; object&#40;&#123;&#10; git &#61; optional&#40;object&#40;&#123;&#10; sync_repo &#61; string&#10; policy_dir &#61; string&#10; gcp_service_account_email &#61; optional&#40;string&#41;&#10; https_proxy &#61; optional&#40;string&#41;&#10; secret_type &#61; optional&#40;string, &#34;none&#34;&#41;&#10; sync_branch &#61; optional&#40;string&#41;&#10; sync_rev &#61; optional&#40;string&#41;&#10; sync_wait_secs &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; prevent_drift &#61; optional&#40;bool&#41;&#10; source_format &#61; optional&#40;string, &#34;hierarchy&#34;&#41;&#10; &#125;&#41;&#10; hierarchy_controller &#61; optional&#40;object&#40;&#123;&#10; enable_hierarchical_resource_quota &#61; optional&#40;bool&#41;&#10; enable_pod_tree_labels &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; policy_controller &#61; object&#40;&#123;&#10; audit_interval_seconds &#61; optional&#40;number&#41;&#10; exemptable_namespaces &#61; optional&#40;list&#40;string&#41;&#41;&#10; log_denies_enabled &#61; optional&#40;bool&#41;&#10; referential_rules_enabled &#61; optional&#40;bool&#41;&#10; template_library_installed &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [features](variables.tf#L66) | Enable and configure fleet features. | <code title="object&#40;&#123;&#10; appdevexperience &#61; optional&#40;bool, false&#41;&#10; configmanagement &#61; optional&#40;bool, false&#41;&#10; identityservice &#61; optional&#40;bool, false&#41;&#10; multiclusteringress &#61; optional&#40;string, null&#41;&#10; multiclusterservicediscovery &#61; optional&#40;bool, false&#41;&#10; servicemesh &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [workload_identity_clusters](variables.tf#L85) | Clusters that will use Fleet Workload Identity. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [cluster_ids](outputs.tf#L17) | Fully qualified ids of all clusters. | |
<!-- END TFDOC -->

53
modules/gke-hub/variables.tf
View File

@ -31,33 +31,33 @@ variable "configmanagement_clusters" {
variable "configmanagement_templates" {
description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format."
type = map(object({
binauthz = bool
binauthz = optional(bool)
version = optional(string)
config_sync = object({
git = object({
gcp_service_account_email = string
https_proxy = string
policy_dir = string
secret_type = string
sync_branch = string
git = optional(object({
sync_repo = string
sync_rev = string
sync_wait_secs = number
})
prevent_drift = string
source_format = string
})
hierarchy_controller = object({
enable_hierarchical_resource_quota = bool
enable_pod_tree_labels = bool
policy_dir = string
gcp_service_account_email = optional(string)
https_proxy = optional(string)
secret_type = optional(string, "none")
sync_branch = optional(string)
sync_rev = optional(string)
sync_wait_secs = optional(number)
}))
prevent_drift = optional(bool)
source_format = optional(string, "hierarchy")
})
hierarchy_controller = optional(object({
enable_hierarchical_resource_quota = optional(bool)
enable_pod_tree_labels = optional(bool)
}))
policy_controller = object({
audit_interval_seconds = number
exemptable_namespaces = list(string)
log_denies_enabled = bool
referential_rules_enabled = bool
template_library_installed = bool
audit_interval_seconds = optional(number)
exemptable_namespaces = optional(list(string))
log_denies_enabled = optional(bool)
referential_rules_enabled = optional(bool)
template_library_installed = optional(bool)
})
version = string
}))
default = {}
nullable = false
@ -73,14 +73,7 @@ variable "features" {
multiclusterservicediscovery = optional(bool, false)
servicemesh = optional(bool, false)
})
default = {
appdevexperience = false
configmanagement = false
identityservice = false
multiclusteringress = null
servicemesh = false
multiclusterservicediscovery = false
}
default = {}
nullable = false
}

23
tests/modules/gke_hub/examples/full.yaml
View File

@ -122,6 +122,7 @@ values:
remove_default_node_pool: true
resource_labels: null
resource_usage_export_config: []
timeouts: null
workload_identity_config:
- workload_pool: gkehub-test.svc.id.goog
module.hub.google_gke_hub_feature.default["configmanagement"]:
@ -131,6 +132,7 @@ values:
name: configmanagement
project: gkehub-test
spec: []
timeouts: null
module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
configmanagement:
- config_sync:
@ -145,7 +147,6 @@ values:
sync_wait_secs: null
metrics_gcp_service_account_email: null
oci: []
prevent_drift: false
source_format: hierarchy
hierarchy_controller:
- enable_hierarchical_resource_quota: true
@ -154,7 +155,7 @@ values:
policy_controller:
- audit_interval_seconds: '120'
enabled: true
exemptable_namespaces: []
exemptable_namespaces: null
log_denies_enabled: true
mutation_enabled: null
referential_rules_enabled: true
@ -166,6 +167,7 @@ values:
membership_location: null
mesh: []
project: gkehub-test
timeouts: null
module.hub.google_gke_hub_membership.default["cluster-1"]:
authority: []
description: null
@ -176,6 +178,7 @@ values:
location: global
membership_id: cluster-1
project: gkehub-test
timeouts: null
module.project.google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
@ -185,47 +188,57 @@ values:
org_id: null
project_id: gkehub-test
skip_delete: false
timeouts: null
module.project.google_project_service.project_services["anthosconfigmanagement.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: anthosconfigmanagement.googleapis.com
timeouts: null
module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: container.googleapis.com
timeouts: null
module.project.google_project_service.project_services["gkeconnect.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: gkeconnect.googleapis.com
timeouts: null
module.project.google_project_service.project_services["gkehub.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: gkehub.googleapis.com
timeouts: null
module.project.google_project_service.project_services["mesh.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: mesh.googleapis.com
timeouts: null
module.project.google_project_service.project_services["multiclusteringress.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: multiclusteringress.googleapis.com
timeouts: null
module.project.google_project_service.project_services["multiclusterservicediscovery.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: multiclusterservicediscovery.googleapis.com
timeouts: null
module.project.google_project_service_identity.jit_si["gkehub.googleapis.com"]:
project: gkehub-test
service: gkehub.googleapis.com
timeouts: null
module.project.google_project_service_identity.jit_si["multiclusteringress.googleapis.com"]:
project: gkehub-test
service: multiclusteringress.googleapis.com
timeouts: null
module.vpc.google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
@ -235,6 +248,7 @@ values:
network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
project: gkehub-test
routing_mode: GLOBAL
timeouts: null
module.vpc.google_compute_route.gateway["private-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.8/30
@ -246,6 +260,7 @@ values:
priority: 1000
project: gkehub-test
tags: null
timeouts: null
module.vpc.google_compute_route.gateway["restricted-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.4/30
@ -257,6 +272,7 @@ values:
priority: 1000
project: gkehub-test
tags: null
timeouts: null
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/cluster-1"]:
description: Terraform-managed.
ip_cidr_range: 10.0.0.0/24
@ -268,6 +284,7 @@ values:
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
counts:
google_compute_network: 1
@ -282,3 +299,5 @@ counts:
google_project_service_identity: 2
modules: 4
resources: 18
outputs: {}