Merge branch 'master' into maunope/network-dashboards-updates

Aurélien Legrand 2022-10-10 10:12:07 +02:00 committed by GitHub
commit 17ee413a7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 566 additions and 698 deletions


@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
### BLUEPRINTS
- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-10 07:38:21+00:00 -->
- [[#818](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/818)] Example wordpress ([skalolazka](https://github.com/skalolazka)) <!-- 2022-10-07 14:24:38+00:00 -->
- [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc)) <!-- 2022-10-07 07:50:43+00:00 -->
- [[#854](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/854)] Added an example of a Nginx reverse proxy cluster using RMIGs ([rosmo](https://github.com/rosmo)) <!-- 2022-10-04 13:49:44+00:00 -->
@ -27,6 +28,8 @@ All notable changes to this project will be documented in this file.
### FAST
- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-10 07:38:21+00:00 -->
- [[#867](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/867)] FAST: Replace NVAs in 02-networking-nva with COS-based VMs ([sruffilli](https://github.com/sruffilli)) <!-- 2022-10-10 07:16:29+00:00 -->
- [[#865](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/865)] Enable FAST 00-cicd provider test ([ludoo](https://github.com/ludoo)) <!-- 2022-10-07 11:20:57+00:00 -->
- [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc)) <!-- 2022-10-07 07:50:43+00:00 -->
- [[#858](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/858)] Default gcp-support to gcp-devops ([juliocc](https://github.com/juliocc)) <!-- 2022-10-06 12:58:26+00:00 -->
@ -38,6 +41,8 @@ All notable changes to this project will be documented in this file.
### MODULES
- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-10 07:38:21+00:00 -->
- [[#866](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/866)] Update ipprefix_by_netmask.sh in nva module ([sruffilli](https://github.com/sruffilli)) <!-- 2022-10-09 15:26:54+00:00 -->
- [[#860](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/860)] **incompatible change:** Refactor compute-vm for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-07 08:53:53+00:00 -->
- [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc)) <!-- 2022-10-07 07:50:43+00:00 -->
- [[#859](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/859)] Make project shared VPC fields optional ([juliocc](https://github.com/juliocc)) <!-- 2022-10-06 14:18:01+00:00 -->


@ -83,21 +83,19 @@ module "nat" {
}
module "cluster" {
source = "../../../modules/gke-cluster"
project_id = module.project.project_id
name = "${local.prefix}cluster"
location = var.zone
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
secondary_range_pods = "pods"
secondary_range_services = "services"
source = "../../../modules/gke-cluster"
project_id = module.project.project_id
name = "${local.prefix}cluster"
location = var.zone
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = false
master_ipv4_cidr_block = var.master_cidr_block
master_global_access = false
}
workload_identity = true
}
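Review bot: `enable_private_nodes = true` inside `private_cluster_config` in this `module "cluster"` block has no counterpart in the refactored variable's object type as documented by this merge's README table (`enable_private_endpoint`, `master_ipv4_cidr_block`, `master_global_access`, `peering_config`), and Terraform rejects an attribute that a module's object type constraint does not declare. The rendered view does not mark which lines are context, but a context line is still part of the new side, so the problem stands whether or not this line was touched; the same attribute is passed in the other blueprint hunks of this merge (the `for_each` `module "clusters"`, the FAST `module "gke-cluster"`, both `module "cluster-1"` blocks) and in the two README examples. Similarly `workload_identity = true` at the end of this block (and in the `module "clusters"` hunk, if it survives there) targets a top-level variable that the table no longer lists; the feature now lives in `enable_features = { workload_identity = true }` and is already the documented default, so the line can simply be dropped. If the module is instead meant to keep accepting `enable_private_nodes`, the variable type and the README table need the attribute added rather than the callers changed.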
module "cluster_nodepool" {


@ -133,30 +133,27 @@ module "mgmt_server" {
}
module "clusters" {
for_each = var.clusters_config
source = "../../../modules/gke-cluster"
project_id = module.fleet_project.project_id
name = each.key
location = var.region
network = module.svpc.self_link
subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
secondary_range_pods = "pods"
secondary_range_services = "services"
for_each = var.clusters_config
source = "../../../modules/gke-cluster"
project_id = module.fleet_project.project_id
name = each.key
location = var.region
vpc_config = {
network = module.svpc.self_link
subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
master_authorized_ranges = merge({
mgmt : var.mgmt_subnet_cidr_block
},
{ for key, config in var.clusters_config :
"pods-${key}" => config.pods_cidr_block if key != each.key
})
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
master_ipv4_cidr_block = each.value.master_cidr_block
master_global_access = true
}
master_authorized_ranges = merge({
mgmt : var.mgmt_subnet_cidr_block
},
{ for key, config in var.clusters_config :
"pods-${key}" => config.pods_cidr_block if key != each.key
})
enable_autopilot = false
release_channel = "REGULAR"
workload_identity = true
release_channel = "REGULAR"
labels = {
mesh_id = "proj-${module.fleet_project.number}"
}


@ -24,93 +24,69 @@ locals {
}
module "gke-cluster" {
source = "../../../modules/gke-cluster"
for_each = local.clusters
name = each.key
project_id = module.gke-project-0.project_id
description = each.value.description
location = each.value.location
network = var.vpc_config.vpc_self_link
subnetwork = each.value.net.subnet
secondary_range_pods = each.value.net.pods
secondary_range_services = each.value.net.services
labels = each.value.labels
addons = {
cloudrun_config = each.value.overrides.cloudrun_config
dns_cache_config = true
http_load_balancing = true
gce_persistent_disk_csi_driver_config = true
horizontal_pod_autoscaling = true
config_connector_config = true
kalm_config = false
gcp_filestore_csi_driver_config = each.value.overrides.gcp_filestore_csi_driver_config
gke_backup_agent_config = false
# enable only if enable_dataplane_v2 is changed to false below
network_policy_config = false
istio_config = {
enabled = false
tls = false
source = "../../../modules/gke-cluster"
for_each = local.clusters
name = each.key
project_id = module.gke-project-0.project_id
description = each.value.description
location = each.value.location
vpc_config = {
network = var.vpc_config.vpc_self_link
subnetwork = each.value.net.subnet
secondary_range_names = {
pods = each.value.net.pods
services = each.value.net.services
}
master_authorized_ranges = each.value.overrides.master_authorized_ranges
}
labels = each.value.labels
enable_addons = {
cloudrun = each.value.overrides.cloudrun_config
config_connector = true
dns_cache = true
gce_persistent_disk_csi_driver = true
gcp_filestore_csi_driver = each.value.overrides.gcp_filestore_csi_driver_config
gke_backup_agent = false
horizontal_pod_autoscaling = true
http_load_balancing = true
}
enable_features = {
cloud_dns = var.dns_domain == null ? null : {
cluster_dns = "CLOUD_DNS"
cluster_dns_scope = "VPC_SCOPE"
cluster_dns_domain = "${each.key}.${var.dns_domain}"
}
database_encryption = (
each.value.overrides.database_encryption_key == null
? null
: {
state = "ENCRYPTED"
key_name = each.value.overrides.database_encryption_key
}
)
dataplane_v2 = true
groups_for_rbac = var.authenticator_security_group
intranode_visibility = true
pod_security_policy = each.value.overrides.pod_security_policy
resource_usage_export = {
dataset = module.gke-dataset-resource-usage.dataset_id
}
shielded_nodes = true
vertical_pod_autoscaling = each.value.overrides.vertical_pod_autoscaling
workload_identity = true
}
# change these here for all clusters if absolutely needed
authenticator_security_group = var.authenticator_security_group
enable_dataplane_v2 = true
enable_l4_ilb_subsetting = false
enable_intranode_visibility = true
enable_shielded_nodes = true
workload_identity = true
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = false
enable_private_endpoint = true
master_ipv4_cidr_block = each.value.net.master_range
master_global_access = true
}
dns_config = each.value.dns_domain == null ? null : {
cluster_dns = "CLOUD_DNS"
cluster_dns_scope = "VPC_SCOPE"
cluster_dns_domain = "${each.key}.${var.dns_domain}"
peering_config = var.peering_config == null ? null : {
export_routes = var.peering_config.export_routes
import_routes = var.peering_config.import_routes
project_id = var.vpc_config.host_project_id
}
}
logging_config = ["SYSTEM_COMPONENTS", "WORKLOADS"]
monitoring_config = ["SYSTEM_COMPONENTS", "WORKLOADS"]
peering_config = var.peering_config == null ? null : {
export_routes = var.peering_config.export_routes
import_routes = var.peering_config.import_routes
project_id = var.vpc_config.host_project_id
}
resource_usage_export_config = {
enabled = true
dataset = module.gke-dataset-resource-usage.dataset_id
}
# TODO: the attributes below are "primed" from project-level defaults
# in locals, merge defaults with cluster-level stuff
# TODO(jccb): change fabric module
database_encryption = (
each.value.overrides.database_encryption_key == null
? {
enabled = false
state = null
key_name = null
}
: {
enabled = true
state = "ENCRYPTED"
key_name = each.value.overrides.database_encryption_key
}
)
default_max_pods_per_node = each.value.overrides.max_pods_per_node
master_authorized_ranges = each.value.overrides.master_authorized_ranges
pod_security_policy = each.value.overrides.pod_security_policy
release_channel = each.value.overrides.release_channel
vertical_pod_autoscaling = each.value.overrides.vertical_pod_autoscaling
# dynamic "cluster_autoscaling" {
# for_each = each.value.cluster_autoscaling == null ? {} : { 1 = 1 }
# content {
# enabled = true
# cpu_min = each.value.cluster_autoscaling.cpu_min
# cpu_max = each.value.cluster_autoscaling.cpu_max
# memory_min = each.value.cluster_autoscaling.memory_min
# memory_max = each.value.cluster_autoscaling.memory_max
# }
# }
max_pods_per_node = each.value.overrides.max_pods_per_node
release_channel = each.value.overrides.release_channel
}
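Review bot: The `cloud_dns` object under `enable_features` keeps the keys `cluster_dns`, `cluster_dns_scope` and `cluster_dns_domain` from the old top-level `dns_config`, while this merge's README table declares `enable_features.cloud_dns` as `object({ provider, scope, domain })`; with the old names the declared attributes are never populated (or the value is rejected outright for undeclared attributes), so Cloud DNS would not be configured even when `var.dns_domain` is set. The three lines should read `provider = "CLOUD_DNS"`, `scope = "VPC_SCOPE"` and `domain = "${each.key}.${var.dns_domain}"`. The guard also changed from `each.value.dns_domain == null` to `var.dns_domain == null`, which is consistent with the domain being built from `var.dns_domain`, but it is worth confirming that a per-cluster `dns_domain` override is intentionally no longer honoured.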


@ -237,31 +237,29 @@ module "service-account-gce" {
################################################################################
module "cluster-1" {
source = "../../../modules/gke-cluster"
name = "${local.prefix}cluster-1"
project_id = module.project.project_id
location = "${var.region}-b"
network = module.vpc-spoke-2.self_link
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/${local.prefix}spoke-2-1"]
secondary_range_pods = "pods"
secondary_range_services = "services"
default_max_pods_per_node = 32
source = "../../../modules/gke-cluster"
name = "${local.prefix}cluster-1"
project_id = module.project.project_id
location = "${var.region}-b"
vpc_config = {
network = module.vpc-spoke-2.self_link
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/${local.prefix}spoke-2-1"]
master_authorized_ranges = {
for name, range in var.ip_ranges : name => range
}
}
max_pods_per_node = 32
labels = {
environment = "test"
}
master_authorized_ranges = {
for name, range in var.ip_ranges : name => range
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
master_ipv4_cidr_block = var.private_service_ranges.spoke-2-cluster-1
master_global_access = true
}
peering_config = {
export_routes = true
import_routes = false
project_id = null
peering_config = {
export_routes = true
import_routes = false
}
}
}


@ -196,28 +196,27 @@ module "vm-bastion" {
################################################################################
module "cluster-1" {
source = "../../../modules/gke-cluster"
count = var.cluster_create ? 1 : 0
name = "cluster-1"
project_id = module.project-svc-gke.project_id
location = "${var.region}-b"
network = module.vpc-shared.self_link
subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
secondary_range_pods = "pods"
secondary_range_services = "services"
default_max_pods_per_node = 32
labels = {
environment = "test"
}
master_authorized_ranges = {
internal-vms = var.ip_ranges.gce
source = "../../../modules/gke-cluster"
count = var.cluster_create ? 1 : 0
name = "cluster-1"
project_id = module.project-svc-gke.project_id
location = "${var.region}-b"
vpc_config = {
network = module.vpc-shared.self_link
subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
master_authorized_ranges = {
internal-vms = var.ip_ranges.gce
}
}
max_pods_per_node = 32
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
master_ipv4_cidr_block = var.private_service_ranges.cluster-1
master_global_access = true
}
labels = {
environment = "test"
}
}
module "cluster-1-nodepool-1" {


@ -8,20 +8,23 @@ This module allows simplified creation and management of GKE clusters and should
```hcl
module "cluster-1" {
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-1"
location = "europe-west1-b"
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_pods = "pods"
secondary_range_services = "services"
default_max_pods_per_node = 32
master_authorized_ranges = {
internal-vms = "10.0.0.0/8"
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-1"
location = "europe-west1-b"
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_names = {
pods = "pods"
services = "services"
}
master_authorized_ranges = {
internal-vms = "10.0.0.0/8"
}
}
max_pods_per_node = 32
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
master_ipv4_cidr_block = "192.168.0.0/28"
master_global_access = false
@ -37,25 +40,30 @@ module "cluster-1" {
```hcl
module "cluster-1" {
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-1"
location = "europe-west1-b"
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_pods = "pods"
secondary_range_services = "services"
default_max_pods_per_node = 32
enable_dataplane_v2 = true
master_authorized_ranges = {
internal-vms = "10.0.0.0/8"
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-1"
location = "europe-west1-b"
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_names = {
pods = "pods"
services = "services"
}
master_authorized_ranges = {
internal-vms = "10.0.0.0/8"
}
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
master_ipv4_cidr_block = "192.168.0.0/28"
master_global_access = false
}
enable_features = {
dataplane_v2 = true
workload_identity = true
}
labels = {
environment = "dev"
}
@ -68,44 +76,24 @@ module "cluster-1" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [location](variables.tf#L161) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L228) | Cluster name. | <code>string</code> | ✓ | |
| [network](variables.tf#L233) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L277) | Cluster project id. | <code>string</code> | ✓ | |
| [secondary_range_pods](variables.tf#L300) | Subnet secondary range name used for pods. | <code>string</code> | ✓ | |
| [secondary_range_services](variables.tf#L305) | Subnet secondary range name used for services. | <code>string</code> | ✓ | |
| [subnetwork](variables.tf#L310) | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10; cloudrun_config &#61; bool&#10; dns_cache_config &#61; bool&#10; horizontal_pod_autoscaling &#61; bool&#10; http_load_balancing &#61; bool&#10; istio_config &#61; object&#40;&#123;&#10; enabled &#61; bool&#10; tls &#61; bool&#10; &#125;&#41;&#10; network_policy_config &#61; bool&#10; gce_persistent_disk_csi_driver_config &#61; bool&#10; gcp_filestore_csi_driver_config &#61; bool&#10; config_connector_config &#61; bool&#10; kalm_config &#61; bool&#10; gke_backup_agent_config &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; cloudrun_config &#61; false&#10; dns_cache_config &#61; false&#10; horizontal_pod_autoscaling &#61; true&#10; http_load_balancing &#61; true&#10; istio_config &#61; &#123;&#10; enabled &#61; false&#10; tls &#61; false&#10; &#125;&#10; network_policy_config &#61; false&#10; gce_persistent_disk_csi_driver_config &#61; false&#10; gcp_filestore_csi_driver_config &#61; false&#10; config_connector_config &#61; false&#10; kalm_config &#61; false&#10; gke_backup_agent_config &#61; false&#10;&#125;">&#123;&#8230;&#125;</code> |
| [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code>string</code> | | <code>null</code> |
| [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10; enabled &#61; bool&#10; cpu_min &#61; number&#10; cpu_max &#61; number&#10; memory_min &#61; number&#10; memory_max &#61; number&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; enabled &#61; false&#10; cpu_min &#61; 0&#10; cpu_max &#61; 0&#10; memory_min &#61; 0&#10; memory_max &#61; 0&#10;&#125;">&#123;&#8230;&#125;</code> |
| [database_encryption](variables.tf#L77) | Enable and configure GKE application-layer secrets encryption. | <code title="object&#40;&#123;&#10; enabled &#61; bool&#10; state &#61; string&#10; key_name &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; enabled &#61; false&#10; state &#61; &#34;DECRYPTED&#34;&#10; key_name &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| [default_max_pods_per_node](variables.tf#L91) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [description](variables.tf#L97) | Cluster description. | <code>string</code> | | <code>null</code> |
| [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | <code title="object&#40;&#123;&#10; cluster_dns &#61; string&#10; cluster_dns_scope &#61; string&#10; cluster_dns_domain &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | <code>bool</code> | | <code>false</code> |
| [enable_binary_authorization](variables.tf#L119) | Enable Google Binary Authorization. | <code>bool</code> | | <code>false</code> |
| [enable_dataplane_v2](variables.tf#L125) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | <code>bool</code> | | <code>false</code> |
| [enable_intranode_visibility](variables.tf#L131) | Enable intra-node visibility to make same node pod to pod traffic visible. | <code>bool</code> | | <code>null</code> |
| [enable_l4_ilb_subsetting](variables.tf#L137) | Enable L4ILB Subsetting. | <code>bool</code> | | <code>null</code> |
| [enable_shielded_nodes](variables.tf#L143) | Enable Shielded Nodes features on all nodes in this cluster. | <code>bool</code> | | <code>null</code> |
| [enable_tpu](variables.tf#L149) | Enable Cloud TPU resources in this cluster. | <code>bool</code> | | <code>null</code> |
| [labels](variables.tf#L155) | Cluster resource labels. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [logging_config](variables.tf#L166) | Logging configuration (enabled components). | <code>list&#40;string&#41;</code> | | <code>null</code> |
| [logging_service](variables.tf#L172) | Logging service (disable with an empty string). | <code>string</code> | | <code>&#34;logging.googleapis.com&#47;kubernetes&#34;</code> |
| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | <code title="object&#40;&#123;&#10; daily_maintenance_window &#61; object&#40;&#123;&#10; start_time &#61; string&#10; &#125;&#41;&#10; recurring_window &#61; object&#40;&#123;&#10; start_time &#61; string&#10; end_time &#61; string&#10; recurrence &#61; string&#10; &#125;&#41;&#10; maintenance_exclusion &#61; list&#40;object&#40;&#123;&#10; exclusion_name &#61; string&#10; start_time &#61; string&#10; end_time &#61; string&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; daily_maintenance_window &#61; &#123;&#10; start_time &#61; &#34;03:00&#34;&#10; &#125;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [master_authorized_ranges](variables.tf#L204) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [min_master_version](variables.tf#L210) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L216) | Monitoring configuration (enabled components). | <code>list&#40;string&#41;</code> | | <code>null</code> |
| [monitoring_service](variables.tf#L222) | Monitoring service (disable with an empty string). | <code>string</code> | | <code>&#34;monitoring.googleapis.com&#47;kubernetes&#34;</code> |
| [node_locations](variables.tf#L238) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [notification_config](variables.tf#L244) | GKE Cluster upgrade notifications via PubSub. | <code>bool</code> | | <code>false</code> |
| [peering_config](variables.tf#L250) | Configure peering with the master VPC for private clusters. | <code title="object&#40;&#123;&#10; export_routes &#61; bool&#10; import_routes &#61; bool&#10; project_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [pod_security_policy](variables.tf#L260) | Enable the PodSecurityPolicy feature. | <code>bool</code> | | <code>null</code> |
| [private_cluster_config](variables.tf#L266) | Enable and configure private cluster, private nodes must be true if used. | <code title="object&#40;&#123;&#10; enable_private_nodes &#61; bool&#10; enable_private_endpoint &#61; bool&#10; master_ipv4_cidr_block &#61; string&#10; master_global_access &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [release_channel](variables.tf#L282) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
| [resource_usage_export_config](variables.tf#L288) | Configure the ResourceUsageExportConfig feature. | <code title="object&#40;&#123;&#10; enabled &#61; bool&#10; dataset &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; enabled &#61; null&#10; dataset &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| [vertical_pod_autoscaling](variables.tf#L315) | Enable the Vertical Pod Autoscaling feature. | <code>bool</code> | | <code>null</code> |
| [workload_identity](variables.tf#L321) | Enable the Workload Identity feature. | <code>bool</code> | | <code>true</code> |
| [location](variables.tf#L118) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L170) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L197) | Cluster project id. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L208) | VPC-level configuration. | <code title="object&#40;&#123;&#10; network &#61; string&#10; subnetwork &#61; string&#10; secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;, &#41;&#10; secondary_range_names &#61; optional&#40;object&#40;&#123;&#10; pods &#61; string&#10; services &#61; string&#10; &#125;&#41;, &#123; pods &#61; &#34;pods&#34;, services &#61; &#34;services&#34; &#125;&#41;&#10; master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [cluster_autoscaling](variables.tf#L17) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10; auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10; boot_disk_kms_key &#61; optional&#40;string&#41;&#10; image_type &#61; optional&#40;string&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; cpu_limits &#61; optional&#40;object&#40;&#123;&#10; min &#61; number&#10; max &#61; number&#10; &#125;&#41;&#41;&#10; mem_limits &#61; optional&#40;object&#40;&#123;&#10; min &#61; number&#10; max &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [description](variables.tf#L38) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L44) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10; cloudrun &#61; optional&#40;bool, false&#41;&#10; config_connector &#61; optional&#40;bool, false&#41;&#10; dns_cache &#61; optional&#40;bool, false&#41;&#10; gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10; gcp_filestore_csi_driver &#61; optional&#40;bool, false&#41;&#10; gke_backup_agent &#61; optional&#40;bool, false&#41;&#10; horizontal_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10; http_load_balancing &#61; optional&#40;bool, false&#41;&#10; istio &#61; optional&#40;object&#40;&#123;&#10; enable_tls &#61; bool&#10; &#125;&#41;&#41;&#10; kalm &#61; optional&#40;bool, false&#41;&#10; network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; horizontal_pod_autoscaling &#61; true&#10; http_load_balancing &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
| [enable_features](variables.tf#L68) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10; autopilot &#61; optional&#40;bool, false&#41;&#10; binary_authorization &#61; optional&#40;bool, false&#41;&#10; cloud_dns &#61; optional&#40;object&#40;&#123;&#10; provider &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; domain &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; database_encryption &#61; optional&#40;object&#40;&#123;&#10; state &#61; string&#10; key_name &#61; string&#10; &#125;&#41;&#41;&#10; dataplane_v2 &#61; optional&#40;bool, false&#41;&#10; groups_for_rbac &#61; optional&#40;string&#41;&#10; intranode_visibility &#61; optional&#40;bool, false&#41;&#10; l4_ilb_subsetting &#61; optional&#40;bool, false&#41;&#10; pod_security_policy &#61; optional&#40;bool, false&#41;&#10; resource_usage_export &#61; optional&#40;object&#40;&#123;&#10; dataset &#61; optional&#40;string&#41;&#10; enable_network_egress_metering &#61; optional&#40;bool, false&#41;&#10; enable_resource_consumption_metering &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; shielded_nodes &#61; optional&#40;bool, false&#41;&#10; tpu &#61; optional&#40;bool, false&#41;&#10; upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10; topic_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10; workload_identity &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; workload_identity &#61; true&#10; resource_usage_export &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| [issue_client_certificate](variables.tf#L106) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L112) | Cluster resource labels. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [logging_config](variables.tf#L123) | Logging configuration. | <code>list&#40;string&#41;</code> | | <code>&#91;&#34;SYSTEM_COMPONENTS&#34;&#93;</code> |
| [maintenance_config](variables.tf#L129) | Maintenance window configuration. | <code title="object&#40;&#123;&#10; daily_window_start_time &#61; optional&#40;string&#41;&#10; recurring_window &#61; optional&#40;object&#40;&#123;&#10; start_time &#61; string&#10; end_time &#61; string&#10; recurrence &#61; string&#10; &#125;&#41;&#41;&#10; maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10; name &#61; string&#10; start_time &#61; string&#10; end_time &#61; string&#10; scope &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; daily_window_start_time &#61; &#34;03:00&#34;&#10; recurring_window &#61; null&#10; maintenance_exclusion &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [max_pods_per_node](variables.tf#L152) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [min_master_version](variables.tf#L158) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L164) | Monitoring components. | <code>list&#40;string&#41;</code> | | <code>&#91;&#34;SYSTEM_COMPONENTS&#34;&#93;</code> |
| [node_locations](variables.tf#L175) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [private_cluster_config](variables.tf#L182) | Private cluster configuration. | <code title="object&#40;&#123;&#10; enable_private_endpoint &#61; optional&#40;bool&#41;&#10; master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10; master_global_access &#61; optional&#40;bool&#41;&#10; peering_config &#61; optional&#40;object&#40;&#123;&#10; export_routes &#61; optional&#40;bool&#41;&#10; import_routes &#61; optional&#40;bool&#41;&#10; project_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [release_channel](variables.tf#L202) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
## Outputs


@ -14,159 +14,216 @@
* limitations under the License.
*/
locals {
# The Google provider is unable to validate certain configurations of
# private_cluster_config when enable_private_nodes is false (provider docs)
is_private = try(var.private_cluster_config.enable_private_nodes, false)
peering = try(
google_container_cluster.cluster.private_cluster_config.0.peering_name,
null
)
peering_project_id = (
try(var.peering_config.project_id, null) == null
? var.project_id
: var.peering_config.project_id
)
}
resource "google_container_cluster" "cluster" {
provider = google-beta
project = var.project_id
name = var.name
description = var.description
location = var.location
node_locations = length(var.node_locations) == 0 ? null : var.node_locations
min_master_version = var.min_master_version
network = var.network
subnetwork = var.subnetwork
logging_service = var.monitoring_config != null ? null : var.logging_config == null ? var.logging_service : null
monitoring_service = var.monitoring_config == null ? var.monitoring_service : null
resource_labels = var.labels
default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
enable_intranode_visibility = var.enable_intranode_visibility
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_shielded_nodes = var.enable_shielded_nodes
enable_tpu = var.enable_tpu
initial_node_count = 1
remove_default_node_pool = var.enable_autopilot ? null : true
datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
enable_autopilot = var.enable_autopilot == true ? true : null
provider = google-beta
project = var.project_id
name = var.name
description = var.description
location = var.location
node_locations = (
length(var.node_locations) == 0 ? null : var.node_locations
)
min_master_version = var.min_master_version
network = var.vpc_config.network
subnetwork = var.vpc_config.subnetwork
resource_labels = var.labels
default_max_pods_per_node = (
var.enable_features.autopilot ? null : var.max_pods_per_node
)
enable_intranode_visibility = (
var.enable_features.autopilot ? null : var.enable_features.intranode_visibility
)
enable_l4_ilb_subsetting = var.enable_features.l4_ilb_subsetting
enable_shielded_nodes = (
var.enable_features.autopilot ? null : var.enable_features.shielded_nodes
)
enable_tpu = var.enable_features.tpu
initial_node_count = 1
remove_default_node_pool = var.enable_features.autopilot ? null : true
datapath_provider = (
var.enable_features.dataplane_v2
? "ADVANCED_DATAPATH"
: "DATAPATH_PROVIDER_UNSPECIFIED"
)
enable_autopilot = var.enable_features.autopilot ? true : null
# the default nodepool is deleted here, use the gke-nodepool module instead
# node_config {}
# NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
# Specify that node_config as an parameter to gke-nodepool module instead.
# TODO(ludomagno): compute addons map in locals and use a single dynamic block
addons_config {
dynamic "dns_cache_config" {
# Pass the user-provided value when autopilot is disabled. When
# autopilot is enabled, pass the value only when the addon is
# set to true. This will fail but warns the user that autopilot
# doesn't support this option, instead of silently discarding
# and hiding the error
for_each = !var.enable_autopilot || (var.enable_autopilot && var.addons.dns_cache_config) ? [""] : []
for_each = !var.enable_features.autopilot ? [""] : []
content {
enabled = var.addons.dns_cache_config
enabled = var.enable_addons.dns_cache
}
}
http_load_balancing {
disabled = !var.addons.http_load_balancing
disabled = !var.enable_addons.http_load_balancing
}
horizontal_pod_autoscaling {
disabled = !var.addons.horizontal_pod_autoscaling
disabled = !var.enable_addons.horizontal_pod_autoscaling
}
dynamic "network_policy_config" {
for_each = !var.enable_autopilot ? [""] : []
for_each = !var.enable_features.autopilot ? [""] : []
content {
disabled = !var.addons.network_policy_config
disabled = !var.enable_addons.network_policy
}
}
cloudrun_config {
disabled = !var.addons.cloudrun_config
disabled = !var.enable_addons.cloudrun
}
istio_config {
disabled = !var.addons.istio_config.enabled
auth = var.addons.istio_config.tls ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
disabled = var.enable_addons.istio == null
auth = (
try(var.enable_addons.istio.enable_tls, false) ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
)
}
gce_persistent_disk_csi_driver_config {
enabled = var.enable_autopilot || var.addons.gce_persistent_disk_csi_driver_config
enabled = var.enable_addons.gce_persistent_disk_csi_driver
}
dynamic "gcp_filestore_csi_driver_config" {
# Pass the user-provided value when autopilot is disabled. When
# autopilot is enabled, pass the value only when the addon is
# set to true. This will fail but warns the user that autopilot
# doesn't support this option, instead of silently discarding
# and hiding the error
for_each = var.enable_autopilot && !var.addons.gcp_filestore_csi_driver_config ? [] : [""]
for_each = !var.enable_features.autopilot ? [""] : []
content {
enabled = var.addons.gcp_filestore_csi_driver_config
enabled = var.enable_addons.gcp_filestore_csi_driver
}
}
kalm_config {
enabled = var.addons.kalm_config
enabled = var.enable_addons.kalm
}
config_connector_config {
enabled = var.addons.config_connector_config
enabled = var.enable_addons.config_connector
}
gke_backup_agent_config {
enabled = var.addons.gke_backup_agent_config
enabled = var.enable_addons.gke_backup_agent
}
}
# TODO(ludomagno): support setting address ranges instead of range names
# https://www.terraform.io/docs/providers/google/r/container_cluster.html#cluster_ipv4_cidr_block
ip_allocation_policy {
cluster_secondary_range_name = var.secondary_range_pods
services_secondary_range_name = var.secondary_range_services
dynamic "authenticator_groups_config" {
for_each = var.enable_features.groups_for_rbac != null ? [""] : []
content {
security_group = var.enable_features.groups_for_rbac
}
}
dynamic "binary_authorization" {
for_each = var.enable_features.binary_authorization ? [""] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}
dynamic "cluster_autoscaling" {
for_each = var.cluster_autoscaling == null ? [] : [""]
content {
enabled = true
dynamic "resource_limits" {
for_each = var.cluster_autoscaling.cpu_limits != null ? [""] : []
content {
resource_type = "cpu"
minimum = var.cluster_autoscaling.cpu_limits.min
maximum = var.cluster_autoscaling.cpu_limits.max
}
}
dynamic "resource_limits" {
for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
content {
resource_type = "cpu"
minimum = var.cluster_autoscaling.mem_limits.min
maximum = var.cluster_autoscaling.mem_limits.max
}
}
// TODO: support GPUs too
}
}
dynamic "database_encryption" {
for_each = var.enable_features.database_encryption != null ? [""] : []
content {
state = var.enable_features.database_encryption.state
key_name = var.enable_features.database_encryption.key_name
}
}
dynamic "dns_config" {
for_each = var.enable_features.cloud_dns != null ? [""] : []
content {
cluster_dns = enable_features.cloud_dns.cluster_dns
cluster_dns_scope = enable_features.cloud_dns.cluster_dns_scope
cluster_dns_domain = enable_features.cloud_dns.cluster_dns_domain
}
}
dynamic "ip_allocation_policy" {
for_each = var.vpc_config.secondary_range_blocks != null ? [""] : []
content {
cluster_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.pods
services_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.services
}
}
dynamic "ip_allocation_policy" {
for_each = var.vpc_config.secondary_range_names != null ? [""] : []
content {
cluster_secondary_range_name = var.vpc_config.secondary_range_names.pods
services_secondary_range_name = var.vpc_config.secondary_range_names.services
}
}
dynamic "logging_config" {
for_each = var.logging_config != null ? [""] : []
content {
enable_components = var.logging_config
}
}
# https://www.terraform.io/docs/providers/google/r/container_cluster.html#daily_maintenance_window
maintenance_policy {
dynamic "daily_maintenance_window" {
for_each = var.maintenance_config != null && lookup(var.maintenance_config, "daily_maintenance_window", null) != null ? [var.maintenance_config.daily_maintenance_window] : []
iterator = config
for_each = (
try(var.maintenance_config.daily_window_start_time, null) != null
? [""]
: []
)
content {
start_time = config.value.start_time
start_time = var.maintenance_config.daily_window_start_time
}
}
dynamic "recurring_window" {
for_each = var.maintenance_config != null && lookup(var.maintenance_config, "recurring_window", null) != null ? [var.maintenance_config.recurring_window] : []
iterator = config
for_each = (
try(var.maintenance_config.recurring_window, null) != null
? [""]
: []
)
content {
start_time = config.value.start_time
end_time = config.value.end_time
recurrence = config.value.recurrence
start_time = var.maintenance_config.recurring_window.start_time
end_time = var.maintenance_config.recurring_window.end_time
recurrence = var.maintenance_config.recurring_window.recurrence
}
}
dynamic "maintenance_exclusion" {
for_each = var.maintenance_config != null && lookup(var.maintenance_config, "maintenance_exclusion", null) != null ? var.maintenance_config.maintenance_exclusion : []
iterator = config
for_each = (
try(var.maintenance_config.maintenance_exclusions, null) == null
? []
: var.maintenance_config.maintenance_exclusions
)
iterator = exclusion
content {
exclusion_name = config.value.exclusion_name
start_time = config.value.start_time
end_time = config.value.end_time
exclusion_name = exclusion.value.name
start_time = exclusion.value.start_time
end_time = exclusion.value.end_time
}
}
}
master_auth {
client_certificate_config {
issue_client_certificate = false
issue_client_certificate = var.issue_client_certificate
}
}
dynamic "master_authorized_networks_config" {
for_each = (
length(var.master_authorized_ranges) == 0
? []
: [var.master_authorized_ranges]
)
iterator = ranges
for_each = var.vpc_config.master_authorized_ranges != null ? [""] : []
content {
dynamic "cidr_blocks" {
for_each = ranges.value
for_each = var.vpc_config.master_authorized_ranges
iterator = range
content {
cidr_block = range.value
@ -176,69 +233,58 @@ resource "google_container_cluster" "cluster" {
}
}
#the network_policy block is enabled if network_policy_config and network_dataplane_v2 is set to false. Dataplane V2 has built-in network policies.
dynamic "network_policy" {
for_each = var.addons.network_policy_config ? [""] : []
dynamic "monitoring_config" {
for_each = var.monitoring_config != null ? [""] : []
content {
enabled = var.enable_dataplane_v2 ? false : true
provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
enable_components = var.monitoring_config
}
}
# dataplane v2 has bult-in network policies
dynamic "network_policy" {
for_each = (
var.enable_addons.network_policy && !var.enable_features.dataplane_v2
? [""]
: []
)
content {
enabled = true
provider = "CALICO"
}
}
dynamic "notification_config" {
for_each = var.enable_features.upgrade_notifications != null ? [""] : []
content {
pubsub {
enabled = true
topic = (
try(var.enable_features.upgrade_notifications.topic_id, null) != null
? var.enable_features.upgrade_notifications.topic_id
: google_pubsub_topic.notifications[0].id
)
}
}
}
dynamic "private_cluster_config" {
for_each = local.is_private ? [var.private_cluster_config] : []
iterator = config
for_each = (
var.private_cluster_config != null ? [""] : []
)
content {
enable_private_nodes = config.value.enable_private_nodes
enable_private_endpoint = config.value.enable_private_endpoint
master_ipv4_cidr_block = config.value.master_ipv4_cidr_block
enable_private_nodes = true
enable_private_endpoint = var.private_cluster_config.enable_private_endpoint
master_ipv4_cidr_block = var.private_cluster_config.master_ipv4_cidr_block
master_global_access_config {
enabled = config.value.master_global_access
enabled = var.private_cluster_config.master_global_access
}
}
}
# beta features
dynamic "authenticator_groups_config" {
for_each = var.authenticator_security_group == null ? [] : [""]
content {
security_group = var.authenticator_security_group
}
}
dynamic "cluster_autoscaling" {
for_each = var.cluster_autoscaling.enabled ? [var.cluster_autoscaling] : []
iterator = config
content {
enabled = true
resource_limits {
resource_type = "cpu"
minimum = config.value.cpu_min
maximum = config.value.cpu_max
}
resource_limits {
resource_type = "memory"
minimum = config.value.memory_min
maximum = config.value.memory_max
}
// TODO: support GPUs too
}
}
dynamic "database_encryption" {
for_each = var.database_encryption.enabled ? [var.database_encryption] : []
iterator = config
content {
state = config.value.state
key_name = config.value.key_name
}
}
dynamic "pod_security_policy_config" {
for_each = var.pod_security_policy != null ? [""] : []
for_each = var.enable_features.pod_security_policy ? [""] : []
content {
enabled = var.pod_security_policy
enabled = var.enable_features.pod_security_policy
}
}
@ -251,86 +297,61 @@ resource "google_container_cluster" "cluster" {
dynamic "resource_usage_export_config" {
for_each = (
var.resource_usage_export_config.enabled != null
&&
var.resource_usage_export_config.dataset != null
? [""] : []
try(var.enable_features.resource_usage_export.dataset, null) != null
? [""]
: []
)
content {
enable_network_egress_metering = var.resource_usage_export_config.enabled
enable_network_egress_metering = (
var.enable_features.resource_usage_export.enable_network_egress_metering
)
enable_resource_consumption_metering = (
var.enable_features.resource_usage_export.enable_resource_consumption_metering
)
bigquery_destination {
dataset_id = var.resource_usage_export_config.dataset
dataset_id = var.enable_features.resource_usage_export.dataset
}
}
}
dynamic "vertical_pod_autoscaling" {
for_each = var.vertical_pod_autoscaling == null ? [] : [""]
for_each = var.enable_features.vertical_pod_autoscaling ? [""] : []
content {
enabled = var.vertical_pod_autoscaling
enabled = var.enable_features.vertical_pod_autoscaling
}
}
dynamic "workload_identity_config" {
for_each = var.workload_identity && !var.enable_autopilot ? [""] : []
for_each = var.enable_features.workload_identity ? [""] : []
content {
workload_pool = "${var.project_id}.svc.id.goog"
}
}
dynamic "monitoring_config" {
for_each = var.monitoring_config != null ? [""] : []
content {
enable_components = var.monitoring_config
}
}
dynamic "logging_config" {
for_each = var.logging_config != null ? [""] : []
content {
enable_components = var.logging_config
}
}
dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [""] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}
dynamic "dns_config" {
for_each = var.dns_config != null ? [""] : []
content {
cluster_dns = var.dns_config.cluster_dns
cluster_dns_scope = var.dns_config.cluster_dns_scope
cluster_dns_domain = var.dns_config.cluster_dns_domain
}
}
dynamic "notification_config" {
for_each = var.notification_config ? [""] : []
content {
pubsub {
enabled = var.notification_config
topic = var.notification_config ? google_pubsub_topic.notifications[0].id : null
}
}
}
}
resource "google_compute_network_peering_routes_config" "gke_master" {
count = local.is_private && var.peering_config != null ? 1 : 0
project = local.peering_project_id
peering = local.peering
network = element(reverse(split("/", var.network)), 0)
import_custom_routes = var.peering_config.import_routes
export_custom_routes = var.peering_config.export_routes
count = (
try(var.private_cluster_config.peering_config, null) != null ? 1 : 0
)
project = (
try(var.private_cluster_config.peering_config, null) == null
? var.project_id
: var.private_cluster_config.peering_config.project_id
)
peering = try(
google_container_cluster.cluster.private_cluster_config.0.peering_name,
null
)
network = element(reverse(split("/", var.vpc_config.network)), 0)
import_custom_routes = var.private_cluster_config.peering_config.import_routes
export_custom_routes = var.private_cluster_config.peering_config.export_routes
}
resource "google_pubsub_topic" "notifications" {
count = var.notification_config ? 1 : 0
name = "gke-pubsub-notifications"
count = (
try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 0 : 1
)
name = "gke-pubsub-notifications"
labels = {
content = "gke-notifications"
}
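Review bot: The new `dns_config` block in the first hunk references `enable_features.cloud_dns.cluster_dns` (and `.cluster_dns_scope`, `.cluster_dns_domain`) without the `var.` prefix, and the `enable_features.cloud_dns` object declared in variables.tf on this page only has `provider`, `scope` and `domain` attributes, so any cluster that sets `cloud_dns` will fail at plan time. In the same hunk the second `resource_limits` block of `cluster_autoscaling` is fed from `mem_limits` but still sets `resource_type = "cpu"`, so node auto-provisioning gets two CPU limits and no memory limit. In the last hunk, `google_pubsub_topic.notifications` uses `count = try(...topic_id, null) == null ? 0 : 1`, which is the inverse of what `notification_config` expects: it references `google_pubsub_topic.notifications[0].id` exactly when `topic_id` is null, and that is the case in which no topic is created; the condition should be `var.enable_features.upgrade_notifications != null && try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 1 : 0`. The `google_container_cluster.cluster` resource that contains these blocks starts in the first hunk and ends in the last one.
```hcl
      dynamic "resource_limits" {
        for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
        content {
          resource_type = "memory"
          minimum       = var.cluster_autoscaling.mem_limits.min
          maximum       = var.cluster_autoscaling.mem_limits.max
        }
      }
  # … unchanged: database_encryption block …
  dynamic "dns_config" {
    for_each = var.enable_features.cloud_dns != null ? [""] : []
    content {
      cluster_dns        = var.enable_features.cloud_dns.provider
      cluster_dns_scope  = var.enable_features.cloud_dns.scope
      cluster_dns_domain = var.enable_features.cloud_dns.domain
    }
  }
```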


@ -53,7 +53,7 @@ output "name" {
output "notifications" {
description = "GKE PubSub notifications topic."
value = var.notification_config ? google_pubsub_topic.notifications[0].id : null
value = try(google_pubsub_topic.notifications[0].id, null)
}
output "self_link" {


@ -14,84 +14,25 @@
* limitations under the License.
*/
variable "addons" {
description = "Addons enabled in the cluster (true means enabled)."
type = object({
cloudrun_config = bool
dns_cache_config = bool
horizontal_pod_autoscaling = bool
http_load_balancing = bool
istio_config = object({
enabled = bool
tls = bool
})
network_policy_config = bool
gce_persistent_disk_csi_driver_config = bool
gcp_filestore_csi_driver_config = bool
config_connector_config = bool
kalm_config = bool
gke_backup_agent_config = bool
})
default = {
cloudrun_config = false
dns_cache_config = false
horizontal_pod_autoscaling = true
http_load_balancing = true
istio_config = {
enabled = false
tls = false
}
network_policy_config = false
gce_persistent_disk_csi_driver_config = false
gcp_filestore_csi_driver_config = false
config_connector_config = false
kalm_config = false
gke_backup_agent_config = false
}
}
variable "authenticator_security_group" {
description = "RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com."
type = string
default = null
}
variable "cluster_autoscaling" {
description = "Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler."
type = object({
enabled = bool
cpu_min = number
cpu_max = number
memory_min = number
memory_max = number
auto_provisioning_defaults = optional(object({
boot_disk_kms_key = optional(string)
image_type = optional(string)
oauth_scopes = optional(list(string))
service_account = optional(string)
}))
cpu_limits = optional(object({
min = number
max = number
}))
mem_limits = optional(object({
min = number
max = number
}))
})
default = {
enabled = false
cpu_min = 0
cpu_max = 0
memory_min = 0
memory_max = 0
}
}
variable "database_encryption" {
description = "Enable and configure GKE application-layer secrets encryption."
type = object({
enabled = bool
state = string
key_name = string
})
default = {
enabled = false
state = "DECRYPTED"
key_name = null
}
}
variable "default_max_pods_per_node" {
description = "Maximum number of pods per node in this cluster."
type = number
default = 110
default = null
}
variable "description" {
@ -100,58 +41,74 @@ variable "description" {
default = null
}
variable "dns_config" {
description = "Configuration for Using Cloud DNS for GKE."
variable "enable_addons" {
description = "Addons enabled in the cluster (true means enabled)."
type = object({
cluster_dns = string
cluster_dns_scope = string
cluster_dns_domain = string
cloudrun = optional(bool, false)
config_connector = optional(bool, false)
dns_cache = optional(bool, false)
gce_persistent_disk_csi_driver = optional(bool, false)
gcp_filestore_csi_driver = optional(bool, false)
gke_backup_agent = optional(bool, false)
horizontal_pod_autoscaling = optional(bool, false)
http_load_balancing = optional(bool, false)
istio = optional(object({
enable_tls = bool
}))
kalm = optional(bool, false)
network_policy = optional(bool, false)
})
default = null
default = {
horizontal_pod_autoscaling = true
http_load_balancing = true
}
nullable = false
}
variable "enable_autopilot" {
description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)."
variable "enable_features" {
description = "Enable cluster-level features. Certain features allow configuration."
type = object({
autopilot = optional(bool, false)
binary_authorization = optional(bool, false)
cloud_dns = optional(object({
provider = optional(string)
scope = optional(string)
domain = optional(string)
}))
database_encryption = optional(object({
state = string
key_name = string
}))
dataplane_v2 = optional(bool, false)
groups_for_rbac = optional(string)
intranode_visibility = optional(bool, false)
l4_ilb_subsetting = optional(bool, false)
pod_security_policy = optional(bool, false)
resource_usage_export = optional(object({
dataset = optional(string)
enable_network_egress_metering = optional(bool, false)
enable_resource_consumption_metering = optional(bool, false)
}))
shielded_nodes = optional(bool, false)
tpu = optional(bool, false)
upgrade_notifications = optional(object({
topic_id = optional(string)
}))
vertical_pod_autoscaling = optional(bool, false)
workload_identity = optional(bool, false)
})
default = {
workload_identity = true
resource_usage_export = null
}
}
variable "issue_client_certificate" {
description = "Enable issuing client certificate."
type = bool
default = false
}
variable "enable_binary_authorization" {
description = "Enable Google Binary Authorization."
type = bool
default = false
}
variable "enable_dataplane_v2" {
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config."
type = bool
default = false
}
variable "enable_intranode_visibility" {
description = "Enable intra-node visibility to make same node pod to pod traffic visible."
type = bool
default = null
}
variable "enable_l4_ilb_subsetting" {
description = "Enable L4ILB Subsetting."
type = bool
default = null
}
variable "enable_shielded_nodes" {
description = "Enable Shielded Nodes features on all nodes in this cluster."
type = bool
default = null
}
variable "enable_tpu" {
description = "Enable Cloud TPU resources in this cluster."
type = bool
default = null
}
variable "labels" {
description = "Cluster resource labels."
type = map(string)
@ -164,47 +121,38 @@ variable "location" {
}
variable "logging_config" {
description = "Logging configuration (enabled components)."
description = "Logging configuration."
type = list(string)
default = null
}
variable "logging_service" {
description = "Logging service (disable with an empty string)."
type = string
default = "logging.googleapis.com/kubernetes"
default = ["SYSTEM_COMPONENTS"]
}
variable "maintenance_config" {
description = "Maintenance window configuration."
type = object({
daily_maintenance_window = object({
start_time = string
})
recurring_window = object({
daily_window_start_time = optional(string)
recurring_window = optional(object({
start_time = string
end_time = string
recurrence = string
})
maintenance_exclusion = list(object({
exclusion_name = string
start_time = string
end_time = string
}))
maintenance_exclusions = optional(list(object({
name = string
start_time = string
end_time = string
scope = optional(string)
})))
})
default = {
daily_maintenance_window = {
start_time = "03:00"
}
recurring_window = null
maintenance_exclusion = []
daily_window_start_time = "03:00"
recurring_window = null
maintenance_exclusion = []
}
}
variable "master_authorized_ranges" {
description = "External Ip address ranges that can access the Kubernetes cluster master through HTTPS."
type = map(string)
default = {}
variable "max_pods_per_node" {
description = "Maximum number of pods per node in this cluster."
type = number
default = 110
}
variable "min_master_version" {
@ -214,15 +162,9 @@ variable "min_master_version" {
}
variable "monitoring_config" {
description = "Monitoring configuration (enabled components)."
description = "Monitoring components."
type = list(string)
default = null
}
variable "monitoring_service" {
description = "Monitoring service (disable with an empty string)."
type = string
default = "monitoring.googleapis.com/kubernetes"
default = ["SYSTEM_COMPONENTS"]
}
variable "name" {
@ -230,46 +172,24 @@ variable "name" {
type = string
}
variable "network" {
description = "Name or self link of the VPC used for the cluster. Use the self link for Shared VPC."
type = string
}
variable "node_locations" {
description = "Zones in which the cluster's nodes are located."
type = list(string)
default = []
}
variable "notification_config" {
description = "GKE Cluster upgrade notifications via PubSub."
type = bool
default = false
}
variable "peering_config" {
description = "Configure peering with the master VPC for private clusters."
type = object({
export_routes = bool
import_routes = bool
project_id = string
})
default = null
}
variable "pod_security_policy" {
description = "Enable the PodSecurityPolicy feature."
type = bool
default = null
nullable = false
}
variable "private_cluster_config" {
description = "Enable and configure private cluster, private nodes must be true if used."
description = "Private cluster configuration."
type = object({
enable_private_nodes = bool
enable_private_endpoint = bool
master_ipv4_cidr_block = string
master_global_access = bool
enable_private_endpoint = optional(bool)
master_ipv4_cidr_block = optional(string)
master_global_access = optional(bool)
peering_config = optional(object({
export_routes = optional(bool)
import_routes = optional(bool)
project_id = optional(string)
}))
})
default = null
}
@ -285,41 +205,20 @@ variable "release_channel" {
default = null
}
variable "resource_usage_export_config" {
description = "Configure the ResourceUsageExportConfig feature."
variable "vpc_config" {
description = "VPC-level configuration."
type = object({
enabled = bool
dataset = string
network = string
subnetwork = string
secondary_range_blocks = optional(object({
pods = string
services = string
}), )
secondary_range_names = optional(object({
pods = string
services = string
}), { pods = "pods", services = "services" })
master_authorized_ranges = optional(map(string))
})
default = {
enabled = null
dataset = null
}
}
variable "secondary_range_pods" {
description = "Subnet secondary range name used for pods."
type = string
}
variable "secondary_range_services" {
description = "Subnet secondary range name used for services."
type = string
}
variable "subnetwork" {
description = "VPC subnetwork name or self link."
type = string
}
variable "vertical_pod_autoscaling" {
description = "Enable the Vertical Pod Autoscaling feature."
type = bool
default = null
}
variable "workload_identity" {
description = "Enable the Workload Identity feature."
type = bool
default = true
nullable = false
}
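Review bot: `shielded_nodes = optional(bool, false)` in the new `enable_features` object replaces the old `enable_shielded_nodes` default of `null` with an explicit `false`, and main.tf on this page passes `var.enable_features.shielded_nodes` straight to `enable_shielded_nodes` for non-Autopilot clusters; recent google provider releases default Shielded Nodes to enabled, so this presumably turns off secure boot and integrity monitoring for every caller that relies on defaults. Consider `shielded_nodes = optional(bool, true)` to match the old behavior, or at least call out the change in the variable description as a security-relevant incompatibility. In the same hunk, the `cloud_dns` sub-object declares `provider`, `scope` and `domain`, but the `dns_config` block in main.tf reads `cluster_dns`, `cluster_dns_scope` and `cluster_dns_domain` from it, so one side needs renaming before the feature is usable; the attribute names here are the ones I would keep. The `database_encryption` sub-object requires `key_name = string` even when `state` is `DECRYPTED`; making it `optional(string)` would avoid forcing a dummy key name for callers that only want to switch encryption off.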


@ -48,18 +48,20 @@ module "vpc" {
}
module "cluster_1" {
source = "./fabric/modules/gke-cluster"
project_id = module.project.project_id
name = "cluster-1"
location = "europe-west1-b"
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"]
secondary_range_pods = "pods"
secondary_range_services = "services"
enable_dataplane_v2 = true
master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" }
source = "./fabric/modules/gke-cluster"
project_id = module.project.project_id
name = "cluster-1"
location = "europe-west1"
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"]
master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" }
}
enable_features = {
dataplane_v2 = true
workload_identity = true
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
master_ipv4_cidr_block = "192.168.0.0/28"
master_global_access = false
@ -225,27 +227,24 @@ module "firewall" {
}
module "cluster_1" {
source = "./fabric/modules/gke-cluster"
project_id = module.project.project_id
name = "cluster-1"
location = "europe-wes1"
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
secondary_range_pods = "pods"
secondary_range_services = "services"
source = "./fabric/modules/gke-cluster"
project_id = module.project.project_id
name = "cluster-1"
location = "europe-west1"
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
master_authorized_ranges = {
mgmt = "10.0.0.0/28"
pods-cluster-1 = "10.3.0.0/16"
}
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = false
master_ipv4_cidr_block = "192.168.1.0/28"
master_global_access = true
}
master_authorized_ranges = {
mgmt = "10.0.0.0/28"
pods-cluster-1 = "10.3.0.0/16"
}
enable_autopilot = false
release_channel = "REGULAR"
workload_identity = true
release_channel = "REGULAR"
labels = {
mesh_id = "proj-${module.project.number}"
}
@ -266,25 +265,22 @@ module "cluster_1_nodepool" {
module "cluster_2" {
source = "./fabric/modules/gke-cluster"
project_id = module.project.project_id
name = "cluster-1"
location = "europe-wes1"
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
secondary_range_pods = "pods"
secondary_range_services = "services"
name = "cluster-2"
location = "europe-west4"
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
master_authorized_ranges = {
mgmt = "10.0.0.0/28"
pods-cluster-1 = "10.3.0.0/16"
}
}
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = false
master_ipv4_cidr_block = "192.168.2.0/28"
master_global_access = true
}
master_authorized_ranges = {
mgmt = "10.0.0.0/28"
pods-cluster-1 = "10.1.0.0/16"
}
enable_autopilot = false
release_channel = "REGULAR"
workload_identity = true
release_channel = "REGULAR"
labels = {
mesh_id = "proj-${module.project.number}"
}


@ -15,7 +15,7 @@
*/
module "test" {
source = "../../../../../blueprints/networking/shared-vpc-gke"
source = "../../../../../blueprints/gke/shared-vpc-gke"
billing_account_id = var.billing_account_id
prefix = var.prefix
root_node = var.root_node


@ -15,14 +15,14 @@
*/
module "test" {
source = "../../../../modules/gke-cluster"
project_id = "my-project"
name = "cluster-1"
location = "europe-west1-b"
network = "mynetwork"
subnetwork = "mysubnet"
secondary_range_pods = "pods"
secondary_range_services = "services"
enable_autopilot = var.enable_autopilot
addons = var.addons
source = "../../../../modules/gke-cluster"
project_id = "my-project"
name = "cluster-1"
location = "europe-west1-b"
vpc_config = {
network = "mynetwork"
subnetwork = "mysubnet"
}
enable_addons = var.enable_addons
enable_features = var.enable_features
}


@ -14,25 +14,17 @@
* limitations under the License.
*/
variable "enable_autopilot" {
default = false
}
variable "addons" {
variable "enable_addons" {
type = any
default = {
cloudrun_config = false
dns_cache_config = false
horizontal_pod_autoscaling = true
http_load_balancing = true
istio_config = {
enabled = false
tls = false
}
network_policy_config = false
gce_persistent_disk_csi_driver_config = false
gcp_filestore_csi_driver_config = false
config_connector_config = false
kalm_config = false
gke_backup_agent_config = false
}
}
variable "enable_features" {
type = any
default = {
workload_identity = true
}
}


@ -28,9 +28,8 @@ def test_standard(plan_runner):
def test_autopilot(plan_runner):
"Test resources created with variable defaults."
_, resources = plan_runner(enable_autopilot="true")
_, resources = plan_runner(enable_features='{ autopilot=true }')
assert len(resources) == 1
cluster_config = resources[0]['values']
assert cluster_config['name'] == "cluster-1"
assert cluster_config['network'] == "mynetwork"