From 220ab76e405d08c5445aa7ed6932ef749d957e7b Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 22 Feb 2024 08:35:27 +0100
Subject: [PATCH] enable shielded nodes by default on GKE mt blueprint and FAST stage (#2105)
---
 blueprints/gke/multitenant-fleet/README.md | 10 +++++-----
 blueprints/gke/multitenant-fleet/variables.tf | 20 +++++++++++++------
 fast/stages/3-gke-multitenant/dev/README.md | 10 +++++-----
 .../stages/3-gke-multitenant/dev/variables.tf | 20 +++++++++++++------
 4 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/blueprints/gke/multitenant-fleet/README.md b/blueprints/gke/multitenant-fleet/README.md
index 1967e4ec..fa9fe833 100644
--- a/blueprints/gke/multitenant-fleet/README.md
+++ b/blueprints/gke/multitenant-fleet/README.md
@@ -240,9 +240,9 @@ module "gke" {
 |---|---|:---:|:---:|:---:|
 | [billing_account_id](variables.tf#L17) | Billing account ID. | string | ✓ | |
 | [folder_id](variables.tf#L131) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | string | ✓ | |
-| [prefix](variables.tf#L181) | Prefix used for resource names. | string | ✓ | |
-| [project_id](variables.tf#L190) | ID of the project that will contain all the clusters. | string | ✓ | |
-| [vpc_config](variables.tf#L202) | Shared VPC project and VPC details. | object({…}) | ✓ | |
+| [prefix](variables.tf#L189) | Prefix used for resource names. | string | ✓ | |
+| [project_id](variables.tf#L198) | ID of the project that will contain all the clusters. | string | ✓ | |
+| [vpc_config](variables.tf#L210) | Shared VPC project and VPC details. | object({…}) | ✓ | |
 | [clusters](variables.tf#L22) | Clusters configuration. Refer to the gke-cluster module for type details. | map(object({…})) | | {} |
 | [deletion_protection](variables.tf#L89) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | bool | | false |
 | [fleet_configmanagement_clusters](variables.tf#L96) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} |
@@ -252,8 +252,8 @@ module "gke" {
 | [iam](variables.tf#L136) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | [iam_by_principals](variables.tf#L143) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} |
 | [labels](variables.tf#L150) | Project-level labels. | map(string) | | {} |
-| [nodepools](variables.tf#L156) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} |
-| [project_services](variables.tf#L195) | Additional project services to enable. | list(string) | | [] |
+| [nodepools](variables.tf#L156) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} |
+| [project_services](variables.tf#L203) | Additional project services to enable. | list(string) | | [] |
 ## Outputs
diff --git a/blueprints/gke/multitenant-fleet/variables.tf b/blueprints/gke/multitenant-fleet/variables.tf
index c0f49ab8..d8cb9cfc 100644
--- a/blueprints/gke/multitenant-fleet/variables.tf
+++ b/blueprints/gke/multitenant-fleet/variables.tf
@@ -156,12 +156,20 @@ variable "labels" {
 variable "nodepools" {
 description = "Nodepools configuration. Refer to the gke-nodepool module for type details."
 type = map(map(object({
- gke_version = optional(string)
- labels = optional(map(string), {})
- max_pods_per_node = optional(number)
- name = optional(string)
- node_config = optional(any, { disk_type = "pd-balanced" })
- node_count = optional(map(number), { initial = 1 })
+ gke_version = optional(string)
+ labels = optional(map(string), {})
+ max_pods_per_node = optional(number)
+ name = optional(string)
+ node_config = optional(any, {
+ disk_type = "pd-balanced"
+ shielded_instance_config = {
+ enable_integrity_monitoring = true
+ enable_secure_boot = true
+ }
+ })
+ node_count = optional(map(number), {
+ initial = 1
+ })
 node_locations = optional(list(string))
 nodepool_config = optional(any)
 pod_range = optional(any)
diff --git a/fast/stages/3-gke-multitenant/dev/README.md b/fast/stages/3-gke-multitenant/dev/README.md
index 77ee84b0..6e228835 100644
--- a/fast/stages/3-gke-multitenant/dev/README.md
+++ b/fast/stages/3-gke-multitenant/dev/README.md
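Review bot: The new shielded_instance_config default on node_config only takes effect when a nodepool omits node_config entirely; because the attribute is typed `any`, `optional(any, {...})` substitutes the whole default object and does not merge, so a caller that sets even `node_config = { disk_type = "pd-ssd" }` silently loses secure boot and integrity monitoring. The variable description on the context line above still reads only `Refer to the gke-nodepool module for type details.`, and the README hunks in this commit only shift line anchors, so nothing warns users that their override disables the hardening. I would extend it to `description = "Nodepools configuration. Refer to the gke-nodepool module for type details. A custom node_config replaces the default object (including shielded_instance_config) instead of merging with it."`, or type node_config as an object with per-attribute `optional(...)` defaults so the shielded settings survive partial overrides — the latter needs the node_config schema from the gke-nodepool module, which is not visible here. The identical hunk in fast/stages/3-gke-multitenant/dev/variables.tf has the same gap. The `variable "nodepools"` block continues past the end of this hunk.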
@@ -218,8 +218,8 @@ Leave all these variables unset (or set to `null`) to disable fleet management.
 | [billing_account](variables.tf#L29) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
 | [folder_ids](variables.tf#L175) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
 | [host_project_ids](variables.tf#L183) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [prefix](variables.tf#L242) | Prefix used for resources that need unique names. | string | ✓ | | |
-| [vpc_self_links](variables.tf#L258) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
+| [prefix](variables.tf#L250) | Prefix used for resources that need unique names. | string | ✓ | | |
+| [vpc_self_links](variables.tf#L266) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
 | [clusters](variables.tf#L42) | Clusters configuration. Refer to the gke-cluster-standard module for type details. | map(object({…})) | | {} | |
 | [fleet_configmanagement_clusters](variables.tf#L112) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} | |
 | [fleet_configmanagement_templates](variables.tf#L120) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} | |
@@ -228,9 +228,9 @@ Leave all these variables unset (or set to `null`) to disable fleet management.
 | [iam](variables.tf#L191) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
 | [iam_by_principals](variables.tf#L198) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
 | [labels](variables.tf#L205) | Project-level labels. | map(string) | | {} | |
-| [nodepools](variables.tf#L211) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | |
-| [outputs_location](variables.tf#L236) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [project_services](variables.tf#L251) | Additional project services to enable. | list(string) | | [] | |
+| [nodepools](variables.tf#L211) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | |
+| [outputs_location](variables.tf#L244) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
+| [project_services](variables.tf#L259) | Additional project services to enable. | list(string) | | [] | |
 ## Outputs
diff --git a/fast/stages/3-gke-multitenant/dev/variables.tf b/fast/stages/3-gke-multitenant/dev/variables.tf
index eadcbe08..092f6304 100644
--- a/fast/stages/3-gke-multitenant/dev/variables.tf
+++ b/fast/stages/3-gke-multitenant/dev/variables.tf
@@ -211,12 +211,20 @@ variable "labels" {
 variable "nodepools" {
 description = "Nodepools configuration. Refer to the gke-nodepool module for type details."
 type = map(map(object({
- gke_version = optional(string)
- labels = optional(map(string), {})
- max_pods_per_node = optional(number)
- name = optional(string)
- node_config = optional(any, { disk_type = "pd-balanced" })
- node_count = optional(map(number), { initial = 1 })
+ gke_version = optional(string)
+ labels = optional(map(string), {})
+ max_pods_per_node = optional(number)
+ name = optional(string)
+ node_config = optional(any, {
+ disk_type = "pd-balanced"
+ shielded_instance_config = {
+ enable_integrity_monitoring = true
+ enable_secure_boot = true
+ }
+ })
+ node_count = optional(map(number), {
+ initial = 1
+ })
 node_locations = optional(list(string))
 nodepool_config = optional(any)
 pod_range = optional(any)