Merge branch 'master' into 1849-implement-cloud-run-module-version-2
This commit is contained in:
Julio Diez
GitHub
commit
a04f59852f
30
CHANGELOG.md
30
CHANGELOG.md
|
|
@ -8,6 +8,13 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### BLUEPRINTS
|
||||
|
||||
- [[#1936](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1936)] Move squid to __need_fixing ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-19 14:27:37+00:00 -->
|
||||
- [[#1931](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1931)] Quota monitor blueprint: don't fail quota fetch on deleted project ([ludoo](https://github.com/ludoo)) <!-- 2023-12-15 19:20:49+00:00 -->
|
||||
- [[#1930](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1930)] Allow granting network user role on host project from project module and factory ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2023-12-15 13:39:21+00:00 -->
|
||||
- [[#1924](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1924)] Update quota monitor blueprint to support project discovery ([maunope](https://github.com/maunope)) <!-- 2023-12-12 18:17:01+00:00 -->
|
||||
- [[#1912](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1912)] **incompatible change:** Custom role factories for organization and project modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-11 14:16:39+00:00 -->
|
||||
- [[#1916](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1916)] Add triggerer configuration for Composer ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-11 11:54:49+00:00 -->
|
||||
- [[#1907](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1907)] Add support for subnet-level service network user grants to project module, improve docs ([ludoo](https://github.com/ludoo)) <!-- 2023-12-07 09:07:48+00:00 -->
|
||||
- [[#1871](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1871)] Added workstation-cluster module ([apichick](https://github.com/apichick)) <!-- 2023-11-30 06:15:37+00:00 -->
|
||||
- [[#1886](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1886)] Fixes to F5 blueprint docs ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-11-24 18:45:38+00:00 -->
|
||||
- [[#1874](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1874)] Added PSC support to CloudSQL Module ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2023-11-24 14:47:45+00:00 -->
|
||||
|
|
@ -15,16 +22,38 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### DOCUMENTATION
|
||||
|
||||
- [[#1936](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1936)] Move squid to __need_fixing ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-19 14:27:37+00:00 -->
|
||||
- [[#1890](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1890)] Use TFTEST_E2E_ instead of TF_VAR variables ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-30 19:03:59+00:00 -->
|
||||
- [[#1871](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1871)] Added workstation-cluster module ([apichick](https://github.com/apichick)) <!-- 2023-11-30 06:15:37+00:00 -->
|
||||
- [[#1883](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1883)] F5 deployment blueprint ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-11-24 13:02:34+00:00 -->
|
||||
|
||||
### FAST
|
||||
|
||||
- [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 16:09:22+00:00 -->
|
||||
- [[#1912](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1912)] **incompatible change:** Custom role factories for organization and project modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-11 14:16:39+00:00 -->
|
||||
- [[#1900](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1900)] Patch Github actions ci google-github-actions/auth@v0 --> v2 ([ibrahimparvez2](https://github.com/ibrahimparvez2)) <!-- 2023-12-04 12:16:02+00:00 -->
|
||||
|
||||
### MODULES
|
||||
|
||||
- [[#1936](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1936)] Move squid to __need_fixing ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-19 14:27:37+00:00 -->
|
||||
- [[#1935](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1935)] E2E tests fixes ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-19 10:01:03+00:00 -->
|
||||
- [[#1933](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1933)] Add project-scoped secure tags ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 17:24:06+00:00 -->
|
||||
- [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 16:09:22+00:00 -->
|
||||
- [[#1930](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1930)] Allow granting network user role on host project from project module and factory ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2023-12-15 13:39:21+00:00 -->
|
||||
- [[#1928](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1928)] **incompatible change:** Fix health check autocreation and id output in passthrough LB modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-13 23:39:55+00:00 -->
|
||||
- [[#1926](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1926)] Add support for policy based routes to net-vpc ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-13 15:19:41+00:00 -->
|
||||
- [[#1905](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1905)] gke-cluster-standard : Support upgrade_settings for node auto provisioner ([noony](https://github.com/noony)) <!-- 2023-12-12 19:17:52+00:00 -->
|
||||
- [[#1923](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1923)] Removed deprecated variable and added labels ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2023-12-12 18:32:48+00:00 -->
|
||||
- [[#1922](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1922)] can_ip_forward in simple-nva examples ([sruffilli](https://github.com/sruffilli)) <!-- 2023-12-12 13:09:59+00:00 -->
|
||||
- [[#1921](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1921)] Sync tf version to version used by tests ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-12 08:43:09+00:00 -->
|
||||
- [[#1920](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1920)] Bump tf version ([ludoo](https://github.com/ludoo)) <!-- 2023-12-12 08:19:47+00:00 -->
|
||||
- [[#1918](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1918)] Added missing parameters in kubelet and linux node configuration ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2023-12-11 19:05:24+00:00 -->
|
||||
- [[#1917](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1917)] Added the possibility to configure maintenance window and deny maintenance period in Cloud SQL module module ([francesco-pavan-huware](https://github.com/francesco-pavan-huware)) <!-- 2023-12-11 16:59:00+00:00 -->
|
||||
- [[#1912](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1912)] **incompatible change:** Custom role factories for organization and project modules ([ludoo](https://github.com/ludoo)) <!-- 2023-12-11 14:16:39+00:00 -->
|
||||
- [[#1909](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1909)] net_lb_ext module e2e and example testing changes ([dibaskar-google](https://github.com/dibaskar-google)) <!-- 2023-12-08 09:04:07+00:00 -->
|
||||
- [[#1908](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1908)] README fixes for #1907 ([wiktorn](https://github.com/wiktorn)) <!-- 2023-12-07 10:05:27+00:00 -->
|
||||
- [[#1906](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1906)] gke-cluster-standard : Set optional shielded_instance_config block in cluster_autoscaling.auto_provisioning_defaults ([noony](https://github.com/noony)) <!-- 2023-12-07 09:37:13+00:00 -->
|
||||
- [[#1907](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1907)] Add support for subnet-level service network user grants to project module, improve docs ([ludoo](https://github.com/ludoo)) <!-- 2023-12-07 09:07:48+00:00 -->
|
||||
- [[#1904](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1904)] gke-cluster-standard : Add possibility to enable image streaming feature at cluster level ([noony](https://github.com/noony)) <!-- 2023-12-07 05:36:22+00:00 -->
|
||||
- [[#1903](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1903)] Enable sole tenancy (`node_affinities`) on compute_vm ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-12-05 17:05:23+00:00 -->
|
||||
- [[#1901](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1901)] Add IPv6 to HA VPN module + test inventories ([LucaPrete](https://github.com/LucaPrete)) <!-- 2023-12-04 22:38:42+00:00 -->
|
||||
|
|
@ -41,6 +70,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### TOOLS
|
||||
|
||||
- [[#1932](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1932)] Simplify organization tags.tf locals ([juliocc](https://github.com/juliocc)) <!-- 2023-12-18 16:09:22+00:00 -->
|
||||
- [[#1890](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1890)] Use TFTEST_E2E_ instead of TF_VAR variables ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-30 19:03:59+00:00 -->
|
||||
|
||||
## [28.0.0] - 2023-11-24
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ Currently available blueprints:
|
|||
- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml)
|
||||
- **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
|
||||
- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot)
|
||||
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
|
||||
- **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke)
|
||||
- **serverless** - [Cloud Run series](./serverless/cloud-run-explore)
|
||||
- **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)
|
||||
|
||||
|
|
|
|||
|
|
@ -38,9 +38,10 @@ The region, location of the bundle used to deploy the function, and scheduling f
|
|||
|
||||
The `quota_config` variable mirrors the arguments accepted by the Python program, and allows configuring several different aspects of its behaviour:
|
||||
|
||||
- `quota_config.discover_root` organization or folder to be used to discover all underlying projects to track quotas for, in `organizations/nnnnn` or `folders/nnnnn` format
|
||||
- `quota_config.exclude` do not generate metrics for quotas matching prefixes listed here
|
||||
- `quota_config.include` only generate metrics for quotas matching prefixes listed here
|
||||
- `quota_config.projects` projects to track quotas for, defaults to the project where metrics are stored
|
||||
- `quota_config.projects` projects to track quotas for, defaults to the project where metrics are stored, if projects are automatically discovered, those in this list are appended.
|
||||
- `quota_config.regions` regions to track quotas for, defaults to the `global` region for project-level quotas
|
||||
- `dry_run` do not write actual metrics
|
||||
- `verbose` increase logging verbosity
|
||||
|
|
@ -54,7 +55,6 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
|
|||
- `terraform init`
|
||||
- `terraform apply -var project_id=my-project-id`
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|
|
@ -64,10 +64,9 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
|
|||
| [bundle_path](variables.tf#L33) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| [name](variables.tf#L39) | Arbitrary string used to name created resources. | <code>string</code> | | <code>"quota-monitor"</code> |
|
||||
| [project_create_config](variables.tf#L45) | Create project instead of using an existing one. | <code title="object({ billing_account = string parent = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [quota_config](variables.tf#L59) | Cloud function configuration. | <code title="object({ exclude = optional(list(string), [ "a2", "c2", "c2d", "committed", "g2", "interconnect", "m1", "m2", "m3", "nvidia", "preemptible" ]) include = optional(list(string)) projects = optional(list(string)) regions = optional(list(string)) dry_run = optional(bool, false) verbose = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [region](variables.tf#L76) | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [schedule_config](variables.tf#L82) | Schedule timer configuration in crontab format. | <code>string</code> | | <code>"0 * * * *"</code> |
|
||||
|
||||
| [quota_config](variables.tf#L59) | Cloud function configuration. | <code title="object({ exclude = optional(list(string), [ "a2", "c2", "c2d", "committed", "g2", "interconnect", "m1", "m2", "m3", "nvidia", "preemptible" ]) discovery_root = optional(string, "") dry_run = optional(bool, false) include = optional(list(string)) projects = optional(list(string)) regions = optional(list(string)) verbose = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [region](variables.tf#L85) | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [schedule_config](variables.tf#L91) | Schedule timer configuration in crontab format. | <code>string</code> | | <code>"0 * * * *"</code> |
|
||||
<!-- END TFDOC -->
|
||||
## Test
|
||||
|
||||
|
|
@ -80,5 +79,5 @@ module "test" {
|
|||
billing_account = "12345-ABCDE-12345"
|
||||
}
|
||||
}
|
||||
# tftest modules=4 resources=14
|
||||
# tftest modules=4 resources=19
|
||||
```
|
||||
|
|
|
|||
|
|
@ -20,6 +20,8 @@ locals {
|
|||
? [var.project_id]
|
||||
: var.quota_config.projects
|
||||
)
|
||||
discovery_root_type = split("/", coalesce(var.quota_config["discovery_root"], "/"))[0]
|
||||
discovery_root_id = split("/", coalesce(var.quota_config["discovery_root"], "/"))[1]
|
||||
}
|
||||
|
||||
module "project" {
|
||||
|
|
@ -29,8 +31,11 @@ module "project" {
|
|||
parent = try(var.project_create_config.parent, null)
|
||||
project_create = var.project_create_config != null
|
||||
services = [
|
||||
"compute.googleapis.com",
|
||||
"cloudfunctions.googleapis.com"
|
||||
"cloudasset.googleapis.com",
|
||||
"cloudbuild.googleapis.com",
|
||||
"cloudfunctions.googleapis.com",
|
||||
"cloudscheduler.googleapis.com",
|
||||
"compute.googleapis.com"
|
||||
]
|
||||
}
|
||||
|
||||
|
|
@ -81,6 +86,55 @@ resource "google_cloud_scheduler_job" "default" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "google_organization_iam_member" "org_asset_viewer" {
|
||||
count = local.discovery_root_type == "organizations" ? 1 : 0
|
||||
org_id = local.discovery_root_id
|
||||
role = "roles/cloudasset.viewer"
|
||||
member = module.cf.service_account_iam_email
|
||||
}
|
||||
|
||||
|
||||
# role with the least privilege including compute.projects.get permission
|
||||
resource "google_organization_iam_member" "org_network_viewer" {
|
||||
count = local.discovery_root_type == "organizations" ? 1 : 0
|
||||
org_id = local.discovery_root_id
|
||||
role = "roles/compute.networkViewer"
|
||||
member = module.cf.service_account_iam_email
|
||||
}
|
||||
|
||||
resource "google_organization_iam_member" "org_quota_viewer" {
|
||||
count = local.discovery_root_type == "organizations" ? 1 : 0
|
||||
org_id = local.discovery_root_id
|
||||
role = "roles/servicemanagement.quotaViewer"
|
||||
member = module.cf.service_account_iam_email
|
||||
}
|
||||
|
||||
resource "google_folder_iam_member" "folder_asset_viewer" {
|
||||
count = local.discovery_root_type == "folders" ? 1 : 0
|
||||
folder = local.discovery_root_id
|
||||
role = "roles/cloudasset.viewer"
|
||||
member = module.cf.service_account_iam_email
|
||||
}
|
||||
|
||||
# role with the least privilege including compute.projects.get permission
|
||||
resource "google_folder_iam_member" "folder_network_viewer" {
|
||||
count = local.discovery_root_type == "folders" ? 1 : 0
|
||||
folder = local.discovery_root_id
|
||||
role = "roles/compute.networkViewer"
|
||||
member = module.cf.service_account_iam_email
|
||||
}
|
||||
|
||||
resource "google_folder_iam_member" "folder_quota_viewer" {
|
||||
count = local.discovery_root_type == "folders" ? 1 : 0
|
||||
folder = local.discovery_root_id
|
||||
role = "roles/servicemanagement.quotaViewer"
|
||||
member = module.cf.service_account_iam_email
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
resource "google_project_iam_member" "metric_writer" {
|
||||
project = module.project.project_id
|
||||
role = "roles/monitoring.metricWriter"
|
||||
|
|
|
|||
|
|
@ -39,6 +39,9 @@ HTTP_HEADERS = {'content-type': 'application/json; charset=UTF-8'}
|
|||
URL_PROJECT = 'https://compute.googleapis.com/compute/v1/projects/{}'
|
||||
URL_REGION = 'https://compute.googleapis.com/compute/v1/projects/{}/regions/{}'
|
||||
URL_TS = 'https://monitoring.googleapis.com/v3/projects/{}/timeSeries'
|
||||
URL_DISCOVERY = ('https://cloudasset.googleapis.com/v1/{}/assets?'
|
||||
'assetTypes=cloudresourcemanager.googleapis.com%2FProject&'
|
||||
'contentType=RESOURCE&pageSize=100&pageToken={}')
|
||||
|
||||
_Quota = collections.namedtuple('_Quota',
|
||||
'project region tstamp metric limit usage')
|
||||
|
|
@ -48,6 +51,10 @@ HTTPRequest = collections.namedtuple(
|
|||
}])
|
||||
|
||||
|
||||
class NotFound(Exception):
|
||||
pass
|
||||
|
||||
|
||||
class Quota(_Quota):
|
||||
'Compute quota.'
|
||||
|
||||
|
|
@ -80,8 +87,8 @@ class Quota(_Quota):
|
|||
else:
|
||||
d['valueType'] = 'INT64'
|
||||
d['points'][0]['value'] = {'int64Value': value}
|
||||
# remove this label if cardinality gets too high
|
||||
d['metric']['labels']['quota'] = f'{self.usage}/{self.limit}'
|
||||
# re-enable the following line if cardinality is not a problem
|
||||
# d['metric']['labels']['quota'] = f'{self.usage}/{self.limit}'
|
||||
return d
|
||||
|
||||
@property
|
||||
|
|
@ -92,7 +99,7 @@ class Quota(_Quota):
|
|||
ratio = 0
|
||||
yield self._api_format('ratio', ratio)
|
||||
yield self._api_format('usage', self.usage)
|
||||
# yield self._api_format('limit', self.limit)
|
||||
yield self._api_format('limit', self.limit)
|
||||
|
||||
|
||||
def batched(iterable, n):
|
||||
|
|
@ -112,6 +119,23 @@ def configure_logging(verbose=True):
|
|||
warnings.filterwarnings('ignore', r'.*end user credentials.*', UserWarning)
|
||||
|
||||
|
||||
def discover_projects(discovery_root):
|
||||
'Discovers projects under a folder or organization.'
|
||||
if discovery_root.partition('/')[0] not in ('folders', 'organizations'):
|
||||
raise SystemExit(f'Invalid discovery root {discovery_root}.')
|
||||
next_page_token = ''
|
||||
while True:
|
||||
list_assets_results = fetch(
|
||||
HTTPRequest(URL_DISCOVERY.format(discovery_root, next_page_token)))
|
||||
if 'assets' in list_assets_results:
|
||||
for asset in list_assets_results['assets']:
|
||||
if (asset['resource']['data']['lifecycleState'] == 'ACTIVE'):
|
||||
yield asset['resource']['data']['projectId']
|
||||
next_page_token = list_assets_results.get('nextPageToken')
|
||||
if not next_page_token:
|
||||
break
|
||||
|
||||
|
||||
def fetch(request, delete=False):
|
||||
'Minimal HTTP client interface for API calls.'
|
||||
logging.debug(f'fetch {"POST" if request.data else "GET"} {request.url}')
|
||||
|
|
@ -132,6 +156,9 @@ def fetch(request, delete=False):
|
|||
except json.JSONDecodeError as e:
|
||||
logging.critical(e)
|
||||
raise SystemExit(f'Error decoding response: {response.content}')
|
||||
if response.status_code == 404:
|
||||
raise NotFound(
|
||||
f'Resource not found. Error: {rdata.get("error")} URL: {request.url}')
|
||||
if response.status_code != 200:
|
||||
logging.critical(rdata)
|
||||
error = rdata.get('error', {})
|
||||
|
|
@ -155,17 +182,25 @@ def get_quotas(project, region='global'):
|
|||
request = HTTPRequest(URL_PROJECT.format(project))
|
||||
else:
|
||||
request = HTTPRequest(URL_REGION.format(project, region))
|
||||
resp = fetch(request)
|
||||
ts = datetime.datetime.utcnow()
|
||||
for quota in resp.get('quotas'):
|
||||
yield Quota(project, region, ts, **quota)
|
||||
try:
|
||||
resp = fetch(request)
|
||||
except NotFound as e:
|
||||
logging.warn(e.args[0])
|
||||
else:
|
||||
ts = datetime.datetime.utcnow()
|
||||
for quota in resp.get('quotas'):
|
||||
yield Quota(project, region, ts, **quota)
|
||||
|
||||
|
||||
@click.command()
|
||||
@click.argument('project-id', required=True)
|
||||
@click.option(
|
||||
'--discovery-root', '-dr', required=False, help=
|
||||
'Root node used to dynamically fetch projects, in organizations/nnn or folders/nnn format.'
|
||||
)
|
||||
@click.option(
|
||||
'--project-ids', multiple=True, help=
|
||||
'Project ids to monitor (multiple). Defaults to monitoring project if not set.'
|
||||
'Project ids to monitor (multiple). Defaults to monitoring project if not set, values are appended to those found under discovery-root'
|
||||
)
|
||||
@click.option('--regions', multiple=True,
|
||||
help='Regions (multiple). Defaults to "global" if not set.')
|
||||
|
|
@ -175,11 +210,13 @@ def get_quotas(project, region='global'):
|
|||
help='Exclude quotas starting with keyword (multiple).')
|
||||
@click.option('--dry-run', is_flag=True, help='Do not write metrics.')
|
||||
@click.option('--verbose', is_flag=True, help='Verbose output.')
|
||||
def main_cli(project_id=None, project_ids=None, regions=None, include=None,
|
||||
exclude=None, dry_run=False, verbose=False):
|
||||
def main_cli(project_id=None, discovery_root=None, project_ids=None,
|
||||
regions=None, include=None, exclude=None, dry_run=False,
|
||||
verbose=False):
|
||||
'Fetch GCE quotas and writes them as custom metrics to Stackdriver.'
|
||||
try:
|
||||
_main(project_id, project_ids, regions, include, exclude, dry_run, verbose)
|
||||
_main(project_id, discovery_root, project_ids, regions, include, exclude,
|
||||
dry_run, verbose)
|
||||
except RuntimeError as e:
|
||||
logging.exception(f'exception raised: {e.args[0]}')
|
||||
|
||||
|
|
@ -193,14 +230,18 @@ def main(event, context):
|
|||
raise
|
||||
|
||||
|
||||
def _main(monitoring_project, projects=None, regions=None, include=None,
|
||||
exclude=None, dry_run=False, verbose=False):
|
||||
def _main(monitoring_project, discovery_root=None, projects=None, regions=None,
|
||||
include=None, exclude=None, dry_run=False, verbose=False):
|
||||
"""Module entry point used by cli and cloud function wrappers."""
|
||||
configure_logging(verbose=verbose)
|
||||
projects = projects or [monitoring_project]
|
||||
|
||||
# default to monitoring scope project if projects parameter is not passed, then merge the list with discovered projects, if any
|
||||
regions = regions or ['global']
|
||||
include = set(include or [])
|
||||
exclude = set(exclude or [])
|
||||
projects = projects or [monitoring_project]
|
||||
if (discovery_root):
|
||||
projects = set(list(projects) + list(discover_projects(discovery_root)))
|
||||
for k in ('monitoring_project', 'projects', 'regions', 'include', 'exclude'):
|
||||
logging.debug(f'{k} {locals().get(k)}')
|
||||
timeseries = []
|
||||
|
|
|
|||
|
|
@ -63,14 +63,23 @@ variable "quota_config" {
|
|||
"a2", "c2", "c2d", "committed", "g2", "interconnect", "m1", "m2", "m3",
|
||||
"nvidia", "preemptible"
|
||||
])
|
||||
include = optional(list(string))
|
||||
projects = optional(list(string))
|
||||
regions = optional(list(string))
|
||||
dry_run = optional(bool, false)
|
||||
verbose = optional(bool, false)
|
||||
discovery_root = optional(string, "")
|
||||
dry_run = optional(bool, false)
|
||||
include = optional(list(string))
|
||||
projects = optional(list(string))
|
||||
regions = optional(list(string))
|
||||
verbose = optional(bool, false)
|
||||
})
|
||||
nullable = false
|
||||
default = {}
|
||||
validation {
|
||||
condition = (
|
||||
var.quota_config.discovery_root == "" ||
|
||||
startswith(var.quota_config.discovery_root, "folders/") ||
|
||||
startswith(var.quota_config.discovery_root, "organizations/")
|
||||
)
|
||||
error_message = "non-null discovery root needs to start with folders/ or organizations/"
|
||||
}
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ module "project-factory" {
|
|||
# location where the yaml files are read from
|
||||
factory_data_path = "data"
|
||||
}
|
||||
# tftest modules=7 resources=31 files=prj-app-1,prj-app-2,prj-app-3 inventory=example.yaml
|
||||
# tftest modules=7 resources=33 files=prj-app-1,prj-app-2,prj-app-3 inventory=example.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
|
|
@ -85,9 +85,15 @@ service_accounts:
|
|||
|
||||
```yaml
|
||||
labels:
|
||||
app: app-2
|
||||
team: foo
|
||||
app: app-2
|
||||
team: foo
|
||||
parent: folders/12345678
|
||||
org_policies:
|
||||
"compute.restrictSharedVpcSubnetworks":
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/foo-host/regions/europe-west1/subnetworks/prod-default-ew1
|
||||
service_accounts:
|
||||
app-2-be: {}
|
||||
services:
|
||||
|
|
@ -98,13 +104,17 @@ services:
|
|||
shared_vpc_service_config:
|
||||
host_project: foo-host
|
||||
service_identity_iam:
|
||||
"roles/compute.networkUser":
|
||||
- cloudservices
|
||||
- container-engine
|
||||
"roles/vpcaccess.user":
|
||||
- cloudrun
|
||||
- cloudrun
|
||||
"roles/container.hostServiceAgentUser":
|
||||
- container-engine
|
||||
- container-engine
|
||||
service_identity_subnet_iam:
|
||||
europe-west1/prod-default-ew1:
|
||||
- cloudservices
|
||||
- container-engine
|
||||
network_subnet_users:
|
||||
europe-west1/prod-default-ew1:
|
||||
- group:team-1@example.com
|
||||
|
||||
# tftest-file id=prj-app-2 path=data/prj-app-2.yaml
|
||||
```
|
||||
|
|
@ -117,15 +127,16 @@ services:
|
|||
|
||||
# tftest-file id=prj-app-3 path=data/prj-app-3.yaml
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [factory_data_path](variables.tf#L89) | Path to folder with YAML project description data files. | <code>string</code> | ✓ | |
|
||||
| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | <code title="object({ billing_account = optional(string) contacts = optional(map(list(string)), {}) labels = optional(map(string), {}) metric_scopes = optional(list(string), []) parent = optional(string) prefix = optional(string) service_encryption_key_ids = optional(map(list(string)), {}) service_perimeter_bridges = optional(list(string), []) service_perimeter_standard = optional(string) services = optional(list(string), []) shared_vpc_service_config = optional(object({ host_project = string service_identity_iam = optional(map(list(string)), {}) service_identity_subnet_iam = optional(map(list(string)), {}) service_iam_grants = optional(list(string), []) }), { host_project = null }) tag_bindings = optional(map(string), {}) service_accounts = optional(map(object({ display_name = optional(string, "Terraform-managed.") iam_project_roles = optional(list(string)) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [data_merges](variables.tf#L47) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | <code title="object({ contacts = optional(map(list(string)), {}) labels = optional(map(string), {}) metric_scopes = optional(list(string), []) service_encryption_key_ids = optional(map(list(string)), {}) service_perimeter_bridges = optional(list(string), []) services = optional(list(string), []) tag_bindings = optional(map(string), {}) service_accounts = optional(map(object({ display_name = optional(string, "Terraform-managed.") iam_project_roles = optional(list(string)) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [data_overrides](variables.tf#L67) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code title="object({ billing_account = optional(string) contacts = optional(map(list(string))) parent = optional(string) prefix = optional(string) service_encryption_key_ids = optional(map(list(string))) service_perimeter_bridges = optional(list(string)) service_perimeter_standard = optional(string) tag_bindings = optional(map(string)) services = optional(list(string)) service_accounts = optional(map(object({ display_name = optional(string, "Terraform-managed.") iam_project_roles = optional(list(string)) }))) })">object({…})</code> | | <code>{}</code> |
|
||||
| [factory_data_path](variables.tf#L91) | Path to folder with YAML project description data files. | <code>string</code> | ✓ | |
|
||||
| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | <code title="object({ billing_account = optional(string) contacts = optional(map(list(string)), {}) labels = optional(map(string), {}) metric_scopes = optional(list(string), []) parent = optional(string) prefix = optional(string) service_encryption_key_ids = optional(map(list(string)), {}) service_perimeter_bridges = optional(list(string), []) service_perimeter_standard = optional(string) services = optional(list(string), []) shared_vpc_service_config = optional(object({ host_project = string network_users = optional(list(string), []) service_identity_iam = optional(map(list(string)), {}) service_identity_subnet_iam = optional(map(list(string)), {}) service_iam_grants = optional(list(string), []) network_subnet_users = optional(map(list(string)), {}) }), { host_project = null }) tag_bindings = optional(map(string), {}) service_accounts = optional(map(object({ display_name = optional(string, "Terraform-managed.") iam_project_roles = optional(list(string)) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [data_merges](variables.tf#L49) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | <code title="object({ contacts = optional(map(list(string)), {}) labels = optional(map(string), {}) metric_scopes = optional(list(string), []) service_encryption_key_ids = optional(map(list(string)), {}) service_perimeter_bridges = optional(list(string), []) services = optional(list(string), []) tag_bindings = optional(map(string), {}) service_accounts = optional(map(object({ display_name = optional(string, "Terraform-managed.") iam_project_roles = optional(list(string)) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [data_overrides](variables.tf#L69) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code title="object({ billing_account = optional(string) contacts = optional(map(list(string))) parent = optional(string) prefix = optional(string) service_encryption_key_ids = optional(map(list(string))) service_perimeter_bridges = optional(list(string)) service_perimeter_standard = optional(string) tag_bindings = optional(map(string)) services = optional(list(string)) service_accounts = optional(map(object({ display_name = optional(string, "Terraform-managed.") iam_project_roles = optional(list(string)) }))) })">object({…})</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
@ -134,6 +145,7 @@ services:
|
|||
| [projects](outputs.tf#L17) | Project module outputs. | |
|
||||
| [service_accounts](outputs.tf#L22) | Service account emails. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## Tests
|
||||
|
||||
These tests validate fixes to the project factory.
|
||||
|
|
|
|||
|
|
@ -79,9 +79,11 @@ locals {
|
|||
try(v.shared_vpc_service_config, null) != null
|
||||
? merge(
|
||||
{
|
||||
network_users = []
|
||||
service_identity_iam = {}
|
||||
service_identity_subnet_iam = {}
|
||||
service_iam_grants = []
|
||||
network_subnet_users = {}
|
||||
},
|
||||
v.shared_vpc_service_config
|
||||
)
|
||||
|
|
|
|||
|
|
@ -29,9 +29,11 @@ variable "data_defaults" {
|
|||
services = optional(list(string), [])
|
||||
shared_vpc_service_config = optional(object({
|
||||
host_project = string
|
||||
network_users = optional(list(string), [])
|
||||
service_identity_iam = optional(map(list(string)), {})
|
||||
service_identity_subnet_iam = optional(map(list(string)), {})
|
||||
service_iam_grants = optional(list(string), [])
|
||||
network_subnet_users = optional(map(list(string)), {})
|
||||
}), { host_project = null })
|
||||
tag_bindings = optional(map(string), {})
|
||||
# non-project resources
|
||||
|
|
|
|||
|
|
@ -73,14 +73,14 @@ The emulated on-premises environment can be used to test access to different ser
|
|||
|
||||
<br clear="left">
|
||||
|
||||
-->
|
||||
|
||||
### Network filtering with Squid
|
||||
|
||||
<a href="./filtering-proxy/" title="Network filtering with Squid"><img src="./filtering-proxy/squid.png" align="left" width="280px"></a> This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling.
|
||||
|
||||
<br clear="left">
|
||||
|
||||
-->
|
||||
|
||||
### Shared VPC with GKE and per-subnet support
|
||||
|
||||
<a href="./shared-vpc-gke/" title="Shared VPC with GKE"><img src="./shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.
|
||||
|
|
|
|||
|
|
@ -3,3 +3,4 @@
|
|||
The blueprints in this folder are either deprecated or need work on them.
|
||||
|
||||
- nginx reverse proxy cluster needs tests and resolving a cycle
|
||||
- filtering-proxy needs upstream `cloud-config-container/__need_fixing/squid` to be fixed
|
||||
|
|
|
|||
|
|
@ -29,10 +29,9 @@ To simplify the usage of the proxy, a Cloud DNS private zone is created in each
|
|||
|
||||
## Test
|
||||
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/blueprints/networking/filtering-proxy-psc"
|
||||
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy-psc"
|
||||
prefix = "fabric"
|
||||
project_create = {
|
||||
billing_account = "123456-ABCDEF-123456"
|
||||
|
|
@ -19,7 +19,7 @@
|
|||
###############################################################################
|
||||
|
||||
module "vpc-consumer" {
|
||||
source = "../../../modules/net-vpc"
|
||||
source = "../../../../modules/net-vpc"
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-app"
|
||||
subnets = [
|
||||
|
|
@ -36,7 +36,7 @@ module "vpc-consumer" {
|
|||
###############################################################################
|
||||
|
||||
module "test-vm-consumer" {
|
||||
source = "../../../modules/compute-vm"
|
||||
source = "../../../../modules/compute-vm"
|
||||
project_id = module.project.project_id
|
||||
zone = "${var.region}-b"
|
||||
name = "${var.prefix}-test-vm"
|
||||
|
|
@ -83,7 +83,7 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
|
|||
###############################################################################
|
||||
|
||||
module "private-dns" {
|
||||
source = "../../../modules/dns"
|
||||
source = "../../../../modules/dns"
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-internal"
|
||||
zone_config = {
|
||||
|
|
@ -99,7 +99,7 @@ module "private-dns" {
|
|||
}
|
||||
|
||||
module "firewall-consumer" {
|
||||
source = "../../../modules/net-vpc-firewall"
|
||||
source = "../../../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc-consumer.name
|
||||
}
|
||||
|
|
@ -19,7 +19,7 @@
|
|||
###############################################################################
|
||||
|
||||
module "project" {
|
||||
source = "../../../modules/project"
|
||||
source = "../../../../modules/project"
|
||||
project_create = var.project_create != null
|
||||
billing_account = try(var.project_create.billing_account, null)
|
||||
parent = try(var.project_create.parent, null)
|
||||
|
|
@ -33,7 +33,7 @@ module "project" {
|
|||
}
|
||||
|
||||
module "vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
source = "../../../../modules/net-vpc"
|
||||
project_id = module.project.project_id
|
||||
name = "${var.prefix}-vpc"
|
||||
subnets = [
|
||||
|
|
@ -53,7 +53,7 @@ module "vpc" {
|
|||
}
|
||||
|
||||
module "firewall" {
|
||||
source = "../../../modules/net-vpc-firewall"
|
||||
source = "../../../../modules/net-vpc-firewall"
|
||||
project_id = module.project.project_id
|
||||
network = module.vpc.name
|
||||
ingress_rules = {
|
||||
|
|
@ -73,7 +73,7 @@ module "firewall" {
|
|||
}
|
||||
|
||||
module "nat" {
|
||||
source = "../../../modules/net-cloudnat"
|
||||
source = "../../../../modules/net-cloudnat"
|
||||
project_id = module.project.project_id
|
||||
region = var.region
|
||||
name = "default"
|
||||
|
|
@ -118,7 +118,7 @@ resource "google_compute_service_attachment" "service_attachment" {
|
|||
###############################################################################
|
||||
|
||||
module "service-account-squid" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
source = "../../../../modules/iam-service-account"
|
||||
project_id = module.project.project_id
|
||||
name = "svc-squid"
|
||||
iam_project_roles = {
|
||||
|
|
@ -130,7 +130,7 @@ module "service-account-squid" {
|
|||
}
|
||||
|
||||
module "cos-squid" {
|
||||
source = "../../../modules/cloud-config-container/squid"
|
||||
source = "../../../../modules/cloud-config-container/__need_fixing/squid"
|
||||
allow = var.allowed_domains
|
||||
clients = [var.cidrs.app]
|
||||
squid_config = "${path.module}/squid.conf"
|
||||
|
|
@ -140,7 +140,7 @@ module "cos-squid" {
|
|||
}
|
||||
|
||||
module "squid-vm" {
|
||||
source = "../../../modules/compute-vm"
|
||||
source = "../../../../modules/compute-vm"
|
||||
project_id = module.project.project_id
|
||||
zone = "${var.region}-b"
|
||||
name = "squid-vm"
|
||||
|
|
@ -165,7 +165,7 @@ module "squid-vm" {
|
|||
}
|
||||
|
||||
module "squid-mig" {
|
||||
source = "../../../modules/compute-mig"
|
||||
source = "../../../../modules/compute-mig"
|
||||
project_id = module.project.project_id
|
||||
location = "${var.region}-b"
|
||||
name = "squid-mig"
|
||||
|
|
@ -202,7 +202,7 @@ module "squid-mig" {
|
|||
}
|
||||
|
||||
module "squid-ilb" {
|
||||
source = "../../../modules/net-lb-int"
|
||||
source = "../../../../modules/net-lb-int"
|
||||
project_id = module.project.project_id
|
||||
region = var.region
|
||||
name = "squid-ilb"
|
||||
|
|
@ -41,7 +41,7 @@ You can optionally deploy the Squid server as [Managed Instance Group](https://c
|
|||
|
||||
```hcl
|
||||
module "test1" {
|
||||
source = "./fabric/blueprints/networking/filtering-proxy"
|
||||
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
|
||||
billing_account = "123456-123456-123456"
|
||||
mig = true
|
||||
prefix = "fabric"
|
||||
|
|
@ -52,7 +52,7 @@ module "test1" {
|
|||
|
||||
```hcl
|
||||
module "test2" {
|
||||
source = "./fabric/blueprints/networking/filtering-proxy"
|
||||
source = "./fabric/blueprints/networking/__need_fixing/filtering-proxy"
|
||||
billing_account = "123456-123456-123456"
|
||||
mig = false
|
||||
prefix = "fabric"
|
||||
|
|
@ -27,7 +27,7 @@ locals {
|
|||
###############################################################################
|
||||
|
||||
module "folder-netops" {
|
||||
source = "../../../modules/folder"
|
||||
source = "../../../../modules/folder"
|
||||
parent = var.root_node
|
||||
name = "netops"
|
||||
}
|
||||
|
|
@ -37,7 +37,7 @@ module "folder-netops" {
|
|||
###############################################################################
|
||||
|
||||
module "project-host" {
|
||||
source = "../../../modules/project"
|
||||
source = "../../../../modules/project"
|
||||
billing_account = var.billing_account
|
||||
name = "host"
|
||||
parent = module.folder-netops.id
|
||||
|
|
@ -53,7 +53,7 @@ module "project-host" {
|
|||
}
|
||||
|
||||
module "vpc" {
|
||||
source = "../../../modules/net-vpc"
|
||||
source = "../../../../modules/net-vpc"
|
||||
project_id = module.project-host.project_id
|
||||
name = "vpc"
|
||||
subnets = [
|
||||
|
|
@ -71,7 +71,7 @@ module "vpc" {
|
|||
}
|
||||
|
||||
module "firewall" {
|
||||
source = "../../../modules/net-vpc-firewall"
|
||||
source = "../../../../modules/net-vpc-firewall"
|
||||
project_id = module.project-host.project_id
|
||||
network = module.vpc.name
|
||||
ingress_rules = {
|
||||
|
|
@ -91,7 +91,7 @@ module "firewall" {
|
|||
}
|
||||
|
||||
module "nat" {
|
||||
source = "../../../modules/net-cloudnat"
|
||||
source = "../../../../modules/net-cloudnat"
|
||||
project_id = module.project-host.project_id
|
||||
region = var.region
|
||||
name = "default"
|
||||
|
|
@ -114,7 +114,7 @@ module "nat" {
|
|||
}
|
||||
|
||||
module "private-dns" {
|
||||
source = "../../../modules/dns"
|
||||
source = "../../../../modules/dns"
|
||||
project_id = module.project-host.project_id
|
||||
name = "internal"
|
||||
zone_config = {
|
||||
|
|
@ -134,7 +134,7 @@ module "private-dns" {
|
|||
###############################################################################
|
||||
|
||||
module "service-account-squid" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
source = "../../../../modules/iam-service-account"
|
||||
project_id = module.project-host.project_id
|
||||
name = "svc-squid"
|
||||
iam_project_roles = {
|
||||
|
|
@ -146,13 +146,13 @@ module "service-account-squid" {
|
|||
}
|
||||
|
||||
module "cos-squid" {
|
||||
source = "../../../modules/cloud-config-container/squid"
|
||||
source = "../../../../modules/cloud-config-container/__need_fixing/squid"
|
||||
allow = var.allowed_domains
|
||||
clients = [var.cidrs.apps]
|
||||
}
|
||||
|
||||
module "squid-vm" {
|
||||
source = "../../../modules/compute-vm"
|
||||
source = "../../../../modules/compute-vm"
|
||||
project_id = module.project-host.project_id
|
||||
zone = "${var.region}-b"
|
||||
name = "squid-vm"
|
||||
|
|
@ -177,7 +177,7 @@ module "squid-vm" {
|
|||
|
||||
module "squid-mig" {
|
||||
count = var.mig ? 1 : 0
|
||||
source = "../../../modules/compute-mig"
|
||||
source = "../../../../modules/compute-mig"
|
||||
project_id = module.project-host.project_id
|
||||
location = "${var.region}-b"
|
||||
name = "squid-mig"
|
||||
|
|
@ -206,7 +206,7 @@ module "squid-mig" {
|
|||
|
||||
module "squid-ilb" {
|
||||
count = var.mig ? 1 : 0
|
||||
source = "../../../modules/net-lb-int"
|
||||
source = "../../../../modules/net-lb-int"
|
||||
project_id = module.project-host.project_id
|
||||
region = var.region
|
||||
name = "squid-ilb"
|
||||
|
|
@ -236,7 +236,7 @@ module "squid-ilb" {
|
|||
###############################################################################
|
||||
|
||||
module "folder-apps" {
|
||||
source = "../../../modules/folder"
|
||||
source = "../../../../modules/folder"
|
||||
parent = var.root_node
|
||||
name = "apps"
|
||||
org_policies = {
|
||||
|
|
@ -248,7 +248,7 @@ module "folder-apps" {
|
|||
}
|
||||
|
||||
module "project-app" {
|
||||
source = "../../../modules/project"
|
||||
source = "../../../../modules/project"
|
||||
billing_account = var.billing_account
|
||||
name = "app1"
|
||||
parent = module.folder-apps.id
|
||||
|
|
@ -263,7 +263,7 @@ module "project-app" {
|
|||
}
|
||||
|
||||
module "test-vm" {
|
||||
source = "../../../modules/compute-vm"
|
||||
source = "../../../../modules/compute-vm"
|
||||
project_id = module.project-app.project_id
|
||||
zone = "${var.region}-b"
|
||||
name = "test-vm"
|
||||
|
Before Width: | Height: | Size: 52 KiB After Width: | Height: | Size: 52 KiB |
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -47,6 +47,19 @@ jobs:
|
|||
name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
# # Print JWT token payload, useful for debugging
|
||||
# - id: jwt-debug
|
||||
# name: Print GITHUB_TOKEN payload
|
||||
# shell: python -u {0}
|
||||
# run: |
|
||||
# import base64
|
||||
# import json
|
||||
#
|
||||
# token = '${{ secrets.GITHUB_TOKEN }}'
|
||||
# payload_text = token.split('.')[1]
|
||||
# payload = json.loads(base64.urlsafe_b64decode(payload_text + '=' * (4-len(payload_text) %4)))
|
||||
# print(json.dumps(payload, indent=2))
|
||||
|
||||
# set up SSH key authentication to the modules repository
|
||||
- id: ssh-config
|
||||
name: Configure SSH authentication
|
||||
|
|
|
|||
|
|
@ -48,21 +48,21 @@ module "organization" {
|
|||
description = "Resource management context."
|
||||
iam = {}
|
||||
values = {
|
||||
data = null
|
||||
gke = null
|
||||
networking = null
|
||||
sandbox = null
|
||||
security = null
|
||||
teams = null
|
||||
tenant = null
|
||||
data = {}
|
||||
gke = {}
|
||||
networking = {}
|
||||
sandbox = {}
|
||||
security = {}
|
||||
teams = {}
|
||||
tenant = {}
|
||||
}
|
||||
}
|
||||
(var.tag_names.environment) = {
|
||||
description = "Environment definition."
|
||||
iam = {}
|
||||
values = {
|
||||
development = null
|
||||
production = null
|
||||
development = {}
|
||||
production = {}
|
||||
}
|
||||
}
|
||||
(var.tag_names.tenant) = {
|
||||
|
|
|
|||
|
|
@ -81,6 +81,12 @@ googleapis-restricted:
|
|||
gstatic-all:
|
||||
dns_name: "*.gstatic.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu:
|
||||
dns_name: "kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu-all:
|
||||
dns_name: "*.kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
notebooks-all:
|
||||
dns_name: "*.notebooks.cloud.google.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
|
|
|
|||
|
|
@ -81,6 +81,12 @@ googleapis-restricted:
|
|||
gstatic-all:
|
||||
dns_name: "*.gstatic.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu:
|
||||
dns_name: "kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu-all:
|
||||
dns_name: "*.kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
notebooks-all:
|
||||
dns_name: "*.notebooks.cloud.google.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
|
|
|
|||
|
|
@ -81,6 +81,12 @@ googleapis-restricted:
|
|||
gstatic-all:
|
||||
dns_name: "*.gstatic.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu:
|
||||
dns_name: "kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu-all:
|
||||
dns_name: "*.kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
notebooks-all:
|
||||
dns_name: "*.notebooks.cloud.google.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
|
|
|
|||
|
|
@ -81,6 +81,12 @@ googleapis-restricted:
|
|||
gstatic-all:
|
||||
dns_name: "*.gstatic.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu:
|
||||
dns_name: "kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu-all:
|
||||
dns_name: "*.kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
notebooks-all:
|
||||
dns_name: "*.notebooks.cloud.google.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
|
|
|
|||
|
|
@ -81,6 +81,12 @@ googleapis-restricted:
|
|||
gstatic-all:
|
||||
dns_name: "*.gstatic.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu:
|
||||
dns_name: "kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
kernels-gu-all:
|
||||
dns_name: "*.kernels.googleusercontent.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
notebooks-all:
|
||||
dns_name: "*.notebooks.cloud.google.com."
|
||||
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
|
@ -13,15 +13,15 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.71.0" # tftest
|
||||
version = ">= 5.6.0, < 6.0.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.71.0" # tftest
|
||||
version = ">= 5.6.0, < 6.0.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -237,7 +237,7 @@ module "bigtable-instance" {
|
|||
| [deletion_protection](variables.tf#L56) | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the instance will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [display_name](variables.tf#L63) | The human-readable display name of the Bigtable instance. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L69) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [instance_type](variables.tf#L75) | (deprecated) The instance type to create. One of 'DEVELOPMENT' or 'PRODUCTION'. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L75) | Labels to be attached to the instance. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tables](variables.tf#L91) | Tables to be created in the BigTable instance. | <code title="map(object({ split_keys = optional(list(string), []) column_families = optional(map(object( { gc_policy = optional(object({ deletion_policy = optional(string) gc_rules = optional(string) mode = optional(string) max_age = optional(string) max_version = optional(string) }), null) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -36,12 +36,11 @@ locals {
|
|||
}
|
||||
|
||||
resource "google_bigtable_instance" "default" {
|
||||
project = var.project_id
|
||||
name = var.name
|
||||
|
||||
instance_type = var.instance_type
|
||||
display_name = var.display_name == null ? var.display_name : var.name
|
||||
project = var.project_id
|
||||
name = var.name
|
||||
display_name = coalesce(var.display_name, var.name)
|
||||
deletion_protection = var.deletion_protection
|
||||
labels = var.labels
|
||||
|
||||
dynamic "cluster" {
|
||||
for_each = local.clusters_autoscaling
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
|
|||
|
|
@ -72,10 +72,10 @@ variable "iam" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "instance_type" {
|
||||
description = "(deprecated) The instance type to create. One of 'DEVELOPMENT' or 'PRODUCTION'."
|
||||
type = string
|
||||
default = null
|
||||
variable "labels" {
|
||||
description = "Labels to be attached to the instance."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
@ -25,3 +25,5 @@ terraform {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ These modules are designed for several use cases:
|
|||
- [CoreDNS](./coredns)
|
||||
- [MySQL](./mysql)
|
||||
- [Nginx](./nginx)
|
||||
- [Squid forward proxy](./squid)
|
||||
- On-prem in Docker (*needs fixing*)
|
||||
|
||||
## Using the modules
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ Logging and monitoring are enabled via the [Google Cloud Logging agent](https://
|
|||
|
||||
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
|
||||
|
||||
For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../README.md) for more details on the included instance.
|
||||
For convenience during development or for simple use cases, the module can optionally manage a single instance via the `test_instance` variable. If the instance is not needed the `instance*tf` files can be safely removed. Refer to the [top-level README](../../README.md) for more details on the included instance.
|
||||
|
||||
## Examples
|
||||
|
||||
|
|
@ -24,7 +24,7 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0
|
|||
|
||||
```hcl
|
||||
module "cos-squid" {
|
||||
source = "./fabric/modules/cloud-config-container/squid"
|
||||
source = "./fabric/modules/cloud-config-container/__need_fixing/squid"
|
||||
allow = [".github.com"]
|
||||
clients = ["10.0.0.0/8"]
|
||||
}
|
||||
|
|
@ -43,9 +43,11 @@ module "vm" {
|
|||
google-logging-enabled = true
|
||||
}
|
||||
boot_disk = {
|
||||
image = "projects/cos-cloud/global/images/family/cos-stable"
|
||||
type = "pd-ssd"
|
||||
size = 10
|
||||
initialize_params = {
|
||||
image = "projects/cos-cloud/global/images/family/cos-stable"
|
||||
type = "pd-ssd"
|
||||
size = 10
|
||||
}
|
||||
}
|
||||
tags = ["http-server", "ssh"]
|
||||
}
|
||||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
@ -26,3 +26,4 @@ terraform {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ This NVAs can be used to interconnect up to 8 VPCs.
|
|||
The NVAs run [Container-Optimized OS (COS)](https://cloud.google.com/container-optimized-os/docs). COS is a Linux-based OS designed for running containers. By default, it only allows SSH ingress connections. To see the exact host firewall configuration, run `sudo iptables -L -v`. More info available in the [official](https://cloud.google.com/container-optimized-os/docs/how-to/firewall) documentation.
|
||||
|
||||
To configure the firewall, you can either
|
||||
|
||||
- use the [open_ports](variables.tf#L84) variable
|
||||
- for a thiner grain control, pass a custom bash script at startup with iptables commands
|
||||
|
||||
|
|
@ -55,6 +56,7 @@ module "vm" {
|
|||
zone = "europe-west8-b"
|
||||
name = "cos-nva"
|
||||
network_interfaces = local.network_interfaces
|
||||
can_ip_forward = true
|
||||
metadata = {
|
||||
user-data = module.cos-nva.cloud_config
|
||||
google-logging-enabled = true
|
||||
|
|
@ -75,9 +77,9 @@ module "vm" {
|
|||
|
||||
The sample code brings up [FRRouting](https://frrouting.org/) container.
|
||||
|
||||
```
|
||||
```conf
|
||||
# tftest-file id=frr_conf path=./frr.conf
|
||||
# Example frr.conmf file
|
||||
# Example frr.conf file
|
||||
|
||||
log syslog informational
|
||||
no ipv6 forwarding
|
||||
|
|
@ -86,7 +88,7 @@ router bgp 65001
|
|||
line vty
|
||||
```
|
||||
|
||||
Following code assumes a file in the same folder named frr.conf exists.
|
||||
Following code assumes a file in the same folder named frr.conf exists.
|
||||
|
||||
```hcl
|
||||
locals {
|
||||
|
|
@ -126,6 +128,7 @@ module "vm" {
|
|||
zone = "europe-west8-b"
|
||||
name = "cos-nva"
|
||||
network_interfaces = local.network_interfaces
|
||||
can_ip_forward = true
|
||||
metadata = {
|
||||
user-data = module.cos-nva.cloud_config
|
||||
google-logging-enabled = true
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -303,10 +303,9 @@ module "org" {
|
|||
tags = {
|
||||
environment = {
|
||||
description = "Environment specification."
|
||||
iam = null
|
||||
values = {
|
||||
dev = null
|
||||
prod = null
|
||||
dev = {}
|
||||
prod = {}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -310,27 +310,27 @@ module "cluster-1" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [location](variables.tf#L179) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L290) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L326) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L337) | VPC-level configuration. | <code title="object({ network = string subnetwork = string master_ipv4_cidr_block = optional(string) secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string, "pods") services = optional(string, "services") })) master_authorized_ranges = optional(map(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [location](variables.tf#L211) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L322) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L358) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L369) | VPC-level configuration. | <code title="object({ network = string subnetwork = string master_ipv4_cidr_block = optional(string) secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = optional(string, "pods") services = optional(string, "services") })) master_authorized_ranges = optional(map(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ region = string applications = optional(map(list(string))) encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) namespaces = optional(list(string)) schedule = optional(string) retention_policy_days = optional(number) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(number) })), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ autoscaling_profile = optional(string, "BALANCED") auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) disk_size = optional(number) disk_type = optional(string, "pd-standard") image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) management = optional(object({ auto_repair = optional(bool, true) auto_upgrade = optional(bool, true) })) shielded_instance_config = optional(object({ integrity_monitoring = optional(bool, true) secure_boot = optional(bool, false) })) })) cpu_limits = optional(object({ min = number max = number })) mem_limits = optional(object({ min = number max = number })) gpu_resources = optional(list(object({ resource_type = string min = number max = number }))) })">object({…})</code> | | <code>null</code> |
|
||||
| [deletion_protection](variables.tf#L83) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L90) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L96) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, false) gce_persistent_disk_csi_driver = optional(bool, false) gcp_filestore_csi_driver = optional(bool, false) gcs_fuse_csi_driver = optional(bool, false) horizontal_pod_autoscaling = optional(bool, false) http_load_balancing = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) })">object({…})</code> | | <code title="{ horizontal_pod_autoscaling = true http_load_balancing = true }">{…}</code> |
|
||||
| [enable_features](variables.tf#L120) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ binary_authorization = optional(bool, false) cost_management = optional(bool, false) dns = optional(object({ provider = optional(string) scope = optional(string) domain = optional(string) })) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, false) fqdn_network_policy = optional(bool, false) gateway_api = optional(bool, false) groups_for_rbac = optional(string) image_streaming = optional(bool, false) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ topic_id = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) })">object({…})</code> | | <code title="{ workload_identity = true }">{…}</code> |
|
||||
| [issue_client_certificate](variables.tf#L167) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L173) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L184) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L205) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [max_pods_per_node](variables.tf#L228) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [min_master_version](variables.tf#L234) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L240) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L295) | Node-level configuration. | <code title="object({ boot_disk_kms_key = optional(string) service_account = optional(string) tags = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L305) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [private_cluster_config](variables.tf#L312) | Private cluster configuration. | <code title="object({ enable_private_endpoint = optional(bool) master_global_access = optional(bool) peering_config = optional(object({ export_routes = optional(bool) import_routes = optional(bool) project_id = optional(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [release_channel](variables.tf#L331) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ autoscaling_profile = optional(string, "BALANCED") auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) disk_size = optional(number) disk_type = optional(string, "pd-standard") image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) management = optional(object({ auto_repair = optional(bool, true) auto_upgrade = optional(bool, true) })) shielded_instance_config = optional(object({ integrity_monitoring = optional(bool, true) secure_boot = optional(bool, false) })) upgrade_settings = optional(object({ blue_green = optional(object({ node_pool_soak_duration = optional(string) standard_rollout_policy = optional(object({ batch_percentage = optional(number) batch_node_count = optional(number) batch_soak_duration = optional(string) })) })) surge = optional(object({ max = optional(number) unavailable = optional(number) })) })) })) cpu_limits = optional(object({ min = number max = number })) mem_limits = optional(object({ min = number max = number })) gpu_resources = optional(list(object({ resource_type = string min = number max = number }))) })">object({…})</code> | | <code>null</code> |
|
||||
| [deletion_protection](variables.tf#L115) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> | | <code>true</code> |
|
||||
| [description](variables.tf#L122) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L128) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, false) gce_persistent_disk_csi_driver = optional(bool, false) gcp_filestore_csi_driver = optional(bool, false) gcs_fuse_csi_driver = optional(bool, false) horizontal_pod_autoscaling = optional(bool, false) http_load_balancing = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) })">object({…})</code> | | <code title="{ horizontal_pod_autoscaling = true http_load_balancing = true }">{…}</code> |
|
||||
| [enable_features](variables.tf#L152) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ binary_authorization = optional(bool, false) cost_management = optional(bool, false) dns = optional(object({ provider = optional(string) scope = optional(string) domain = optional(string) })) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, false) fqdn_network_policy = optional(bool, false) gateway_api = optional(bool, false) groups_for_rbac = optional(string) image_streaming = optional(bool, false) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ topic_id = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) })">object({…})</code> | | <code title="{ workload_identity = true }">{…}</code> |
|
||||
| [issue_client_certificate](variables.tf#L199) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L205) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L216) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [maintenance_config](variables.tf#L237) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [max_pods_per_node](variables.tf#L260) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [min_master_version](variables.tf#L266) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L272) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object({ enable_system_metrics = optional(bool, true) enable_api_server_metrics = optional(bool, false) enable_controller_manager_metrics = optional(bool, false) enable_scheduler_metrics = optional(bool, false) enable_daemonset_metrics = optional(bool, false) enable_deployment_metrics = optional(bool, false) enable_hpa_metrics = optional(bool, false) enable_pod_metrics = optional(bool, false) enable_statefulset_metrics = optional(bool, false) enable_storage_metrics = optional(bool, false) enable_managed_prometheus = optional(bool, true) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_config](variables.tf#L327) | Node-level configuration. | <code title="object({ boot_disk_kms_key = optional(string) service_account = optional(string) tags = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [node_locations](variables.tf#L337) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [private_cluster_config](variables.tf#L344) | Private cluster configuration. | <code title="object({ enable_private_endpoint = optional(bool) master_global_access = optional(bool) peering_config = optional(object({ export_routes = optional(bool) import_routes = optional(bool) project_id = optional(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [release_channel](variables.tf#L363) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,13 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
cas = var.cluster_autoscaling
|
||||
cas_apd = try(local.cas.auto_provisioning_defaults, null)
|
||||
cas_apd_us = try(local.cas_apd.upgrade_settings, null)
|
||||
}
|
||||
|
||||
resource "google_container_cluster" "cluster" {
|
||||
provider = google-beta
|
||||
project = var.project_id
|
||||
|
|
@ -40,7 +47,6 @@ resource "google_container_cluster" "cluster" {
|
|||
? "ADVANCED_DATAPATH"
|
||||
: "DATAPATH_PROVIDER_UNSPECIFIED"
|
||||
)
|
||||
|
||||
# the default node pool is deleted here, use the gke-nodepool module instead.
|
||||
# shielded nodes are controlled by the cluster-level enable_features variable
|
||||
node_config {
|
||||
|
|
@ -55,7 +61,6 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
# gcfs_config deactivation need the block to be defined so it can't be dynamic
|
||||
node_pool_defaults {
|
||||
node_config_defaults {
|
||||
|
|
@ -64,7 +69,6 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
addons_config {
|
||||
dns_cache_config {
|
||||
enabled = var.enable_addons.dns_cache
|
||||
|
|
@ -106,81 +110,115 @@ resource "google_container_cluster" "cluster" {
|
|||
enabled = var.backup_configs.enable_backup_agent
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "authenticator_groups_config" {
|
||||
for_each = var.enable_features.groups_for_rbac != null ? [""] : []
|
||||
content {
|
||||
security_group = var.enable_features.groups_for_rbac
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "binary_authorization" {
|
||||
for_each = var.enable_features.binary_authorization ? [""] : []
|
||||
content {
|
||||
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "cost_management_config" {
|
||||
for_each = var.enable_features.cost_management == true ? [""] : []
|
||||
content {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "cluster_autoscaling" {
|
||||
for_each = var.cluster_autoscaling == null ? [] : [""]
|
||||
for_each = local.cas == null ? [] : [""]
|
||||
content {
|
||||
enabled = true
|
||||
|
||||
enabled = true
|
||||
autoscaling_profile = var.cluster_autoscaling.autoscaling_profile
|
||||
|
||||
dynamic "auto_provisioning_defaults" {
|
||||
for_each = var.cluster_autoscaling.auto_provisioning_defaults != null ? [""] : []
|
||||
for_each = local.cas_apd != null ? [""] : []
|
||||
content {
|
||||
boot_disk_kms_key = var.cluster_autoscaling.auto_provisioning_defaults.boot_disk_kms_key
|
||||
disk_size = var.cluster_autoscaling.auto_provisioning_defaults.disk_size
|
||||
disk_type = var.cluster_autoscaling.auto_provisioning_defaults.disk_type
|
||||
image_type = var.cluster_autoscaling.auto_provisioning_defaults.image_type
|
||||
oauth_scopes = var.cluster_autoscaling.auto_provisioning_defaults.oauth_scopes
|
||||
service_account = var.cluster_autoscaling.auto_provisioning_defaults.service_account
|
||||
boot_disk_kms_key = local.cas_apd.boot_disk_kms_key
|
||||
disk_size = local.cas_apd.disk_size
|
||||
disk_type = local.cas_apd.disk_type
|
||||
image_type = local.cas_apd.image_type
|
||||
oauth_scopes = local.cas_apd.oauth_scopes
|
||||
service_account = local.cas_apd.service_account
|
||||
dynamic "management" {
|
||||
for_each = var.cluster_autoscaling.auto_provisioning_defaults.management != null ? [""] : []
|
||||
for_each = local.cas_apd.management != null ? [""] : []
|
||||
content {
|
||||
auto_repair = var.cluster_autoscaling.auto_provisioning_defaults.management.auto_repair
|
||||
auto_upgrade = var.cluster_autoscaling.auto_provisioning_defaults.management.auto_upgrade
|
||||
auto_repair = local.cas_apd.management.auto_repair
|
||||
auto_upgrade = local.cas_apd.management.auto_upgrade
|
||||
}
|
||||
}
|
||||
dynamic "shielded_instance_config" {
|
||||
for_each = var.cluster_autoscaling.auto_provisioning_defaults.shielded_instance_config != null ? [""] : []
|
||||
for_each = local.cas_apd.shielded_instance_config != null ? [""] : []
|
||||
content {
|
||||
enable_integrity_monitoring = var.cluster_autoscaling.auto_provisioning_defaults.shielded_instance_config.integrity_monitoring
|
||||
enable_secure_boot = var.cluster_autoscaling.auto_provisioning_defaults.shielded_instance_config.secure_boot
|
||||
enable_integrity_monitoring = (
|
||||
local.cas_apd.shielded_instance_config.integrity_monitoring
|
||||
)
|
||||
enable_secure_boot = (
|
||||
local.cas_apd.shielded_instance_config.secure_boot
|
||||
)
|
||||
}
|
||||
}
|
||||
dynamic "upgrade_settings" {
|
||||
for_each = local.cas_apd_us != null ? [""] : []
|
||||
content {
|
||||
strategy = (
|
||||
local.cas_apd_us.blue_green != null ? "BLUE_GREEN" : "SURGE"
|
||||
)
|
||||
max_surge = try(local.cas_apd_us.surge.max, null)
|
||||
max_unavailable = try(local.cas_apd_us.surge.unavailable, null)
|
||||
dynamic "blue_green_settings" {
|
||||
for_each = local.cas_apd_us.blue_green != null ? [""] : []
|
||||
content {
|
||||
node_pool_soak_duration = (
|
||||
local.cas_apd_us.blue_green.node_pool_soak_duration
|
||||
)
|
||||
dynamic "standard_rollout_policy" {
|
||||
for_each = (
|
||||
local.cas_apd_us.blue_green.standard_rollout_policy != null
|
||||
? [""]
|
||||
: []
|
||||
)
|
||||
content {
|
||||
batch_node_count = (
|
||||
local.cas_apd_us.blue_green.standard_rollout_policy.batch_node_count
|
||||
)
|
||||
batch_percentage = (
|
||||
local.cas_apd_us.blue_green.standard_rollout_policy.batch_percentage
|
||||
)
|
||||
batch_soak_duration = (
|
||||
local.cas_apd_us.blue_green.standard_rollout_policy.batch_soak_duration
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
dynamic "resource_limits" {
|
||||
for_each = var.cluster_autoscaling.cpu_limits != null ? [""] : []
|
||||
for_each = local.cas.cpu_limits != null ? [""] : []
|
||||
content {
|
||||
resource_type = "cpu"
|
||||
minimum = var.cluster_autoscaling.cpu_limits.min
|
||||
maximum = var.cluster_autoscaling.cpu_limits.max
|
||||
minimum = local.cas.cpu_limits.min
|
||||
maximum = local.cas.cpu_limits.max
|
||||
}
|
||||
}
|
||||
dynamic "resource_limits" {
|
||||
for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
|
||||
for_each = local.cas.mem_limits != null ? [""] : []
|
||||
content {
|
||||
resource_type = "memory"
|
||||
minimum = var.cluster_autoscaling.mem_limits.min
|
||||
maximum = var.cluster_autoscaling.mem_limits.max
|
||||
minimum = local.cas.mem_limits.min
|
||||
maximum = local.cas.mem_limits.max
|
||||
}
|
||||
}
|
||||
dynamic "resource_limits" {
|
||||
for_each = (
|
||||
try(var.cluster_autoscaling.gpu_resources, null) == null
|
||||
try(local.cas.gpu_resources, null) == null
|
||||
? []
|
||||
: var.cluster_autoscaling.gpu_resources
|
||||
: local.cas.gpu_resources
|
||||
)
|
||||
iterator = gpu_resources
|
||||
content {
|
||||
|
|
@ -191,7 +229,6 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "database_encryption" {
|
||||
for_each = var.enable_features.database_encryption != null ? [""] : []
|
||||
content {
|
||||
|
|
@ -199,7 +236,6 @@ resource "google_container_cluster" "cluster" {
|
|||
key_name = var.enable_features.database_encryption.key_name
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "dns_config" {
|
||||
for_each = var.enable_features.dns != null ? [""] : []
|
||||
content {
|
||||
|
|
@ -208,31 +244,36 @@ resource "google_container_cluster" "cluster" {
|
|||
cluster_dns_domain = var.enable_features.dns.domain
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "gateway_api_config" {
|
||||
for_each = var.enable_features.gateway_api ? [""] : []
|
||||
content {
|
||||
channel = "CHANNEL_STANDARD"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "ip_allocation_policy" {
|
||||
for_each = var.vpc_config.secondary_range_blocks != null ? [""] : []
|
||||
content {
|
||||
cluster_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.pods
|
||||
services_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.services
|
||||
stack_type = var.vpc_config.stack_type
|
||||
cluster_ipv4_cidr_block = (
|
||||
var.vpc_config.secondary_range_blocks.pods
|
||||
)
|
||||
services_ipv4_cidr_block = (
|
||||
var.vpc_config.secondary_range_blocks.services
|
||||
)
|
||||
stack_type = var.vpc_config.stack_type
|
||||
}
|
||||
}
|
||||
dynamic "ip_allocation_policy" {
|
||||
for_each = var.vpc_config.secondary_range_names != null ? [""] : []
|
||||
content {
|
||||
cluster_secondary_range_name = var.vpc_config.secondary_range_names.pods
|
||||
services_secondary_range_name = var.vpc_config.secondary_range_names.services
|
||||
stack_type = var.vpc_config.stack_type
|
||||
cluster_secondary_range_name = (
|
||||
var.vpc_config.secondary_range_names.pods
|
||||
)
|
||||
services_secondary_range_name = (
|
||||
var.vpc_config.secondary_range_names.services
|
||||
)
|
||||
stack_type = var.vpc_config.stack_type
|
||||
}
|
||||
}
|
||||
|
||||
# Send GKE cluster logs from chosen sources to Cloud Logging.
|
||||
# System logs must be enabled if any other source is enabled.
|
||||
# This is validated by input variable validation rules.
|
||||
|
|
@ -256,7 +297,6 @@ resource "google_container_cluster" "cluster" {
|
|||
enable_components = []
|
||||
}
|
||||
}
|
||||
|
||||
maintenance_policy {
|
||||
dynamic "daily_maintenance_window" {
|
||||
for_each = (
|
||||
|
|
@ -294,13 +334,11 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
master_auth {
|
||||
client_certificate_config {
|
||||
issue_client_certificate = var.issue_client_certificate
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "master_authorized_networks_config" {
|
||||
for_each = var.vpc_config.master_authorized_ranges != null ? [""] : []
|
||||
content {
|
||||
|
|
@ -314,14 +352,12 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "mesh_certificates" {
|
||||
for_each = var.enable_features.mesh_certificates != null ? [""] : []
|
||||
content {
|
||||
enable_certificates = var.enable_features.mesh_certificates
|
||||
}
|
||||
}
|
||||
|
||||
monitoring_config {
|
||||
enable_components = toset(compact([
|
||||
# System metrics is the minimum requirement if any other metrics are enabled. This is checked by input var validation.
|
||||
|
|
@ -342,7 +378,6 @@ resource "google_container_cluster" "cluster" {
|
|||
enabled = var.monitoring_config.enable_managed_prometheus
|
||||
}
|
||||
}
|
||||
|
||||
# Dataplane V2 has built-in network policies
|
||||
dynamic "network_policy" {
|
||||
for_each = (
|
||||
|
|
@ -355,7 +390,6 @@ resource "google_container_cluster" "cluster" {
|
|||
provider = "CALICO"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "notification_config" {
|
||||
for_each = var.enable_features.upgrade_notifications != null ? [""] : []
|
||||
content {
|
||||
|
|
@ -369,7 +403,6 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "private_cluster_config" {
|
||||
for_each = (
|
||||
var.private_cluster_config != null ? [""] : []
|
||||
|
|
@ -383,21 +416,18 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "pod_security_policy_config" {
|
||||
for_each = var.enable_features.pod_security_policy ? [""] : []
|
||||
content {
|
||||
enabled = var.enable_features.pod_security_policy
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "release_channel" {
|
||||
for_each = var.release_channel != null ? [""] : []
|
||||
content {
|
||||
channel = var.release_channel
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "resource_usage_export_config" {
|
||||
for_each = (
|
||||
try(var.enable_features.resource_usage_export.dataset, null) != null
|
||||
|
|
@ -416,14 +446,12 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "vertical_pod_autoscaling" {
|
||||
for_each = var.enable_features.vertical_pod_autoscaling ? [""] : []
|
||||
content {
|
||||
enabled = var.enable_features.vertical_pod_autoscaling
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "workload_identity_config" {
|
||||
for_each = var.enable_features.workload_identity ? [""] : []
|
||||
content {
|
||||
|
|
@ -436,7 +464,11 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
|
||||
resource "google_gke_backup_backup_plan" "backup_plan" {
|
||||
for_each = var.backup_configs.enable_backup_agent ? var.backup_configs.backup_plans : {}
|
||||
for_each = (
|
||||
var.backup_configs.enable_backup_agent
|
||||
? var.backup_configs.backup_plans
|
||||
: {}
|
||||
)
|
||||
name = each.key
|
||||
cluster = google_container_cluster.cluster.id
|
||||
location = each.value.region
|
||||
|
|
@ -449,19 +481,20 @@ resource "google_gke_backup_backup_plan" "backup_plan" {
|
|||
backup_schedule {
|
||||
cron_schedule = each.value.schedule
|
||||
}
|
||||
|
||||
backup_config {
|
||||
include_volume_data = each.value.include_volume_data
|
||||
include_secrets = each.value.include_secrets
|
||||
|
||||
dynamic "encryption_key" {
|
||||
for_each = each.value.encryption_key != null ? [""] : []
|
||||
content {
|
||||
gcp_kms_encryption_key = each.value.encryption_key
|
||||
}
|
||||
}
|
||||
|
||||
all_namespaces = lookup(each.value, "namespaces", null) != null || lookup(each.value, "applications", null) != null ? null : true
|
||||
all_namespaces = (
|
||||
lookup(each.value, "namespaces", null) != null
|
||||
||
|
||||
lookup(each.value, "applications", null) != null ? null : true
|
||||
)
|
||||
dynamic "selected_namespaces" {
|
||||
for_each = each.value.namespaces != null ? [""] : []
|
||||
content {
|
||||
|
|
|
|||
|
|
@ -54,6 +54,21 @@ variable "cluster_autoscaling" {
|
|||
integrity_monitoring = optional(bool, true)
|
||||
secure_boot = optional(bool, false)
|
||||
}))
|
||||
upgrade_settings = optional(object({
|
||||
blue_green = optional(object({
|
||||
node_pool_soak_duration = optional(string)
|
||||
standard_rollout_policy = optional(object({
|
||||
batch_percentage = optional(number)
|
||||
batch_node_count = optional(number)
|
||||
batch_soak_duration = optional(string)
|
||||
}))
|
||||
}))
|
||||
surge = optional(object({
|
||||
max = optional(number)
|
||||
unavailable = optional(number)
|
||||
}))
|
||||
}))
|
||||
# add validation rule to ensure only one is present if upgrade settings is defined
|
||||
}))
|
||||
cpu_limits = optional(object({
|
||||
min = number
|
||||
|
|
@ -71,13 +86,30 @@ variable "cluster_autoscaling" {
|
|||
})
|
||||
default = null
|
||||
validation {
|
||||
condition = (var.cluster_autoscaling == null ? true : contains(["BALANCED", "OPTIMIZE_UTILIZATION"], var.cluster_autoscaling.autoscaling_profile))
|
||||
condition = (var.cluster_autoscaling == null ? true : contains(
|
||||
["BALANCED", "OPTIMIZE_UTILIZATION"],
|
||||
var.cluster_autoscaling.autoscaling_profile
|
||||
))
|
||||
error_message = "Invalid autoscaling_profile."
|
||||
}
|
||||
validation {
|
||||
condition = (var.cluster_autoscaling == null ? true : contains(["pd-standard", "pd-ssd", "pd-balanced"], var.cluster_autoscaling.auto_provisioning_defaults.disk_type))
|
||||
condition = (
|
||||
var.cluster_autoscaling == null ? true : contains(
|
||||
["pd-standard", "pd-ssd", "pd-balanced"],
|
||||
var.cluster_autoscaling.auto_provisioning_defaults.disk_type)
|
||||
)
|
||||
error_message = "Invalid disk_type."
|
||||
}
|
||||
validation {
|
||||
condition = (
|
||||
try(var.cluster_autoscaling.upgrade_settings, null) == null || (
|
||||
try(var.cluster_autoscaling.upgrade_settings.blue_green, null) == null ? 0 : 1
|
||||
+
|
||||
try(var.cluster_autoscaling.upgrade_settings.surge, null) == null ? 0 : 1
|
||||
) == 1
|
||||
)
|
||||
error_message = "Upgrade settings can only use blue/green or surge."
|
||||
}
|
||||
}
|
||||
|
||||
variable "deletion_protection" {
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 1.4.4"
|
||||
required_version = ">= 1.5.1"
|
||||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue