# GKE nodepool module

This module allows simplified creation and management of individual GKE nodepools, setting sensible defaults (e.g. a minimal set of OAuth scopes, and optional creation of a dedicated node service account) and allowing for less verbose usage in most use cases.

## Example usage

### Module defaults

If no specific node configuration is set via variables, the module uses the provider's defaults, only setting OAuth scopes to a minimal working set and the node machine type to `n1-standard-1`. The service account set by the provider in this case is the GCE default service account.

```hcl
module "cluster-1-nodepool-1" {
  source       = "./fabric/modules/gke-nodepool"
  project_id   = "myproject"
  cluster_name = "cluster-1"
  location     = "europe-west1-b"
  name         = "nodepool-1"
}
# tftest modules=1 resources=1 inventory=basic.yaml
```

### Node service account

There are three different approaches to defining the node service account, all depending on the `service_account` variable: the `create` attribute controls creation of a new service account by this module, and the `email` attribute controls the actual service account to use. If you create a new service account, its resource and email (in both plain and IAM formats) are then available in outputs to reference it in other modules or resources.

#### GCE default service account

To use the GCE default service account, you can ignore the variable, which is equivalent to `{ create = null, email = null }`. This is what the first example of this document does. Note that the GCE default service account is typically granted the project-wide Editor role, so for anything beyond a test cluster prefer one of the two approaches below and bind only the roles nodes actually need.

#### Externally defined service account

To use an existing service account, pass in just the `email` attribute. If you do this, you will most likely want to use the `cloud-platform` scope; with that scope the node's effective permissions are bounded only by the IAM roles bound to the service account, so keep those minimal.

```hcl
module "cluster-1-nodepool-1" {
  source       = "./fabric/modules/gke-nodepool"
  project_id   = "myproject"
  cluster_name = "cluster-1"
  location     = "europe-west1-b"
  name         = "nodepool-1"
  service_account = {
    email        = "foo-bar@myproject.iam.gserviceaccount.com"
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
# tftest modules=1 resources=1 inventory=external-sa.yaml
```

#### Auto-created service account

To have the module create a service account, set the `create` attribute to `true` and optionally pass the desired account id in `email`.

```hcl
module "cluster-1-nodepool-1" {
  source       = "./fabric/modules/gke-nodepool"
  project_id   = "myproject"
  cluster_name = "cluster-1"
  location     = "europe-west1-b"
  name         = "nodepool-1"
  service_account = {
    create       = true
    email        = "spam-eggs" # optional
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
# tftest modules=1 resources=2 inventory=create-sa.yaml
```

### Node & node pool configuration

```hcl
module "cluster-1-nodepool-1" {
  source       = "./fabric/modules/gke-nodepool"
  project_id   = "myproject"
  cluster_name = "cluster-1"
  location     = "europe-west1-b"
  name         = "nodepool-1"
  labels = {
    environment = "dev"
  }
  service_account = {
    create       = true
    email        = "nodepool-1" # optional
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
  node_config = {
    machine_type        = "n2-standard-2"
    disk_size_gb        = 50
    disk_type           = "pd-ssd"
    ephemeral_ssd_count = 1
    gvnic               = true
    spot                = true
  }
  nodepool_config = {
    autoscaling = {
      max_node_count = 10
      min_node_count = 1
    }
    management = {
      auto_repair  = true
      auto_upgrade = false
    }
  }
}
# tftest modules=1 resources=2 inventory=config.yaml
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [cluster_name](variables.tf#L23) | Cluster name. | string | ✓ | |
| [location](variables.tf#L41) | Cluster location. | string | ✓ | |
| [project_id](variables.tf#L149) | Cluster project id. | string | ✓ | |
| [cluster_id](variables.tf#L17) | Cluster id. Optional, but providing cluster_id is recommended to prevent cluster misconfiguration in some edge cases. | string | | null |
| [gke_version](variables.tf#L28) | Kubernetes nodes version. Ignored if `auto_upgrade` is set in `nodepool_config.management`. | string | | null |
| [labels](variables.tf#L34) | Kubernetes labels applied to each node. | map(string) | | {} |
| [max_pods_per_node](variables.tf#L46) | Maximum number of pods per node. | number | | null |
| [name](variables.tf#L52) | Optional nodepool name. | string | | null |
| [node_config](variables.tf#L58) | Node-level configuration. | object({…}) | | {…} |
| [node_count](variables.tf#L97) | Number of nodes per instance group. The initial value can only be changed by recreation; the current value is ignored when autoscaling is used. | object({…}) | | {…} |
| [node_locations](variables.tf#L109) | Node locations. | list(string) | | null |
| [nodepool_config](variables.tf#L115) | Nodepool-level configuration. | object({…}) | | null |
| [pod_range](variables.tf#L137) | Pod secondary range configuration. | object({…}) | | null |
| [reservation_affinity](variables.tf#L154) | Configuration of the desired reservation which instances could take capacity from. | object({…}) | | null |
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | object({…}) | | {} |
| [sole_tenant_nodegroup](variables.tf#L175) | Sole tenant node group. | string | | null |
| [tags](variables.tf#L181) | Network tags applied to nodes. | list(string) | | null |
| [taints](variables.tf#L187) | Kubernetes taints applied to all nodes. | list(object({…})) | | null |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [id](outputs.tf#L17) | Fully qualified nodepool id. | |
| [name](outputs.tf#L22) | Nodepool name. | |
| [service_account_email](outputs.tf#L27) | Service account email. | |
| [service_account_iam_email](outputs.tf#L32) | Service account email in IAM format (`serviceAccount:` prefix). | |
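The following is an added example, not code from this module's own README or source: it combines the auto-created service account with the `service_account_iam_email` output listed above to bind only the roles GKE nodes need for logging, monitoring and image pulls. The module's documentation does not state which roles (if any) it grants to a created account, so this example assumes none and binds them explicitly; the project id, nodepool name and the exact role set are assumptions for illustration.

```hcl
# Added example, not part of the gke-nodepool module. Creates a dedicated node
# service account through the module and binds a least-privilege role set to
# it via google_project_iam_member, using the module's IAM-format email output.

locals {
  project_id = "myproject" # assumed

  # Assumed minimal role set for a GKE node service account: write logs and
  # metrics, report node metadata, and pull images from Artifact Registry.
  # Nothing here grants access to other workloads' data or to the project.
  node_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
    "roles/artifactregistry.reader",
  ]
}

module "cluster-1-nodepool-1" {
  source       = "./fabric/modules/gke-nodepool"
  project_id   = local.project_id
  cluster_name = "cluster-1"
  location     = "europe-west1-b"
  name         = "nodepool-1"
  service_account = {
    create       = true
    email        = "nodepool-1" # account id of the created service account
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}

# One non-authoritative binding per role, so other members of the same role
# on the project are left untouched. The member is already in the
# "serviceAccount:<email>" form expected by IAM bindings.
resource "google_project_iam_member" "nodepool_sa" {
  for_each = toset(local.node_sa_roles)
  project  = local.project_id
  role     = each.value
  member   = module.cluster-1-nodepool-1.service_account_iam_email
}
```

Because the `cloud-platform` scope does not restrict anything on its own, the role bindings above are what actually bound what a compromised pod with node credentials can do. After applying, `gcloud container node-pools describe nodepool-1 --cluster cluster-1 --zone europe-west1-b --format 'value(config.serviceAccount,config.oauthScopes)'` confirms that the nodepool runs as the dedicated account rather than the GCE default one.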