f62b9362a2
* rename infrastructure folder to networking
* example WIP: VPCs
* move ip forwarding to its own variable in compute-vm module
* add per-instance metadata support to compute-vm module
* ipip tunnels on linux savepoint
* simple multinic gateways example
* remove stale files
* resolve conflicts
* update diagram
* rename folder
* use a template for gw cloud config, rename some resources and files
* Update README.md
* Update README.md
* add basic plan tests for all networking e2e examples
* fix test for foundations/environments e2e example
* fix shared vpc e2e example count error in gke node service account permissions
* use module path for assets in onprem e2e example
* use project id from module in ilb e2e example
* add missing boilerplates in tests
* run examples tests in ci
* update module's README
* rename ilb example
* Update README.md
* fix rp_filter configuration
* README
* Update README.md
* Update README.md
* Update README.md
* update CHANGELOG
* update CHANGELOG
* Update README.md
Files in this example:

* README.md
* backend.tf.sample
* diagram.gcpdraw
* diagram.png
* main.tf
* outputs.tf
* variables.tf
* versions.tf
# Shared VPC with GKE example
This sample creates a basic Shared VPC setup using one host project and two service projects, each with a specific subnet in the shared VPC. The setup also includes the specific IAM-level configurations needed for GKE on Shared VPC to enable cluster creation in one of the two service projects.
The sample has been purposefully kept simple so that it can be used as a basis for different Shared VPC configurations. This is the high-level diagram (`diagram.png`):
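The IAM configuration the paragraph above refers to is what usually goes wrong when GKE is first moved onto a Shared VPC, so here it is spelled out as an added example. This is not the example's own `main.tf` and does not use its modules; it assumes inputs `var.prefix`, `var.host_project_id`, `var.gke_project_id`, `var.gke_project_number`, `var.region`, and a subnet named `${var.prefix}-gke` already present in the host project's VPC. The service agent address formats are Google's; the project number is an assumed input.

```hcl
# Added example, not part of this repository's code.
# Assumed inputs: var.prefix, var.host_project_id, var.gke_project_id,
# var.gke_project_number, var.region.

locals {
  # The two service agents GKE uses from the service project. Both need to
  # be able to use the subnet the cluster is created in.
  gke_service_agent = "serviceAccount:service-${var.gke_project_number}@container-engine-robot.iam.gserviceaccount.com"
  cloud_services_sa = "serviceAccount:${var.gke_project_number}@cloudservices.gserviceaccount.com"
}

# Enable Shared VPC on the host project and attach the GKE service project.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}

resource "google_compute_shared_vpc_service_project" "gke" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.gke_project_id
}

# Least privilege: grant network user on the one subnet the cluster uses,
# not on the whole host project, so the GKE project cannot place nodes in
# subnets that belong to other service projects.
resource "google_compute_subnetwork_iam_member" "gke_subnet_users" {
  for_each   = toset([local.gke_service_agent, local.cloud_services_sa])
  project    = var.host_project_id
  region     = var.region
  subnetwork = "${var.prefix}-gke"
  role       = "roles/compute.networkUser"
  member     = each.value
}

# The GKE service agent also needs this role on the host project so it can
# manage the firewall rules and routes the cluster requires in the host VPC.
resource "google_project_iam_member" "gke_host_agent_user" {
  project = var.host_project_id
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_service_agent
}
```

A quick check after applying: `gcloud compute networks subnets get-iam-policy` on the GKE subnet should list only the two service agents above with `roles/compute.networkUser`, and the host project's IAM policy should show `roles/container.hostServiceAgentUser` for the GKE service agent alone.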
## Applying the example

The example cannot be applied from scratch with a single `terraform apply` command, as Terraform is unable to manage Shared VPC project registration for multiple projects before those are created and exist in state. To apply the example from scratch, follow this order:

```bash
# first pass: create only the two service projects
terraform apply \
  -target module.project-svc-gce \
  -target module.project-svc-gke
# second pass: everything else, including Shared VPC registration
terraform apply
```

Once the first command has run successfully, the service projects exist in state and can be referenced by the multiple resources in the host project module that manage project registration.
## Accessing the bastion instance and GKE cluster

The bastion VM has no public address, so access is mediated via IAP, which is supported transparently by the `gcloud compute ssh` command. Authentication is via OS Login, set as a project default.

Cluster access from the bastion can leverage the instance service account's `container.developer` role: the only configuration needed is to fetch cluster credentials via `gcloud container clusters get-credentials`, passing the correct cluster name, location and project via command options.
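The access path described above (no external IP, IAP in front of SSH, OS Login, cluster access through the instance service account) condensed into one configuration, as an added example. This is not the example's own `main.tf` and does not use the repository's `compute-vm` module; it assumes inputs `var.gce_project_id`, `var.gke_project_id`, `var.host_project_id`, `var.zone`, the Shared VPC self link `var.vpc_self_link` and the GCE subnet self link `var.gce_subnet_self_link`. The machine type and image are assumed values.

```hcl
# Added example, not part of this repository's code.
# Assumed inputs: var.gce_project_id, var.gke_project_id, var.host_project_id,
# var.zone, var.vpc_self_link, var.gce_subnet_self_link.

# OS Login as the project default: SSH keys and sudo are tied to IAM
# identities instead of metadata-managed keys.
resource "google_compute_project_metadata_item" "oslogin" {
  project = var.gce_project_id
  key     = "enable-oslogin"
  value   = "TRUE"
}

resource "google_service_account" "bastion" {
  project    = var.gce_project_id
  account_id = "bastion"
}

# container.developer on the GKE project is what lets
# `gcloud container clusters get-credentials` and kubectl work from the VM
# without any user credentials being copied onto it.
resource "google_project_iam_member" "bastion_gke_developer" {
  project = var.gke_project_id
  role    = "roles/container.developer"
  member  = "serviceAccount:${google_service_account.bastion.email}"
}

resource "google_compute_instance" "bastion" {
  project      = var.gce_project_id
  name         = "bastion"
  zone         = var.zone
  machine_type = "e2-small" # assumed
  tags         = ["ssh-iap"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11" # assumed image
    }
  }

  # No access_config block inside network_interface: the instance gets no
  # external IP, so the only way in is the IAP tunnel below.
  network_interface {
    subnetwork         = var.gce_subnet_self_link
    subnetwork_project = var.host_project_id
  }

  service_account {
    email  = google_service_account.bastion.email
    scopes = ["cloud-platform"]
  }
}

# The firewall rule lives in the host project because the VPC is shared.
# 35.235.240.0/20 is the range IAP TCP forwarding connects from; port 22
# is not reachable from anywhere else.
resource "google_compute_firewall" "allow_iap_ssh" {
  project       = var.host_project_id
  name          = "allow-iap-ssh"
  network       = var.vpc_self_link
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh-iap"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

With this in place, `gcloud compute ssh bastion --zone ZONE --project GCE_PROJECT --tunnel-through-iap` connects through the tunnel (users also need `roles/iap.tunnelResourceAccessor` on the instance or project), and from the VM `gcloud container clusters get-credentials CLUSTER --region REGION --project GKE_PROJECT` writes a kubeconfig backed by the instance service account. Since there is no `0.0.0.0/0` rule on port 22, a useful detection check is a periodic scan of the host project's firewall rules for any rule that allows tcp:22 from a source range other than `35.235.240.0/20`.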
## Destroying

There's a minor glitch that can surface when running `terraform destroy`, where the service project attachments to the Shared VPC do not get destroyed even though the relevant API call succeeds. We are investigating the issue; in the meantime, just manually remove the attachment in the Cloud console or via the `gcloud beta compute shared-vpc associated-projects remove` command when `terraform destroy` fails, and then relaunch the command.
## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| billing_account_id | Billing account id used as default for new projects. | string | ✓ | |
| prefix | Prefix used for resources that need unique names. | string | ✓ | |
| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | string | ✓ | |
| ip_ranges | Subnet IP CIDR ranges. | map(string) | | ... |
| ip_secondary_ranges | Secondary IP CIDR ranges. | map(string) | | ... |
| owners_gce | GCE project owners, in IAM format. | list(string) | | [] |
| owners_gke | GKE project owners, in IAM format. | list(string) | | [] |
| owners_host | Host project owners, in IAM format. | list(string) | | [] |
| private_service_ranges | Private service IP CIDR ranges. | map(string) | | ... |
| project_services | Service APIs enabled by default in new projects. | list(string) | | ... |
| region | Region used. | string | | europe-west1 |
## Outputs

| name | description | sensitive |
|---|---|---|
| gke_clusters | GKE clusters information. | |
| projects | Project ids. | |
| service_accounts | GCE and GKE service accounts. | |
| vms | GCE VMs. | |
| vpc | Shared VPC. | |