cloud-foundation-fabric/blueprints/networking/shared-vpc-gke
Ludovico Magnocavallo 819894d2ba
IAM interface refactor (#1595)
2023-08-20 09:44:20 +02:00
README.md

Shared VPC with optional GKE cluster

This sample creates a basic Shared VPC setup using one host project and two service projects, each with a specific subnet in the shared VPC.

The setup also includes the specific IAM-level configurations needed for GKE on Shared VPC in one of the two service projects, and optionally creates a cluster with a single nodepool.
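The host-project IAM referred to above, as an added example written with plain google provider resources rather than the Fabric modules this blueprint uses; the project ids, region and subnet name are assumed placeholders, and the grants are scoped to one subnet so the service project cannot consume other subnets of the shared VPC:

```hcl
# Added example, not the blueprint's own code. Project ids, region and
# subnet name below are assumed placeholders; replace them with yours.
locals {
  host_project = "my-host-project" # assumed
  gke_project  = "my-gke-project"  # assumed
  region       = "europe-west1"
  gke_subnet   = "gke-subnet"      # assumed: the subnet the cluster uses
}

# Project number is needed to address the service project's agents.
data "google_project" "gke" {
  project_id = local.gke_project
}

locals {
  # GKE service agent of the service project (exists once the
  # container API is enabled there) and the Google APIs service agent.
  gke_robot_sa      = "serviceAccount:service-${data.google_project.gke.number}@container-engine-robot.iam.gserviceaccount.com"
  cloud_services_sa = "serviceAccount:${data.google_project.gke.number}@cloudservices.gserviceaccount.com"
}

# networkUser on the single subnet GKE will use, rather than on the whole
# host project: least privilege for the service project on the shared VPC.
resource "google_compute_subnetwork_iam_member" "gke_network_user" {
  for_each   = toset([local.gke_robot_sa, local.cloud_services_sa])
  project    = local.host_project
  region     = local.region
  subnetwork = local.gke_subnet
  role       = "roles/compute.networkUser"
  member     = each.value
}

# hostServiceAgentUser lets the service project's GKE service agent manage
# the firewall rules and routes the cluster needs in the host project.
resource "google_project_iam_member" "gke_host_service_agent" {
  project = local.host_project
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_robot_sa
}
```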

If you only need a basic Shared VPC, or prefer creating a cluster manually, set the cluster_create variable to false.

The sample has been purposefully kept simple so that it can be used as a basis for different Shared VPC configurations. This is the high level diagram:

High-level diagram

Accessing the bastion instance and GKE cluster

The bastion VM has no public address so access is mediated via IAP, which is supported transparently in the gcloud compute ssh command. Authentication is via OS Login set as a project default.

Cluster access from the bastion can leverage the instance service account's container.developer role: the only configuration needed is to fetch cluster credentials via gcloud container clusters get-credentials passing the correct cluster name, location and project via command options.

For convenience, Tinyproxy is installed on the bastion host, allowing kubectl use via IAP from an external client:

# Fetch the cluster credentials into the local kubeconfig
gcloud container clusters get-credentials "${CLUSTER_NAME}" \
  --zone "${CLUSTER_ZONE}" \
  --project "${CLUSTER_PROJECT_NAME}"

# Open an SSH session through IAP in the background (-f -N) that forwards
# local port 8888 to Tinyproxy listening on the bastion
gcloud compute ssh "${BASTION_INSTANCE_NAME}" \
  --project "${CLUSTER_PROJECT_NAME}" \
  --zone "${CLUSTER_ZONE}" \
  -- -L 8888:localhost:8888 -N -q -f

# Run kubectl through the proxy
HTTPS_PROXY=localhost:8888 kubectl get pods

An alias can also be created. For example:

# arguments passed to k are appended to the aliased command
alias k='HTTPS_PROXY=localhost:8888 kubectl'

Destroying

There's a minor glitch that can surface when running terraform destroy: the service project attachments to the Shared VPC are not destroyed even though the relevant API call succeeds. We are investigating the issue; in the meantime, when terraform destroy fails, manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command, then relaunch terraform destroy.

Variables

| name | description | type | required | default |
|---|---|---|:---:|:---:|
| billing_account_id | Billing account id used as default for new projects. | string | ✓ | |
| prefix | Prefix used for resource names. | string | ✓ | |
| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | string | ✓ | |
| cluster_create | Create GKE cluster and nodepool. | bool | | true |
| ip_ranges | Subnet IP CIDR ranges. | map(string) | | {…} |
| ip_secondary_ranges | Secondary IP CIDR ranges. | map(string) | | {…} |
| owners_gce | GCE project owners, in IAM format. | list(string) | | [] |
| owners_gke | GKE project owners, in IAM format. | list(string) | | [] |
| owners_host | Host project owners, in IAM format. | list(string) | | [] |
| private_service_ranges | Private service IP CIDR ranges. | map(string) | | {…} |
| project_services | Service APIs enabled by default in new projects. | list(string) | | […] |
| region | Region used. | string | | "europe-west1" |

Outputs

| name | description | sensitive |
|---|---|:---:|
| gke_clusters | GKE clusters information. | |
| projects | Project ids. | |
| vms | GCE VMs. | |
| vpc | Shared VPC. | |

Test

module "test" {
  source             = "./fabric/blueprints/gke/shared-vpc-gke"
  billing_account_id = "ABCDE-12345-ABCDE"
  prefix             = "test"
  root_node          = "organizations/0123456789"
}
# tftest modules=11 resources=46