# Workstation cluster
|
|
|
|
This module creates a workstation cluster together with its associated workstation configs and workstations. It also lets you set up IAM bindings on the workstation configs and on the individual workstations.
|
|
|
|
<!-- BEGIN TOC -->
|
|
- [Simple example](#simple-example)
|
|
- [Private cluster](#private-cluster)
|
|
- [Custom image](#custom-image)
|
|
- [IAM](#iam)
|
|
- [Variables](#variables)
|
|
- [Outputs](#outputs)
|
|
<!-- END TOC -->
|
|
|
|
## Simple example
|
|
|
|
Simple example showing how to create a cluster with publicly accessible workstations using the default base image. With `private_cluster_config` left at its default (`enable_private_endpoint = false`) the cluster endpoint is publicly reachable, so access to the workstations depends on the IAM grants described in the [IAM](#iam) section; see [Private cluster](#private-cluster) if a public endpoint is not acceptable.
|
|
|
|
```hcl
|
|
# Minimal cluster: one workstation config holding one workstation, both on
# the default base image.
# NOTE(review): `private_cluster_config` is left at its default
# (`enable_private_endpoint = false`), so the cluster endpoint is public.
# `gce_instance` is also left at its defaults (`disable_public_ip_addresses`
# false, `shielded_instance_config` unset); review both before production use.
module "workstation-cluster" {
  source     = "./fabric/modules/workstation-cluster"
  project_id = var.project_id
  id         = "my-workstation-cluster"
  location   = var.region
  # Network and subnetwork the workstation VMs are attached to.
  network_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
  }
  # Config name -> config; each config holds workstation name -> workstation.
  workstation_configs = {
    my-workstation-config = {
      workstations = {
        my-workstation = {
          labels = {
            team = "my-team"
          }
        }
      }
    }
  }
}
|
|
# tftest modules=1 resources=3 inventory=simple.yaml
|
|
```
|
|
|
|
## Private cluster
|
|
|
|
Example showing how to create a cluster with privately accessible workstations using the default base image. Setting `private_cluster_config.enable_private_endpoint = true` makes the cluster endpoint private; the optional `private_cluster_config.allowed_projects` list (see [Variables](#variables)) restricts which projects may reach that private endpoint.
|
|
|
|
```hcl
|
|
# Same layout as the simple example, but with a private cluster endpoint.
module "workstation-cluster" {
  source     = "./fabric/modules/workstation-cluster"
  project_id = var.project_id
  id         = "my-workstation-cluster"
  location   = var.region
  network_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
  }
  # Private endpoint only. `allowed_projects` (optional list(string)) is left
  # unset here; set it to limit which projects can reach the private endpoint.
  private_cluster_config = {
    enable_private_endpoint = true
  }
  workstation_configs = {
    my-workstation-config = {
      workstations = {
        my-workstation = {
          labels = {
            team = "my-team"
          }
        }
      }
    }
  }
}
|
|
# tftest modules=1 resources=3 inventory=private-cluster.yaml
|
|
```
|
|
|
|
## Custom image
|
|
|
|
Example showing how to create a cluster with publicly accessible workstations that run a custom image. The example references the image by a mutable tag (`v10.0.0`); for production, pin the image by digest (`repo/my-image@sha256:...`) so the workstations always run the exact image you reviewed, and keep secrets out of `container.env`, whose values are plain strings in the configuration.
|
|
|
|
```hcl
|
|
# Cluster whose workstation config runs a custom container image instead of
# the default base image.
module "workstation-cluster" {
  source     = "./fabric/modules/workstation-cluster"
  project_id = var.project_id
  id         = "my-workstation-cluster"
  location   = var.region
  network_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
  }
  workstation_configs = {
    my-workstation-config = {
      container = {
        # NOTE(review): a tag is mutable; pin by digest
        # (`repo/my-image@sha256:...`) for a reproducible, reviewed image.
        image = "repo/my-image:v10.0.0"
        args  = ["--arg1", "value1", "--arg2", "value2"]
        # NOTE(review): plain-string environment; do not put secrets here.
        env = {
          VAR1 = "VALUE1"
          VAR2 = "VALUE2"
        }
        working_dir = "/my-dir"
      }
      workstations = {
        my-workstation = {
          labels = {
            team = "my-team"
          }
        }
      }
    }
  }
}
|
|
# tftest modules=1 resources=3 inventory=custom-image.yaml
|
|
```
|
|
|
|
## IAM
|
|
|
|
Example showing how to grant IAM roles on the workstation configuration or on a single workstation. Note that `roles/viewer` and `roles/editor` are broad basic roles; prefer a predefined role such as `roles/workstations.user` where it suffices, and use conditions (as shown below) to narrow the scope of any grant.
|
|
|
|
```hcl
|
|
# IAM grants at two levels: on a single workstation (`workstations.*.iam`) and
# on the workstation config (`iam`, `iam_bindings`, `iam_bindings_additive`).
module "workstation-cluster" {
  source     = "./fabric/modules/workstation-cluster"
  project_id = var.project_id
  id         = "my-workstation-cluster"
  location   = var.region
  network_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
  }
  workstation_configs = {
    my-workstation-config = {
      workstations = {
        my-workstation = {
          labels = {
            team = "my-team"
          }
          # Predefined Workstations role, scoped to this one workstation.
          iam = {
            "roles/workstations.user" = ["user:user1@my-org.com"]
          }
        }
      }
      # Config-level grants. NOTE(review): roles/viewer and roles/editor are
      # broad basic roles; prefer a predefined role where one suffices.
      iam = {
        "roles/viewer" = ["group:group1@my-org.com"]
      }
      # Keyed bindings with an IAM condition limiting the grant to resources
      # whose name starts with "my-".
      iam_bindings = {
        workstations-config-viewer = {
          role    = "roles/viewer"
          members = ["group:group2@my-org.com"]
          condition = {
            title      = "limited-access"
            expression = "resource.name.startsWith('my-')"
          }
        }
      }
      # Single-member additive binding. NOTE(review): presumably non-authoritative,
      # unlike `iam`/`iam_bindings`; confirm before mixing forms on one role.
      iam_bindings_additive = {
        workstations-config-editor = {
          role   = "roles/editor"
          member = "group:group3@my-org.com"
          condition = {
            title      = "limited-access"
            expression = "resource.name.startsWith('my-')"
          }
        }
      }
    }
  }
}
|
|
# tftest modules=1 resources=7 inventory=iam.yaml
|
|
```
|
|
<!-- BEGIN TFDOC -->
|
|
## Variables
|
|
|
|
| name | description | type | required | default |
|
|
|---|---|:---:|:---:|:---:|
|
|
| [id](variables.tf#L35) | Workstation cluster ID. | <code>string</code> | ✓ | |
|
|
| [network_config](variables.tf#L52) | Network configuration. | <code title="object({ network = string subnetwork = string })">object({…})</code> | ✓ | |
|
|
| [project_id](variables.tf#L70) | Project ID. | <code>string</code> | ✓ | |
|
|
| [workstation_configs](variables.tf#L75) | Workstation configurations. | <code title="map(object({ annotations = optional(map(string)) container = optional(object({ image = optional(string) command = optional(list(string), []) args = optional(list(string), []) working_dir = optional(string) env = optional(map(string), {}) run_as_user = optional(string) })) display_name = optional(string) enable_audit_agent = optional(bool) encryption_key = optional(object({ kms_key = string kms_key_service_account = string })) gce_instance = optional(object({ machine_type = optional(string) service_account = optional(string) service_account_scopes = optional(list(string), []) pool_size = optional(number) boot_disk_size_gb = optional(number) tags = optional(list(string)) disable_public_ip_addresses = optional(bool, false) enable_nested_virtualization = optional(bool, false) shielded_instance_config = optional(object({ enable_secure_boot = optional(bool, false) enable_vtpm = optional(bool, false) enable_integrity_monitoring = optional(bool, false) })) enable_confidential_compute = optional(bool, false) accelerators = optional(list(object({ type = optional(string) count = optional(number) })), []) })) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string })), {}) idle_timeout = optional(string) labels = optional(map(string)) persistent_directories = optional(list(object({ mount_path = optional(string) gce_pd = optional(object({ size_gb = optional(number) fs_type = optional(string) disk_type = optional(string) source_snapshot = optional(string) reclaim_policy = optional(string) })) })), []) running_timeout = optional(string) replica_zones = optional(list(string)) workstations = optional(map(object({ annotations = optional(map(string)) display_name = optional(string) env = optional(map(string)) iam = optional(map(list(string)), {}) iam_bindings 
= optional(map(object({ role = string members = list(string) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string })), {}) labels = optional(map(string)) })), {}) }))">map(object({…}))</code> | ✓ | |
|
|
| [annotations](variables.tf#L17) | Workstation cluster annotations. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [display_name](variables.tf#L23) | Display name. | <code>string</code> | | <code>null</code> |
|
|
| [domain](variables.tf#L29) | Domain. | <code>string</code> | | <code>null</code> |
|
|
| [labels](variables.tf#L40) | Workstation cluster labels. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [location](variables.tf#L46) | Location. | <code>string</code> | | <code>null</code> |
|
|
| [private_cluster_config](variables.tf#L60) | Private cluster config. | <code title="object({ enable_private_endpoint = optional(bool, false) allowed_projects = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
|
|
|
## Outputs
|
|
|
|
| name | description | sensitive |
|
|
|---|---|:---:|
|
|
| [cluster_hostname](outputs.tf#L17) | Cluster hostname. | |
|
|
| [id](outputs.tf#L22) | Workstation cluster id. | |
|
|
| [service_attachment_uri](outputs.tf#L27) | Workstation service attachment URI. | |
|
|
| [workstation_configs](outputs.tf#L32) | Workstation configurations. | |
|
|
| [workstations](outputs.tf#L37) | Workstations. | |
|
|
<!-- END TFDOC -->
|