infra_snippets/terraform/basic_gke/main.tf

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.74.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "3.74.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
    }
  }
}

variable "project" {
  description = "Project ID."
  type        = string
  default     = "hip-wharf-319304"
}

variable "region" {
  description = "Region."
  type        = string
  default     = "us-central1"
}

variable "zone" {
  description = "Zone."
  type        = string
  default     = "us-central1-c"
}

provider "google" {
  project = var.project
  region  = var.region
  zone    = var.zone
}

data "google_project" "project" {
  project_id = var.project
}

#################### Networking ###########################

module "networking" {
  source  = "../modules/networking"
  project = var.project
  region  = var.region
}

#################### Workload Identity ####################

resource "random_id" "identity_pool" {
  byte_length = 4
}

resource "google_iam_workload_identity_pool" "identity_pool" {
  provider                  = google-beta
  project                   = var.project
  workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
}

#################### KMS ##################################

resource "google_project_service" "cloudkms" {
  project                    = var.project
  service                    = "cloudkms.googleapis.com"
  disable_dependent_services = true
}

#################### GKE ##################################

module "gke" {
  source                = "../modules/gke"
  project               = var.project
  region                = var.region
  private_network_id    = module.networking.private_network_id
  private_subnetwork_id = module.networking.private_subnetwork_id
  service_cloudkms      = google_project_service.cloudkms
  machine_type          = "e2-standard-2"

  depends_on = [
    module.networking
  ]
}

output "gke_connect_command" {
  # description = "Command to run to connect to the kubernetes cluster."
  value = module.gke.gke_connect_command
}

#################### SQL ##################################

module "cloudsql" {
  source             = "../modules/cloudsql"
  project            = var.project
  region             = var.region
  private_network_id = module.networking.private_network_id

  depends_on = [
    module.networking
  ]
}

output "cloudsql_ip_address" {
  description = "IP address for cloudsql database."
  value       = module.cloudsql.instance.ip_address.0.ip_address
}

output "cloudsql_server_certificate" {
  description = "CA certificate."
  value       = module.cloudsql.certificate.server_ca_cert
  sensitive   = true
}

output "cloudsql_client_certificate" {
  description = "Client certificate."
  value       = module.cloudsql.certificate.cert
  sensitive   = true
}

output "cloudsql_client_key" {
  description = "Client key."
  value       = module.cloudsql.certificate.private_key
  sensitive   = true
}

resource "local_file" "pgserver_crt" {
  sensitive_content    = module.cloudsql.certificate.server_ca_cert
  filename             = "${path.module}/pgserver.crt"
  file_permission      = "0600"
  directory_permission = "0700"
}

resource "local_file" "pgclient_crt" {
  sensitive_content    = module.cloudsql.certificate.cert
  filename             = "${path.module}/pgclient.crt"
  file_permission      = "0600"
  directory_permission = "0700"
}

resource "local_file" "pgclient_key" {
  sensitive_content    = module.cloudsql.certificate.private_key
  filename             = "${path.module}/pgclient.key"
  file_permission      = "0600"
  directory_permission = "0700"
}

# Create a workload identity service account for IAM authentication to
# cloudsql
module "cloudsql_test_sa" {
  source              = "../modules/workload_identity_account"
  project             = var.project
  k8s_service_account = "test-sa"
}

#################### Redis ################################

module "redis" {
  source             = "../modules/redis"
  project            = var.project
  region             = var.region
  private_network_id = module.networking.private_network_id

  depends_on = [
    module.networking
  ]
}

output "redis_host" {
  description = "Hostname/IP Address for redis database."
  value       = module.redis.redis_host
}

output "redis_port" {
  description = "Port for redis database."
  value       = module.redis.redis_port
}
Database encryption working. 2021-07-09 01:54:20 +00:00			`terraform {`
			`required_providers {`
			`google = {`
			`source = "hashicorp/google"`
			`version = "3.74.0"`
			`}`
Add workload identity pool. 2021-07-09 05:54:13 +00:00			`google-beta = {`
			`source = "hashicorp/google-beta"`
			`version = "3.74.0"`
			`}`
Database encryption working. 2021-07-09 01:54:20 +00:00			`random = {`
			`source = "hashicorp/random"`
			`version = "3.1.0"`
			`}`
			`}`
			`}`

Initial cluster setup. 2021-07-09 00:30:19 +00:00			`variable "project" {`
			`description = "Project ID."`
			`type = string`
Fix cluster auto-scaling. 2021-07-09 04:50:48 +00:00			`default = "hip-wharf-319304"`
Initial cluster setup. 2021-07-09 00:30:19 +00:00			`}`

			`variable "region" {`
			`description = "Region."`
			`type = string`
			`default = "us-central1"`
			`}`

			`variable "zone" {`
			`description = "Zone."`
			`type = string`
			`default = "us-central1-c"`
			`}`

			`provider "google" {`
			`project = var.project`
			`region = var.region`
			`zone = var.zone`
			`}`

Database encryption working. 2021-07-09 01:54:20 +00:00			`data "google_project" "project" {`
Fix cluster auto-scaling. 2021-07-09 04:50:48 +00:00			`project_id = var.project`
Database encryption working. 2021-07-09 01:54:20 +00:00			`}`

Starting a networking module to get a private ip address for cloudsql. 2021-07-12 04:40:01 +00:00			`#################### Networking ###########################`

			`module "networking" {`
			`source = "../modules/networking"`
			`project = var.project`
Switch to using an explicit net/subnet. 2021-07-13 05:30:22 +00:00			`region = var.region`
Starting a networking module to get a private ip address for cloudsql. 2021-07-12 04:40:01 +00:00			`}`

Add workload identity pool. 2021-07-09 05:54:13 +00:00			`#################### Workload Identity ####################`

			`resource "random_id" "identity_pool" {`
			`byte_length = 4`
			`}`

			`resource "google_iam_workload_identity_pool" "identity_pool" {`
			`provider = google-beta`
			`project = var.project`
			`workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"`
			`}`

Start of database encryption, permissions not working. 2021-07-09 01:43:49 +00:00			`#################### KMS ##################################`

			`resource "google_project_service" "cloudkms" {`
			`project = var.project`
			`service = "cloudkms.googleapis.com"`
			`disable_dependent_services = true`
			`}`

			`#################### GKE ##################################`

Move GKE to its own module. 2021-07-13 05:10:23 +00:00			`module "gke" {`
Switch to using an explicit net/subnet. 2021-07-13 05:30:22 +00:00			`source = "../modules/gke"`
			`project = var.project`
			`region = var.region`
			`private_network_id = module.networking.private_network_id`
			`private_subnetwork_id = module.networking.private_subnetwork_id`
			`service_cloudkms = google_project_service.cloudkms`
Add machine type variable to GKE. 2021-07-18 22:27:24 +00:00			`machine_type = "e2-standard-2"`
Initial cluster setup. 2021-07-09 00:30:19 +00:00
Fix ip exhaustion by increasing services ip address range. 2021-07-14 00:50:43 +00:00			`depends_on = [`
			`module.networking`
			`]`
Initial cluster setup. 2021-07-09 00:30:19 +00:00			`}`
Fix cluster auto-scaling. 2021-07-09 04:50:48 +00:00
			`output "gke_connect_command" {`
Move GKE to its own module. 2021-07-13 05:10:23 +00:00			`# description = "Command to run to connect to the kubernetes cluster."`
			`value = module.gke.gke_connect_command`
Fix cluster auto-scaling. 2021-07-09 04:50:48 +00:00			`}`
Add a cloudsql instance. 2021-07-12 04:06:49 +00:00
			`#################### SQL ##################################`

			`module "cloudsql" {`
Only use local networking for cloudsql. 2021-07-13 02:25:12 +00:00			`source = "../modules/cloudsql"`
			`project = var.project`
			`region = var.region`
			`private_network_id = module.networking.private_network_id`

			`depends_on = [`
			`module.networking`
			`]`
Add a cloudsql instance. 2021-07-12 04:06:49 +00:00			`}`
Add a private redis instance. 2021-07-13 03:15:54 +00:00
Add cloudsql ip address output. 2021-07-19 01:26:21 +00:00			`output "cloudsql_ip_address" {`
			`description = "IP address for cloudsql database."`
			`value = module.cloudsql.instance.ip_address.0.ip_address`
			`}`

Generate a postgresql certificate. 2021-07-19 01:19:08 +00:00			`output "cloudsql_server_certificate" {`
Add cloudsql ip address output. 2021-07-19 01:26:21 +00:00			`description = "CA certificate."`
Generate a postgresql certificate. 2021-07-19 01:19:08 +00:00			`value = module.cloudsql.certificate.server_ca_cert`
			`sensitive = true`
			`}`

			`output "cloudsql_client_certificate" {`
Add cloudsql ip address output. 2021-07-19 01:26:21 +00:00			`description = "Client certificate."`
Generate a postgresql certificate. 2021-07-19 01:19:08 +00:00			`value = module.cloudsql.certificate.cert`
			`sensitive = true`
			`}`

			`output "cloudsql_client_key" {`
Add cloudsql ip address output. 2021-07-19 01:26:21 +00:00			`description = "Client key."`
Generate a postgresql certificate. 2021-07-19 01:19:08 +00:00			`value = module.cloudsql.certificate.private_key`
			`sensitive = true`
			`}`

			`resource "local_file" "pgserver_crt" {`
			`sensitive_content = module.cloudsql.certificate.server_ca_cert`
			`filename = "${path.module}/pgserver.crt"`
			`file_permission = "0600"`
			`directory_permission = "0700"`
			`}`

			`resource "local_file" "pgclient_crt" {`
			`sensitive_content = module.cloudsql.certificate.cert`
			`filename = "${path.module}/pgclient.crt"`
			`file_permission = "0600"`
			`directory_permission = "0700"`
			`}`

			`resource "local_file" "pgclient_key" {`
			`sensitive_content = module.cloudsql.certificate.private_key`
			`filename = "${path.module}/pgclient.key"`
			`file_permission = "0600"`
			`directory_permission = "0700"`
			`}`

Start a module for creating a workload identity service account. 2021-07-18 20:55:55 +00:00			`# Create a workload identity service account for IAM authentication to`
			`# cloudsql`
			`module "cloudsql_test_sa" {`
Create the google service account. 2021-07-18 21:03:14 +00:00			`source = "../modules/workload_identity_account"`
			`project = var.project`
			`k8s_service_account = "test-sa"`
Start a module for creating a workload identity service account. 2021-07-18 20:55:55 +00:00			`}`

Add a private redis instance. 2021-07-13 03:15:54 +00:00			`#################### Redis ################################`

			`module "redis" {`
			`source = "../modules/redis"`
			`project = var.project`
			`region = var.region`
			`private_network_id = module.networking.private_network_id`

			`depends_on = [`
			`module.networking`
			`]`
			`}`

			`output "redis_host" {`
			`description = "Hostname/IP Address for redis database."`
			`value = module.redis.redis_host`
			`}`

			`output "redis_port" {`
			`description = "Port for redis database."`
			`value = module.redis.redis_port`
			`}`