|
|
|
|
@ -121,12 +121,29 @@ resource "google_project_service" "container" {
|
|
|
|
|
disable_dependent_services = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_project_service" "containerregistry" {
|
|
|
|
|
project = var.project
|
|
|
|
|
service = "containerregistry.googleapis.com"
|
|
|
|
|
disable_dependent_services = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_service_account" "gke" {
|
|
|
|
|
project = var.project
|
|
|
|
|
account_id = "gke-service-account"
|
|
|
|
|
display_name = "GKE Service Account"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Allow GKE to access custom docker images in GCR
|
|
|
|
|
resource "google_storage_bucket_iam_member" "gke_gcr" {
|
|
|
|
|
bucket = "artifacts.${google_service_account.gke.project}.appspot.com"
|
|
|
|
|
role = "roles/storage.objectViewer"
|
|
|
|
|
member = "serviceAccount:${google_service_account.gke.email}"
|
|
|
|
|
|
|
|
|
|
depends_on = [
|
|
|
|
|
google_project_service.containerregistry
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_container_cluster" "primary" {
|
|
|
|
|
project = var.project
|
|
|
|
|
name = "gke-cluster"
|
|
|
|
|
@ -135,6 +152,7 @@ resource "google_container_cluster" "primary" {
|
|
|
|
|
remove_default_node_pool = true
|
|
|
|
|
initial_node_count = 1
|
|
|
|
|
enable_shielded_nodes = true
|
|
|
|
|
min_master_version = "1.19.10-gke.1000"
|
|
|
|
|
|
|
|
|
|
database_encryption {
|
|
|
|
|
state = "ENCRYPTED"
|
|
|
|
|
@ -160,6 +178,15 @@ resource "google_container_cluster" "primary" {
|
|
|
|
|
password = ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ip_allocation_policy {
|
|
|
|
|
cluster_ipv4_cidr_block = "10.1.0.0/16"
|
|
|
|
|
services_ipv4_cidr_block = "10.2.0.0/20"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
lifecycle {
|
|
|
|
|
prevent_destroy = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [
|
|
|
|
|
google_project_service.container,
|
|
|
|
|
google_kms_key_ring_iam_policy.gke_db
|
|
|
|
|
|
Tom Alexander
3 years ago
