Move GKE to its own module.
Tom Alexander
3 years ago
parent
a6c408c3c6
commit
9d8a1f2142
GPG Key ID:
D3A179C9A53C0EDE
@ -0,0 +1,198 @@
|
||||
variable "project" {
|
||||
description = "Project ID."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "service_cloudkms" {
|
||||
description = "cloudkms service."
|
||||
}
|
||||
|
||||
output "gke_connect_command" {
|
||||
description = "Command to run to connect to the kubernetes cluster."
|
||||
value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
|
||||
}
|
||||
|
||||
data "google_project" "project" {
|
||||
project_id = var.project
|
||||
}
|
||||
|
||||
#################### KMS ##################################
|
||||
|
||||
resource "random_id" "gke_db" {
|
||||
byte_length = 4
|
||||
}
|
||||
|
||||
resource "google_kms_key_ring" "gke_db" {
|
||||
project = var.project
|
||||
name = "gke-db-${random_id.gke_db.hex}"
|
||||
location = var.region
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
var.service_cloudkms
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_kms_key_ring_iam_policy" "gke_db" {
|
||||
key_ring_id = google_kms_key_ring.gke_db.id
|
||||
policy_data = data.google_iam_policy.gke_db.policy_data
|
||||
|
||||
depends_on = [
|
||||
var.service_cloudkms
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key" "gke_db" {
|
||||
name = "gke-db-key"
|
||||
key_ring = google_kms_key_ring.gke_db.id
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
google_project_service.container
|
||||
]
|
||||
}
|
||||
|
||||
data "google_iam_policy" "gke_db" {
|
||||
binding {
|
||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||
|
||||
members = [
|
||||
"serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
#################### GKE ##################################
|
||||
|
||||
resource "google_project_service" "container" {
|
||||
project = var.project
|
||||
service = "container.googleapis.com"
|
||||
disable_dependent_services = true
|
||||
}
|
||||
|
||||
resource "google_project_service" "containerregistry" {
|
||||
project = var.project
|
||||
service = "containerregistry.googleapis.com"
|
||||
disable_dependent_services = true
|
||||
}
|
||||
|
||||
resource "google_service_account" "gke" {
|
||||
project = var.project
|
||||
account_id = "gke-service-account"
|
||||
display_name = "GKE Service Account"
|
||||
}
|
||||
|
||||
# Allow GKE to access custom docker images in GCR
|
||||
resource "google_storage_bucket_iam_member" "gke_gcr" {
|
||||
bucket = "artifacts.${google_service_account.gke.project}.appspot.com"
|
||||
role = "roles/storage.objectViewer"
|
||||
member = "serviceAccount:${google_service_account.gke.email}"
|
||||
|
||||
depends_on = [
|
||||
google_project_service.containerregistry
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_container_cluster" "primary" {
|
||||
project = var.project
|
||||
name = "gke-cluster"
|
||||
location = var.region
|
||||
|
||||
remove_default_node_pool = true
|
||||
initial_node_count = 1
|
||||
enable_shielded_nodes = true
|
||||
min_master_version = "1.19.10-gke.1000"
|
||||
|
||||
database_encryption {
|
||||
state = "ENCRYPTED"
|
||||
key_name = google_kms_crypto_key.gke_db.self_link
|
||||
}
|
||||
|
||||
maintenance_policy {
|
||||
daily_maintenance_window {
|
||||
start_time = "03:00"
|
||||
}
|
||||
}
|
||||
|
||||
workload_identity_config {
|
||||
identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
|
||||
}
|
||||
|
||||
release_channel {
|
||||
channel = "STABLE"
|
||||
}
|
||||
|
||||
master_auth {
|
||||
username = ""
|
||||
password = ""
|
||||
}
|
||||
|
||||
ip_allocation_policy {
|
||||
cluster_ipv4_cidr_block = "10.1.0.0/16"
|
||||
services_ipv4_cidr_block = "10.2.0.0/20"
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
google_project_service.container,
|
||||
google_kms_key_ring_iam_policy.gke_db
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_container_node_pool" "primary" {
|
||||
project = google_container_cluster.primary.project
|
||||
name_prefix = "node-pool"
|
||||
location = var.region
|
||||
cluster = google_container_cluster.primary.name
|
||||
initial_node_count = 1
|
||||
|
||||
autoscaling {
|
||||
min_node_count = 0
|
||||
max_node_count = 20
|
||||
}
|
||||
|
||||
node_config {
|
||||
preemptible = true
|
||||
machine_type = "e2-medium"
|
||||
|
||||
service_account = google_service_account.gke.email
|
||||
oauth_scopes = [
|
||||
"https://www.googleapis.com/auth/cloud-platform"
|
||||
]
|
||||
|
||||
metadata = {
|
||||
disable-legacy-endpoints = "true"
|
||||
}
|
||||
|
||||
tags = []
|
||||
|
||||
shielded_instance_config {
|
||||
enable_secure_boot = true
|
||||
enable_integrity_monitoring = true
|
||||
}
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
node_count
|
||||
]
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
google_project_service.container
|
||||
]
|
||||
}
|
||||
Loading…
Reference in New Issue