From 9d8a1f21426177e3c2c406d9812c84f03dabef3a Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Tue, 13 Jul 2021 01:10:23 -0400
Subject: [PATCH] Move GKE to its own module.
---
 terraform/basic_gke/main.tf | 181 ++------------------------------
 terraform/modules/gke/gke.tf | 198 +++++++++++++++++++++++++++++++++++
 2 files changed, 208 insertions(+), 171 deletions(-)
 create mode 100644 terraform/modules/gke/gke.tf
diff --git a/terraform/basic_gke/main.tf b/terraform/basic_gke/main.tf
index 751e6b5..b3b267e 100644
--- a/terraform/basic_gke/main.tf
+++ b/terraform/basic_gke/main.tf
@@ -70,183 +70,22 @@ resource "google_project_service" "cloudkms" { disable_dependent_services = true } -resource "random_id" "gke_db" { - byte_length = 4 -} - -resource "google_kms_key_ring" "gke_db" { - project = var.project - name = "gke-db-${random_id.gke_db.hex}" - location = var.region - - lifecycle { - prevent_destroy = true - } - - depends_on = [ - google_project_service.cloudkms - ] -} - -resource "google_kms_key_ring_iam_policy" "gke_db" { - key_ring_id = google_kms_key_ring.gke_db.id - policy_data = data.google_iam_policy.gke_db.policy_data - - depends_on = [ - google_project_service.cloudkms - ] -} - -resource "google_kms_crypto_key" "gke_db" { - name = "gke-db-key" - key_ring = google_kms_key_ring.gke_db.id - - lifecycle { - prevent_destroy = true - } - - depends_on = [ - google_project_service.container - ] -} - -data "google_iam_policy" "gke_db" { - binding { - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - - members = [ - "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com" - ] - } -} - #################### GKE ################################## -resource "google_project_service" "container" { - project = var.project - service = "container.googleapis.com" - disable_dependent_services = true -} +module "gke" { + source = "../modules/gke" + project = var.project + region = var.region + service_cloudkms = google_project_service.cloudkms -resource "google_project_service" "containerregistry" { - project = var.project - service = "containerregistry.googleapis.com" - disable_dependent_services = true -} - -resource "google_service_account" "gke" { - project = var.project - account_id = "gke-service-account" - display_name = "GKE Service Account" -} - -# Allow GKE to access custom docker images in GCR -resource "google_storage_bucket_iam_member" "gke_gcr" { - bucket = "artifacts.${google_service_account.gke.project}.appspot.com" - role = "roles/storage.objectViewer" - member = 
"serviceAccount:${google_service_account.gke.email}" - - depends_on = [ - google_project_service.containerregistry - ] -} - -resource "google_container_cluster" "primary" { - project = var.project - name = "gke-cluster" - location = var.region - - remove_default_node_pool = true - initial_node_count = 1 - enable_shielded_nodes = true - min_master_version = "1.19.10-gke.1000" - - database_encryption { - state = "ENCRYPTED" - key_name = google_kms_crypto_key.gke_db.self_link - } - - maintenance_policy { - daily_maintenance_window { - start_time = "03:00" - } - } - - workload_identity_config { - identity_namespace = "${data.google_project.project.project_id}.svc.id.goog" - } - - release_channel { - channel = "STABLE" - } - - master_auth { - username = "" - password = "" - } - - ip_allocation_policy { - cluster_ipv4_cidr_block = "10.1.0.0/16" - services_ipv4_cidr_block = "10.2.0.0/20" - } - - lifecycle { - prevent_destroy = true - } - - depends_on = [ - google_project_service.container, - google_kms_key_ring_iam_policy.gke_db - ] -} - -resource "google_container_node_pool" "primary" { - project = google_container_cluster.primary.project - name_prefix = "node-pool" - location = var.region - cluster = google_container_cluster.primary.name - initial_node_count = 1 - - autoscaling { - min_node_count = 0 - max_node_count = 20 - } - - node_config { - preemptible = true - machine_type = "e2-medium" - - service_account = google_service_account.gke.email - oauth_scopes = [ - "https://www.googleapis.com/auth/cloud-platform" - ] - - metadata = { - disable-legacy-endpoints = "true" - } - - tags = [] - - shielded_instance_config { - enable_secure_boot = true - enable_integrity_monitoring = true - } - } - - lifecycle { - ignore_changes = [ - node_count - ] - } - - depends_on = [ - google_project_service.container - ] + # depends_on = [ + # module.networking + # ] } output "gke_connect_command" { - description = "Command to run to connect to the kubernetes cluster." 
- value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}" + # description = "Command to run to connect to the kubernetes cluster." + value = module.gke.gke_connect_command } #################### SQL ################################## diff --git a/terraform/modules/gke/gke.tf b/terraform/modules/gke/gke.tf new file mode 100644 index 0000000..f39e01c --- /dev/null +++ b/terraform/modules/gke/gke.tf 
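Review bot: The root `gke_connect_command` output in main.tf loses its `description` — it is commented out as `# description = ...` while the value now comes from `module.gke.gke_connect_command`; `description` is valid on a root output, so I'd restore `description = "Command to run to connect to the kubernetes cluster."` rather than leave it as a comment. The commented-out `# depends_on = [ module.networking ]` inside `module "gke"` is dead text: either remove it or add a one-line comment saying when it is meant to be enabled. The module call also passes `service_cloudkms = google_project_service.cloudkms` purely for ordering; if the module's `depends_on = [var.service_cloudkms]` turns out not to validate, `depends_on = [google_project_service.cloudkms]` on the module call itself is the usual replacement.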
@@ -0,0 +1,198 @@ +variable "project" { + description = "Project ID." + type = string +} + +variable "region" { + description = "Region." + type = string +} + +variable "service_cloudkms" { + description = "cloudkms service." +} + +output "gke_connect_command" { + description = "Command to run to connect to the kubernetes cluster." + value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}" +} + +data "google_project" "project" { + project_id = var.project +} + +#################### KMS ################################## + +resource "random_id" "gke_db" { + byte_length = 4 +} + +resource "google_kms_key_ring" "gke_db" { + project = var.project + name = "gke-db-${random_id.gke_db.hex}" + location = var.region + + lifecycle { + prevent_destroy = true + } + + depends_on = [ + var.service_cloudkms + ] +} + +resource "google_kms_key_ring_iam_policy" "gke_db" { + key_ring_id = google_kms_key_ring.gke_db.id + policy_data = data.google_iam_policy.gke_db.policy_data + + depends_on = [ + var.service_cloudkms + ] +} + +resource "google_kms_crypto_key" "gke_db" { + name = "gke-db-key" + key_ring = google_kms_key_ring.gke_db.id + + lifecycle { + prevent_destroy = true + } + + depends_on = [ + google_project_service.container + ] +} + +data "google_iam_policy" "gke_db" { + binding { + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + members = [ + "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com" + ] + } +} + +#################### GKE ################################## + +resource "google_project_service" "container" { + project = var.project + service = "container.googleapis.com" + disable_dependent_services = true +} + +resource "google_project_service" "containerregistry" { + project = var.project + service = "containerregistry.googleapis.com" + disable_dependent_services = true +} + +resource "google_service_account" "gke" { + 
project = var.project + account_id = "gke-service-account" + display_name = "GKE Service Account" +} + +# Allow GKE to access custom docker images in GCR +resource "google_storage_bucket_iam_member" "gke_gcr" { + bucket = "artifacts.${google_service_account.gke.project}.appspot.com" + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.gke.email}" + + depends_on = [ + google_project_service.containerregistry + ] +} + +resource "google_container_cluster" "primary" { + project = var.project + name = "gke-cluster" + location = var.region + + remove_default_node_pool = true + initial_node_count = 1 + enable_shielded_nodes = true + min_master_version = "1.19.10-gke.1000" + + database_encryption { + state = "ENCRYPTED" + key_name = google_kms_crypto_key.gke_db.self_link + } + + maintenance_policy { + daily_maintenance_window { + start_time = "03:00" + } + } + + workload_identity_config { + identity_namespace = "${data.google_project.project.project_id}.svc.id.goog" + } + + release_channel { + channel = "STABLE" + } + + master_auth { + username = "" + password = "" + } + + ip_allocation_policy { + cluster_ipv4_cidr_block = "10.1.0.0/16" + services_ipv4_cidr_block = "10.2.0.0/20" + } + + lifecycle { + prevent_destroy = true + } + + depends_on = [ + google_project_service.container, + google_kms_key_ring_iam_policy.gke_db + ] +} + +resource "google_container_node_pool" "primary" { + project = google_container_cluster.primary.project + name_prefix = "node-pool" + location = var.region + cluster = google_container_cluster.primary.name + initial_node_count = 1 + + autoscaling { + min_node_count = 0 + max_node_count = 20 + } + + node_config { + preemptible = true + machine_type = "e2-medium" + + service_account = google_service_account.gke.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + + metadata = { + disable-legacy-endpoints = "true" + } + + tags = [] + + shielded_instance_config { + enable_secure_boot = 
true + enable_integrity_monitoring = true + } + } + + lifecycle { + ignore_changes = [ + node_count + ] + } + + depends_on = [ + google_project_service.container + ] +}
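Review bot: `google_container_cluster.primary` in the new module declares neither `private_cluster_config` nor `master_authorized_networks_config`, so as written the Kubernetes API endpoint is reachable from any source address and relies on IAM alone; I'd add an authorized-networks block (below, with a placeholder range) or a private endpoint before this module is reused elsewhere. Separately, `google_kms_key_ring.gke_db` and `google_kms_key_ring_iam_policy.gke_db` use `depends_on = [var.service_cloudkms]`; I don't believe Terraform accepts an input variable as a `depends_on` target, so `terraform validate` should be run on this — if it fails, drop those entries and put `depends_on = [google_project_service.cloudkms]` on the `module "gke"` call in main.tf instead. `variable "service_cloudkms"` also has no `type`; since it exists only for ordering, `type = any` plus a description saying so would make the intent clear. Note also that `google_kms_crypto_key.gke_db` waits on `google_project_service.container` rather than the KMS service, which looks like a carried-over copy/paste.
```hcl
resource "google_container_cluster" "primary" {
  # … unchanged: project, name, location, node-pool and version settings …

  # Restrict which networks can reach the control-plane endpoint; IAM still applies on top.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "<OPERATOR_CIDR_PLACEHOLDER>" # constructed placeholder: replace with the admin network range
      display_name = "operators"
    }
  }

  # … unchanged: database_encryption, maintenance_policy, workload_identity_config, release_channel, master_auth, ip_allocation_policy, lifecycle, depends_on …
```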