Add workload identity pool.
This commit is contained in:
parent
447c70a271
commit
b6e9923374
54
main.tf
54
main.tf
@ -4,6 +4,10 @@ terraform {
|
||||
source = "hashicorp/google"
|
||||
version = "3.74.0"
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = "3.74.0"
|
||||
}
|
||||
random = {
|
||||
source = "hashicorp/random"
|
||||
version = "3.1.0"
|
||||
@ -39,6 +43,18 @@ data "google_project" "project" {
|
||||
project_id = var.project
|
||||
}
|
||||
|
||||
#################### Workload Identity ####################
|
||||
|
||||
resource "random_id" "identity_pool" {
|
||||
byte_length = 4
|
||||
}
|
||||
|
||||
resource "google_iam_workload_identity_pool" "identity_pool" {
|
||||
provider = google-beta
|
||||
project = var.project
|
||||
workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
|
||||
}
|
||||
|
||||
#################### KMS ##################################
|
||||
|
||||
resource "google_project_service" "cloudkms" {
|
||||
@ -125,6 +141,25 @@ resource "google_container_cluster" "primary" {
|
||||
key_name = google_kms_crypto_key.gke_db.self_link
|
||||
}
|
||||
|
||||
maintenance_policy {
|
||||
daily_maintenance_window {
|
||||
start_time = "03:00"
|
||||
}
|
||||
}
|
||||
|
||||
workload_identity_config {
|
||||
identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
|
||||
}
|
||||
|
||||
release_channel {
|
||||
channel = "STABLE"
|
||||
}
|
||||
|
||||
master_auth {
|
||||
username = ""
|
||||
password = ""
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
google_project_service.container,
|
||||
google_kms_key_ring_iam_policy.gke_db
|
||||
@ -132,15 +167,15 @@ resource "google_container_cluster" "primary" {
|
||||
}
|
||||
|
||||
resource "google_container_node_pool" "primary" {
|
||||
project = google_container_cluster.primary.project
|
||||
name_prefix = "node-pool"
|
||||
location = var.region
|
||||
cluster = google_container_cluster.primary.name
|
||||
initial_node_count = 1
|
||||
project = google_container_cluster.primary.project
|
||||
name_prefix = "node-pool"
|
||||
location = var.region
|
||||
cluster = google_container_cluster.primary.name
|
||||
initial_node_count = 1
|
||||
|
||||
autoscaling {
|
||||
min_node_count = 0
|
||||
max_node_count = 3
|
||||
max_node_count = 20
|
||||
}
|
||||
|
||||
node_config {
|
||||
@ -157,6 +192,11 @@ resource "google_container_node_pool" "primary" {
|
||||
}
|
||||
|
||||
tags = []
|
||||
|
||||
shielded_instance_config {
|
||||
enable_secure_boot = true
|
||||
enable_integrity_monitoring = true
|
||||
}
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
@ -166,5 +206,5 @@ resource "google_container_node_pool" "primary" {
|
||||
|
||||
output "gke_connect_command" {
|
||||
description = "Command to run to connect to the kubernetes cluster."
|
||||
value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
|
||||
value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
|
||||
}
|
||||
|
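Review bot: The cluster now enables Workload Identity through `workload_identity_config`, but the node pool's `node_config` in the `@ -157,6 +192,11 @@` hunk shows no `workload_metadata_config`, and without it pods on that pool keep direct access to the node metadata server and can read the node service account's token, which defeats the isolation Workload Identity is meant to provide. The start of `node_config` lies outside this hunk, so the setting may already be there; if not, add `workload_metadata_config { node_metadata = "GKE_METADATA_SERVER" }` (or `mode = "GKE_METADATA"`, whichever the pinned 3.74.0 provider accepts) next to `shielded_instance_config`. The new `google_iam_workload_identity_pool` is Workload Identity Federation for external identities and is independent of the GKE setting; as committed it has no provider or IAM bindings attached, so a comment above it stating what it is for, e.g. `# Federation pool for non-GKE workloads; bindings and providers are added separately.`, would stop a reader from assuming it is what makes the cluster's Workload Identity work. Raising `max_node_count` from 3 to 20 also widens the pool's blast radius and cost envelope and is worth a mention in the commit description since the title only covers the identity pool.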