Add workload identity pool.

3 years ago · b6e9923374
parent 447c70a271
commit b6e9923374
1 changed files with 47 additions and 7 deletions
--- a/main.tf
+++ b/main.tf
@ -4,6 +4,10 @@ terraform {
      source  = "hashicorp/google"
      version = "3.74.0"
    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "3.74.0"
+    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
@ -39,6 +43,18 @@ data "google_project" "project" {
  project_id = var.project
 }

+#################### Workload Identity ####################
+
+resource "random_id" "identity_pool" {
+  byte_length = 4
+}
+
+resource "google_iam_workload_identity_pool" "identity_pool" {
+  provider                  = google-beta
+  project                   = var.project
+  workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
+}
+
 #################### KMS ##################################

 resource "google_project_service" "cloudkms" {
@ -125,6 +141,25 @@ resource "google_container_cluster" "primary" {
    key_name = google_kms_crypto_key.gke_db.self_link
  }

+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = "03:00"
+    }
+  }
+
+  workload_identity_config {
+    identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
+  }
+
+  release_channel {
+    channel = "STABLE"
+  }
+
+  master_auth {
+    username = ""
+    password = ""
+  }
+
  depends_on = [
    google_project_service.container,
    google_kms_key_ring_iam_policy.gke_db
@ -132,15 +167,15 @@ resource "google_container_cluster" "primary" {
 }

 resource "google_container_node_pool" "primary" {
-  project     = google_container_cluster.primary.project
-  name_prefix = "node-pool"
-  location    = var.region
-  cluster     = google_container_cluster.primary.name
-  initial_node_count       = 1
+  project            = google_container_cluster.primary.project
+  name_prefix        = "node-pool"
+  location           = var.region
+  cluster            = google_container_cluster.primary.name
+  initial_node_count = 1

  autoscaling {
    min_node_count = 0
-    max_node_count = 3
+    max_node_count = 20
  }

  node_config {
@ -157,6 +192,11 @@ resource "google_container_node_pool" "primary" {
    }

    tags = []
+
+    shielded_instance_config {
+      enable_secure_boot          = true
+      enable_integrity_monitoring = true
+    }
  }

  depends_on = [
@ -166,5 +206,5 @@ resource "google_container_node_pool" "primary" {

 output "gke_connect_command" {
  description = "Command to run to connect to the kubernetes cluster."
-  value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
+  value       = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
 }