From b6e99233741a71706b689660d61aa69e583ab558 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Fri, 9 Jul 2021 01:54:13 -0400
Subject: [PATCH] Add workload identity pool.

---
 main.tf | 54 +++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 47 insertions(+), 7 deletions(-)

diff --git a/main.tf b/main.tf
index 1777406..7d65f9a 100644
--- a/main.tf
+++ b/main.tf
@@ -4,6 +4,10 @@ terraform {
     source = "hashicorp/google"
     version = "3.74.0"
   }
+  google-beta = {
+    source = "hashicorp/google-beta"
+    version = "3.74.0"
+  }
   random = {
     source = "hashicorp/random"
     version = "3.1.0"
@@ -39,6 +43,18 @@ data "google_project" "project" {
   project_id = var.project
 }
 
+#################### Workload Identity ####################
+
+resource "random_id" "identity_pool" {
+  byte_length = 4
+}
+
+resource "google_iam_workload_identity_pool" "identity_pool" {
+  provider = google-beta
+  project = var.project
+  workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
+}
+
 #################### KMS ##################################
 
 resource "google_project_service" "cloudkms" {
@@ -125,6 +141,25 @@ resource "google_container_cluster" "primary" {
       key_name = google_kms_crypto_key.gke_db.self_link
     }
 
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = "03:00"
+    }
+  }
+
+  workload_identity_config {
+    identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
+  }
+
+  release_channel {
+    channel = "STABLE"
+  }
+
+  master_auth {
+    username = ""
+    password = ""
+  }
+
   depends_on = [
     google_project_service.container,
     google_kms_key_ring_iam_policy.gke_db
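Review bot: The new `google_iam_workload_identity_pool.identity_pool` resource sets neither `description` nor `display_name`, so nothing in the configuration records what this pool is for or which external identities are expected to federate through it; adding `description = "<PLACEHOLDER: who federates through this pool and why>"` would give the next reader (and an auditor listing pools) that context. The `random_id` suffix on `workload_identity_pool_id` is presumably there because a deleted pool keeps its ID reserved for a grace period, which would make a fixed ID fail on re-create; that reasoning deserves a one-line comment above `resource "random_id" "identity_pool"`, e.g. `# Random suffix so a re-created pool never collides with a soft-deleted ID.` No `google_iam_workload_identity_pool_provider` is added in this commit, so the pool grants nothing on its own yet; when a provider is introduced, it is the place to pin an `attribute_condition` so only the intended external identities can exchange tokens.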
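Review bot: `workload_identity_config` enables Workload Identity at the cluster level, but the node pool's `node_config` (edited in the `tags = []` hunk later in this patch) gains no `workload_metadata_config` block, so pods on `google_container_node_pool.primary` keep talking to the node's own metadata server and can still obtain the node service account's credentials, and Workload Identity does not actually take effect for them. On the 3.x provider pinned here the fix is three lines inside `node_config`: `workload_metadata_config {` / `  node_metadata = "GKE_METADATA"` / `}`. The empty `master_auth` username and password disable basic auth, which is the right direction; stating that intent in a comment, `# Empty credentials disable basic auth on the API server.`, would keep a later maintainer from "fixing" them. The `google_container_cluster.primary` body begins before this hunk and continues after it.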
@@ -132,15 +167,15 @@ resource "google_container_cluster" "primary" {
 }
 
 resource "google_container_node_pool" "primary" {
-  project = google_container_cluster.primary.project
-  name_prefix = "node-pool"
-  location = var.region
-  cluster = google_container_cluster.primary.name
-  initial_node_count = 1
+  project = google_container_cluster.primary.project
+  name_prefix = "node-pool"
+  location = var.region
+  cluster = google_container_cluster.primary.name
+  initial_node_count = 1
 
   autoscaling {
     min_node_count = 0
-    max_node_count = 3
+    max_node_count = 20
   }
 
   node_config {
@@ -157,6 +192,11 @@ resource "google_container_node_pool" "primary" {
     }
 
     tags = []
+
+    shielded_instance_config {
+      enable_secure_boot = true
+      enable_integrity_monitoring = true
+    }
   }
 
   depends_on = [
@@ -166,5 +206,5 @@ resource "google_container_node_pool" "primary" {
 
 output "gke_connect_command" {
   description = "Command to run to connect to the kubernetes cluster."
-  value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
+  value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
 }
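Review bot: `max_node_count = 20` raises the autoscaler ceiling from 3 with nothing in the change explaining the sizing, and that is the one number here a later reader will want to question (CPU quota, cost exposure, blast radius of a runaway workload). A comment above the line would settle it, e.g. `# Autoscaler ceiling; sized for <PLACEHOLDER: workload> and bounded by project CPU quota — revisit with both.` The five removed/added attribute lines above `autoscaling` appear to differ only in alignment whitespace, which this rendering cannot show. The `google_container_node_pool.primary` block continues past the hunk.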
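Review bot: `shielded_instance_config` hardens only this node pool, and the `tags = []` hunk shows no cluster-level `enable_shielded_nodes` on `google_container_cluster.primary`, whose body lies outside these hunks; if it is not set elsewhere, a node pool added later without this block would run unshielded, since on the 3.x provider pinned here that argument is, as far as I recall, not enabled by default. Adding `enable_shielded_nodes = true` to the cluster resource makes the guarantee cluster-wide rather than per pool. A short comment above the new block, `# Secure Boot + integrity monitoring for node VMs; keep in sync with enable_shielded_nodes on the cluster.`, would tie the two together. The enclosing `node_config` block opens before this hunk.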