Add workload identity pool.

main.tf

@@ -4,6 +4,10 @@ terraform {
       source  = "hashicorp/google"
       version = "3.74.0"
     }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "3.74.0"
+    }
     random = {
       source  = "hashicorp/random"
       version = "3.1.0"
@@ -39,6 +43,18 @@ data "google_project" "project" {
   project_id = var.project
 }
 
+#################### Workload Identity ####################
+
+resource "random_id" "identity_pool" {
+  byte_length = 4
+}
+
+resource "google_iam_workload_identity_pool" "identity_pool" {
+  provider                  = google-beta
+  project                   = var.project
+  workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
+}
+
 #################### KMS ##################################
 
 resource "google_project_service" "cloudkms" {
@@ -125,6 +141,25 @@ resource "google_container_cluster" "primary" {
     key_name = google_kms_crypto_key.gke_db.self_link
   }
 
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = "03:00"
+    }
+  }
+
+  workload_identity_config {
+    identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
+  }
+
+  release_channel {
+    channel = "STABLE"
+  }
+
+  master_auth {
+    username = ""
+    password = ""
+  }
+
   depends_on = [
     google_project_service.container,
     google_kms_key_ring_iam_policy.gke_db
@@ -140,7 +175,7 @@ resource "google_container_node_pool" "primary" {
 
   autoscaling {
     min_node_count = 0
-    max_node_count = 3
+    max_node_count = 20
   }
 
   node_config {
@@ -157,6 +192,11 @@ resource "google_container_node_pool" "primary" {
     }
 
     tags = []
+
+    shielded_instance_config {
+      enable_secure_boot          = true
+      enable_integrity_monitoring = true
+    }
   }
 
   depends_on = [