From b92396d3217d060b52b817d594d1b654babe26f5 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Tue, 13 Jul 2021 01:30:22 -0400
Subject: [PATCH] Switch to using an explicit net/subnet.

---
 terraform/basic_gke/main.tf | 11 +++---
 terraform/modules/gke/gke.tf | 40 +++++++++++++++++++---
 terraform/modules/networking/networking.tf | 17 +++++++++
 3 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/terraform/basic_gke/main.tf b/terraform/basic_gke/main.tf
index b3b267e..eb36c27 100644
--- a/terraform/basic_gke/main.tf
+++ b/terraform/basic_gke/main.tf
@@ -48,6 +48,7 @@ data "google_project" "project" {
 module "networking" {
 source = "../modules/networking"
 project = var.project
+ region = var.region
 }
 
 #################### Workload Identity ####################
@@ -73,10 +74,12 @@ resource "google_project_service" "cloudkms" {
 
 #################### GKE ##################################
 module "gke" {
- source = "../modules/gke"
- project = var.project
- region = var.region
- service_cloudkms = google_project_service.cloudkms
+ source = "../modules/gke"
+ project = var.project
+ region = var.region
+ private_network_id = module.networking.private_network_id
+ private_subnetwork_id = module.networking.private_subnetwork_id
+ service_cloudkms = google_project_service.cloudkms
 
 # depends_on = [
 # module.networking
diff --git a/terraform/modules/gke/gke.tf b/terraform/modules/gke/gke.tf
index f39e01c..79a8980 100644
--- a/terraform/modules/gke/gke.tf
+++ b/terraform/modules/gke/gke.tf
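Review bot: The commented-out `# depends_on = [` / `#   module.networking` lines left below the new arguments in the `module "gke"` hunk (-73/+74) are now dead code: `private_network_id = module.networking.private_network_id` and `private_subnetwork_id = module.networking.private_subnetwork_id` already give Terraform an implicit dependency on `module.networking`, which is what the comment was reserving space for. Delete the comment rather than keep it as a reminder, since a reader may otherwise believe the ordering problem is still open. The `module "gke"` block continues past the end of the hunk.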
@@ -12,6 +12,16 @@ variable "service_cloudkms" {
 description = "cloudkms service."
 }
 
+variable "private_network_id" {
+ description = "Private network id."
+ type = string
+}
+
+variable "private_subnetwork_id" {
+ description = "Private subnetwork id."
+ type = string
+}
+
 output "gke_connect_command" {
 description = "Command to run to connect to the kubernetes cluster."
 value = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
@@ -104,10 +114,30 @@ resource "google_storage_bucket_iam_member" "gke_gcr" {
 ]
 }
 
+resource "google_compute_global_address" "gke_cluster_range" {
+ project = var.project
+ name = "gke-cluster-range"
+ purpose = "VPC_PEERING"
+ address_type = "INTERNAL"
+ prefix_length = 16
+ network = var.private_network_id
+}
+
+resource "google_compute_global_address" "gke_services_range" {
+ project = var.project
+ name = "gke-services-range"
+ purpose = "VPC_PEERING"
+ address_type = "INTERNAL"
+ prefix_length = 20
+ network = var.private_network_id
+}
+
 resource "google_container_cluster" "primary" {
- project = var.project
- name = "gke-cluster"
- location = var.region
+ project = var.project
+ name = "gke-cluster"
+ location = var.region
+ network = var.private_network_id
+ subnetwork = var.private_subnetwork_id
 
 remove_default_node_pool = true
 initial_node_count = 1
@@ -139,8 +169,8 @@ resource "google_container_cluster" "primary" {
 }
 
 ip_allocation_policy {
- cluster_ipv4_cidr_block = "10.1.0.0/16"
- services_ipv4_cidr_block = "10.2.0.0/20"
+ cluster_secondary_range_name = google_compute_global_address.gke_cluster_range.name
+ services_secondary_range_name = google_compute_global_address.gke_services_range.name
 }
 
 lifecycle {
diff --git a/terraform/modules/networking/networking.tf b/terraform/modules/networking/networking.tf
index b85b96e..a4b33a7 100644
--- a/terraform/modules/networking/networking.tf
+++ b/terraform/modules/networking/networking.tf
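Review bot: `cluster_secondary_range_name` and `services_secondary_range_name` in the `ip_allocation_policy` hunk (-139/+169) must name secondary IP ranges declared on the cluster's subnetwork, but the two `google_compute_global_address` resources added in the -104/+114 hunk are `VPC_PEERING`-purpose reservations on the network, not subnet secondary ranges, so the apply is likely to be rejected because `private-subnetwork` has no ranges named `gke-cluster-range` / `gke-services-range`. Those reservations are also not consumed by any `google_service_networking_connection` in this diff, so they hold address space without effect. Either restore the previous `cluster_ipv4_cidr_block` / `services_ipv4_cidr_block` form and drop the two reservations, or declare `secondary_ip_range` blocks on the subnetwork in the networking module and pass their names into this module as plain strings, as sketched below. The `google_container_cluster.primary` block begins in the -104/+114 hunk and continues past the end of the -139/+169 hunk.
```hcl
variable "cluster_secondary_range_name" {
  description = "Name of the subnetwork secondary range used for pod IPs."
  type        = string
}

variable "services_secondary_range_name" {
  description = "Name of the subnetwork secondary range used for service IPs."
  type        = string
}

# … unchanged: google_container_cluster "primary" header, network/subnetwork, node pool settings …

  ip_allocation_policy {
    cluster_secondary_range_name  = var.cluster_secondary_range_name
    services_secondary_range_name = var.services_secondary_range_name
  }
```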
@@ -3,11 +3,21 @@ variable "project" {
 type = string
 }
 
+variable "region" {
+ description = "Region."
+ type = string
+}
+
 output "private_network_id" {
 description = "Private network id."
 value = google_compute_network.private_network.id
 }
 
+output "private_subnetwork_id" {
+ description = "Private subnetwork id."
+ value = google_compute_subnetwork.subnet.id
+}
+
 resource "google_project_service" "servicenetworking" {
 project = var.project
 service = "servicenetworking.googleapis.com"
@@ -23,6 +33,13 @@ resource "google_compute_network" "private_network" {
 ]
 }
 
+resource "google_compute_subnetwork" "subnet" {
+ name = "private-subnetwork"
+ ip_cidr_range = "10.100.0.0/16"
+ region = var.region
+ network = google_compute_network.private_network.id
+}
+
 resource "google_compute_global_address" "private_ip_address" {
 project = google_compute_network.private_network.project
 name = "private-ip-address"
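Review bot: The new `google_compute_subnetwork.subnet` in the -23/+33 hunk sets no `project`, while the adjacent `google_compute_global_address.private_ip_address` pins `project = google_compute_network.private_network.project`; add the same line so the subnet is created in the network's project regardless of provider defaults. The subnet also enables neither `private_ip_google_access` nor VPC flow logs (`log_config`): without the former, nodes without external addresses cannot reach Google APIs such as the registry bucket the gke module grants access to, and without the latter there is no per-flow record to feed detection. If the cluster is meant to use named secondary ranges, this resource is where the `secondary_ip_range` blocks belong (the pod/service CIDRs below are the ones the gke module previously hard-coded), with the range names exported as outputs next to `private_subnetwork_id`.
```hcl
resource "google_compute_subnetwork" "subnet" {
  project                  = google_compute_network.private_network.project
  name                     = "private-subnetwork"
  ip_cidr_range            = "10.100.0.0/16"
  region                   = var.region
  network                  = google_compute_network.private_network.id
  private_ip_google_access = true

  # Pod and service ranges for a VPC-native GKE cluster; referenced by
  # range_name from the cluster's ip_allocation_policy.
  secondary_ip_range {
    range_name    = "gke-cluster-range"
    ip_cidr_range = "10.1.0.0/16"
  }

  secondary_ip_range {
    range_name    = "gke-services-range"
    ip_cidr_range = "10.2.0.0/20"
  }

  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```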