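# GKE cluster with CMEK-encrypted etcd (Cloud KMS), Shielded nodes and
# Workload Identity. Provider pinned to google 3.74.0; argument names below
# (identity_namespace, node_metadata) are the 3.x spellings.
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.74.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "3.74.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
    }
  }
}

# NOTE: the default is a concrete project id; override it (-var / tfvars)
# rather than committing a real project into shared code.
variable "project" {
  description = "Project ID."
  type        = string
  default     = "hip-wharf-319304"
}

variable "region" {
  description = "Region."
  type        = string
  default     = "us-central1"
}

variable "zone" {
  description = "Zone."
  type        = string
  default     = "us-central1-c"
}

provider "google" {
  project = var.project
  region  = var.region
  zone    = var.zone
}

# Needed for the project number used in the GKE service-agent identity.
data "google_project" "project" {
  project_id = var.project
}

#################### Workload Identity ####################

# Random suffix so the pool id is unique (pool ids cannot be reused for
# 30 days after deletion).
resource "random_id" "identity_pool" {
  byte_length = 4
}

# Workload Identity *Federation* pool (external identities -> GCP).
# This is unrelated to GKE Workload Identity below, which uses the
# implicit "<project>.svc.id.goog" pool; nothing in this file references
# this pool. Kept as-is; remove if it is not used elsewhere.
resource "google_iam_workload_identity_pool" "identity_pool" {
  provider                  = google-beta
  project                   = var.project
  workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
}

#################### KMS ##################################

# disable_dependent_services = true means a destroy of this resource also
# disables every API that depends on KMS. With prevent_destroy on the key
# ring below a plain `terraform destroy` will stop before that point, but
# consider disable_on_destroy = false if the project is shared.
resource "google_project_service" "cloudkms" {
  project                    = var.project
  service                    = "cloudkms.googleapis.com"
  disable_dependent_services = true
}

# Random suffix because key rings are never deleted and names can't be reused.
resource "random_id" "gke_db" {
  byte_length = 4
}

resource "google_kms_key_ring" "gke_db" {
  project  = var.project
  name     = "gke-db-${random_id.gke_db.hex}"
  location = var.region

  # Key rings cannot be deleted in GCP; block accidental destroy plans.
  lifecycle {
    prevent_destroy = true
  }

  depends_on = [google_project_service.cloudkms]
}

# Key protecting etcd secrets for the cluster (application-layer secrets
# encryption). Destroying this key makes the cluster's secrets unreadable,
# hence prevent_destroy. rotation_period creates a new primary version on
# a schedule; old versions stay enabled so existing data remains decryptable.
resource "google_kms_crypto_key" "gke_db" {
  name            = "gke-db-key"
  key_ring        = google_kms_key_ring.gke_db.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    prevent_destroy = true
  }

  depends_on = [google_project_service.cloudkms]
}

# Grant the GKE service agent encrypt/decrypt on this key only.
# A non-authoritative member binding on the crypto key replaces the previous
# authoritative key-ring policy, which (a) covered every key on the ring and
# (b) would have removed any other principal's binding on the ring.
# The service agent (service-<project-number>@container-engine-robot...) only
# exists once the container API is enabled, hence the depends_on.
resource "google_kms_crypto_key_iam_member" "gke_db" {
  crypto_key_id = google_kms_crypto_key.gke_db.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"

  depends_on = [
    google_project_service.cloudkms,
    google_project_service.container,
  ]
}

#################### GKE ##################################

resource "google_project_service" "container" {
  project                    = var.project
  service                    = "container.googleapis.com"
  disable_dependent_services = true
}

# Dedicated node service account (instead of the Compute default SA, which
# is Editor on the project in many setups).
resource "google_service_account" "gke" {
  project      = var.project
  account_id   = "gke-service-account"
  display_name = "GKE Service Account"
}

# Minimum project role for a custom node SA: lets the kubelet write logs,
# metrics and resource metadata. Image-pull access (Artifact Registry /
# GCS reader) is NOT included and must be granted separately if images
# live in this project's registries.
resource "google_project_iam_member" "gke_node_sa" {
  project = var.project
  role    = "roles/container.nodeServiceAccount"
  member  = "serviceAccount:${google_service_account.gke.email}"
}

resource "google_container_cluster" "primary" {
  project  = var.project
  name     = "gke-cluster"
  location = var.region

  # The default node pool is created and immediately removed; real nodes
  # come from google_container_node_pool.primary so their config is explicit.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Shielded nodes: verified boot + vTPM-backed node identity.
  enable_shielded_nodes = true

  # CMEK for Kubernetes secrets stored in etcd.
  database_encryption {
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.gke_db.self_link
  }

  maintenance_policy {
    daily_maintenance_window {
      start_time = "03:00"
    }
  }

  # Enables GKE Workload Identity for the cluster (3.x argument name;
  # `workload_pool` is the newer spelling of the same setting).
  workload_identity_config {
    identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
  }

  release_channel {
    channel = "STABLE"
  }

  # Empty username/password disables basic auth on the API server; also
  # explicitly refuse to issue a cluster-admin client certificate so the
  # only credential path is IAM/OAuth.
  master_auth {
    username = ""
    password = ""

    client_certificate_config {
      issue_client_certificate = false
    }
  }

  # NOTE: the control plane is public (no private_cluster_config /
  # master_authorized_networks_config) and no NetworkPolicy engine is
  # enabled; add those when the cluster serves anything beyond a sandbox.
  depends_on = [
    google_project_service.container,
    google_kms_crypto_key_iam_member.gke_db,
  ]
}

resource "google_container_node_pool" "primary" {
  project            = google_container_cluster.primary.project
  name_prefix        = "node-pool"
  location           = var.region
  cluster            = google_container_cluster.primary.name
  initial_node_count = 1

  autoscaling {
    min_node_count = 0
    max_node_count = 20
  }

  node_config {
    preemptible     = true
    machine_type    = "e2-medium"
    service_account = google_service_account.gke.email

    # Broad OAuth scope is the GKE recommendation when access is controlled
    # by the SA's IAM roles (see google_project_iam_member.gke_node_sa);
    # the GKE metadata server below keeps pods from using this node identity.
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]

    metadata = {
      # Blocks the v1beta1 metadata endpoints that leak the node SA token.
      disable-legacy-endpoints = "true"
    }

    # Run the GKE metadata server on the nodes so workloads get only the
    # identity mapped via Workload Identity, not the node SA token. New
    # pools on a WI-enabled cluster default to this; stated explicitly so
    # the intent survives a cluster-level change.
    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }

    tags = []

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }

  depends_on = [
    google_project_service.container,
    google_project_iam_member.gke_node_sa,
  ]
}

output "gke_connect_command" {
  description = "Command to run to connect to the kubernetes cluster."
  value       = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --region ${var.region} --project ${var.project}"
}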