/*
Copyright 2018 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Looks up the Google Kubernetes Engine (GKE) versions available in var.zone for var.project.
// https://www.terraform.io/docs/providers/google/d/google_container_engine_versions.html
// NOTE(review): the cluster resource below pins min_master_version to this source's
// latest_master_version, so the version resolved here can change from one plan to the
// next; a fixed version (or a release channel) would make applies reproducible — confirm
// which behaviour the tutorial intends.
data "google_container_engine_versions" "on-prem" {
location = var.zone
project = var.project
}
// Cluster resource reference: https://www.terraform.io/docs/providers/google/r/google_container_cluster.html
// The modules below build what the cluster at the bottom of this file depends on: the VPC
// and subnet, the firewall rules, and the three admin hosts whose external IPs are
// whitelisted on the cluster's master endpoint.
// Builds the VPC (var.vpc_name) and a subnet in var.region.
// Outputs consumed elsewhere in this file: network_self_link (firewall module, cluster
// network) and subnet_self_link (all three instance modules, cluster subnetwork).
// The module is local (./modules/network); its inputs and defaults are not visible here.
module "network" {
source = "./modules/network"
project = var.project
region = var.region
vpc_name = var.vpc_name
}
// Firewall rules for the VPC, scoped by the network tags in var.bastion_tags.
// NOTE(review): the same var.bastion_tags list is attached to all three instances
// below (bastion, owner and auditor), so whatever ingress this module opens for the
// bastion is also open to the owner and auditor hosts. If those hosts are meant to have
// narrower exposure, give them a separate tag set and a separate rule.
module "firewall" {
source = "./modules/firewall"
project = var.project
// Despite the input name, this receives the network self_link, not the VPC name.
vpc_name = module.network.network_self_link
net_tags = var.bastion_tags
}
// Admin host. Runs as the "admin" service account and is the only instance module
// that sets grant_cluster_admin; the owner and auditor instances omit it. Treat this as
// the highest-privilege host in the tutorial: its external IP is whitelisted on the
// cluster's master endpoint (see master_authorized_networks_config below), and it shares
// the cluster subnet and the bastion network tags with the other two hosts.
// NOTE(review): grant_cluster_admin is passed as the string "1"; whether ./modules/instance
// reads it as a boolean or a count is defined there, not here — confirm before changing it.
module "bastion" {
source = "./modules/instance"
project = var.project
hostname = "gke-tutorial-admin"
machine_type = var.bastion_machine_type
zone = var.zone
tags = var.bastion_tags
cluster_subnet = module.network.subnet_self_link
cluster_name = var.cluster_name
// owner/auditor emails are handed to every instance module; presumably used for
// RBAC bindings created from the host — verify in ./modules/instance.
owner_email = google_service_account.owner.email
auditor_email = google_service_account.auditor.email
service_account_email = google_service_account.admin.email
grant_cluster_admin = "1"
}
// Owner host. Identical to the bastion except that it runs as the "owner" service
// account and does not set grant_cluster_admin. Its external IP is also whitelisted on the
// cluster's master endpoint below, and it carries the same bastion network tags, so the
// firewall module's rules apply to it as well.
module "owner_instance" {
source = "./modules/instance"
project = var.project
hostname = "gke-tutorial-owner"
// Reuses the bastion machine type; there is no separate owner size variable.
machine_type = var.bastion_machine_type
zone = var.zone
tags = var.bastion_tags
cluster_subnet = module.network.subnet_self_link
cluster_name = var.cluster_name
owner_email = google_service_account.owner.email
auditor_email = google_service_account.auditor.email
service_account_email = google_service_account.owner.email
}
// Auditor host. Identical to the bastion except that it runs as the "auditor" service
// account and does not set grant_cluster_admin. Its external IP is whitelisted on the
// cluster's master endpoint below, and it shares the bastion network tags, so any ingress
// the firewall module opens for the bastion is open here too.
module "auditor_instance" {
source = "./modules/instance"
project = var.project
hostname = "gke-tutorial-auditor"
// Reuses the bastion machine type; there is no separate auditor size variable.
machine_type = var.bastion_machine_type
zone = var.zone
tags = var.bastion_tags
cluster_subnet = module.network.subnet_self_link
cluster_name = var.cluster_name
owner_email = google_service_account.owner.email
auditor_email = google_service_account.auditor.email
service_account_email = google_service_account.auditor.email
}
// The tutorial's GKE cluster: single-zone (location = var.zone, no extra node_locations),
// private nodes, NetworkPolicy enforcement via Calico, and a master endpoint reachable
// only from the three admin hosts' external IPs.
resource "google_container_cluster" "primary" {
name = var.cluster_name
project = var.project
location = var.zone
network = module.network.network_self_link
subnetwork = module.network.subnet_self_link
// Floats to whatever the data source reports as latest at plan time; see the note on
// the data source above.
min_master_version = data.google_container_engine_versions.on-prem.latest_master_version
initial_node_count = var.initial_node_count
// Drift on the services secondary range name is ignored; presumably GKE fills this in
// itself once the cluster exists — confirm against the provider docs before removing.
lifecycle {
ignore_changes = [ip_allocation_policy[0].services_secondary_range_name]
}
// No additional zones: the cluster and its nodes live only in var.zone.
node_locations = []
// Access scopes granted to the node VMs' service account.
// NOTE(review): node_config sets no service_account, so the nodes use the provider's
// default identity (the project's default compute service account unless that has been
// changed). The "compute" scope below is the full Compute Engine scope and is much
// broader than the read-only/write-only scopes beside it; any workload that can reach the
// node metadata server inherits it. Review which IAM roles that account holds before
// running anything untrusted on these nodes.
node_config {
oauth_scopes = [
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
]
machine_type = var.node_machine_type
// Container-Optimized OS for the node image.
image_type = "COS"
// (Optional) The Kubernetes labels (key/value pairs) to be applied to each node.
labels = {
status = "poc"
}
// (Optional) The list of instance tags applied to all nodes.
// Tags are used to identify valid sources or targets for network firewalls. Nothing in
// this file defines a rule for the "poc" tag; check ./modules/firewall.
tags = ["poc"]
}
// (Required for private cluster, optional otherwise) Configuration for cluster IP allocation.
// As of now, only pre-allocated subnetworks (custom type with
// secondary ranges) are supported. This will activate IP aliases.
// The "secondary-range" name must match a secondary range created by ./modules/network.
ip_allocation_policy {
cluster_secondary_range_name = "secondary-range"
}
// In a private cluster, the master has two IP addresses, one public and one
// private. Nodes communicate to the master through this private IP address.
// NOTE(review): enable_private_endpoint is not set here, so it stays at the provider
// default and the master keeps its public endpoint; only the authorized-networks list
// below limits who can reach it from the internet.
private_cluster_config {
enable_private_nodes = true
master_ipv4_cidr_block = "10.0.90.0/28"
}
// (Required for private cluster, optional otherwise) network (cidr) from which cluster is accessible.
// Each entry is the /32 external IP of one admin host, taken from the instance modules.
// NOTE(review): if those external IPs are ephemeral (decided in ./modules/instance), an
// instance recreate changes them and this list is stale until the next apply. Also, the
// three hosts sit in the cluster subnet, so they presumably reach the master over its
// private address from inside the VPC; this list governs the public endpoint — confirm
// which path the tutorial relies on.
master_authorized_networks_config {
cidr_blocks {
display_name = "gke-tutorial-admin"
cidr_block = join("/", [module.bastion.external_ip, "32"])
}
cidr_blocks {
display_name = "gke-tutorial-owner"
cidr_block = join("/", [module.owner_instance.external_ip, "32"])
}
cidr_blocks {
display_name = "gke-tutorial-auditor"
cidr_block = join("/", [module.auditor_instance.external_ip, "32"])
}
}
// (Required for Calico, optional otherwise) Configuration options for the NetworkPolicy feature.
// This turns on enforcement only; the NetworkPolicy objects themselves are not defined
// in this file.
network_policy {
enabled = true
provider = "CALICO"
}
// (Required for network_policy enabled cluster, optional otherwise)
// Addons config supports other options as well, see:
// https://www.terraform.io/docs/providers/google/r/container_cluster.html#addons_config
addons_config {
network_policy_config {
disabled = false
}
}
// Cluster create/update/delete can take a long time; give each a generous ceiling.
timeouts {
create = "60m"
update = "60m"
delete = "60m"
}
}