Merge branch 'master' into implicit_depends_on

Makefile

@@ -74,12 +74,7 @@ check_headers:
 # Integration tests
 .PHONY: test_integration
 test_integration:
-	bundle install
-	bundle exec kitchen create
-	bundle exec kitchen converge
-	bundle exec kitchen converge
-	bundle exec kitchen verify
-	bundle exec kitchen destroy
+	test/ci_integration.sh
 
 .PHONY: generate_docs
 generate_docs:
@@ -112,15 +107,25 @@ docker_push_kitchen_terraform:
 .PHONY: docker_run
 docker_run:
 	docker run --rm -it \
+		-e COMPUTE_ENGINE_SERVICE_ACCOUNT \
+		-e PROJECT_ID \
+		-e REGION \
+		-e ZONES \
+		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
-		/bin/bash
+		/bin/bash -c "source test/ci_integration.sh && setup_environment && exec /bin/bash"
 
 .PHONY: docker_create
 docker_create: docker_build_kitchen_terraform
 	docker run --rm -it \
+		-e COMPUTE_ENGINE_SERVICE_ACCOUNT \
+		-e PROJECT_ID \
+		-e REGION \
+		-e ZONES \
+		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
@@ -130,6 +135,11 @@ docker_create: docker_build_kitchen_terraform
 .PHONY: docker_converge
 docker_converge:
 	docker run --rm -it \
+		-e COMPUTE_ENGINE_SERVICE_ACCOUNT \
+		-e PROJECT_ID \
+		-e REGION \
+		-e ZONES \
+		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
@@ -139,6 +149,11 @@ docker_converge:
 .PHONY: docker_verify
 docker_verify:
 	docker run --rm -it \
+		-e COMPUTE_ENGINE_SERVICE_ACCOUNT \
+		-e PROJECT_ID \
+		-e REGION \
+		-e ZONES \
+		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
@@ -148,12 +163,25 @@ docker_verify:
 .PHONY: docker_destroy
 docker_destroy:
 	docker run --rm -it \
+		-e COMPUTE_ENGINE_SERVICE_ACCOUNT \
+		-e PROJECT_ID \
+		-e REGION \
+		-e ZONES \
+		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
 		/bin/bash -c "kitchen destroy"
 
 .PHONY: test_integration_docker
-test_integration_docker: docker_create docker_converge docker_verify docker_destroy
-	@echo "Running test-kitchen tests in docker"
+test_integration_docker:
+	docker run --rm -it \
+		-e COMPUTE_ENGINE_SERVICE_ACCOUNT \
+		-e PROJECT_ID \
+		-e REGION \
+		-e ZONES \
+		-e SERVICE_ACCOUNT_JSON \
+		-v $(CURDIR):/cft/workdir \
+		${DOCKER_IMAGE_KITCHEN_TERRAFORM}:${DOCKER_TAG_KITCHEN_TERRAFORM} \
+		/bin/bash -c "test/ci_integration.sh"

README.md

@@ -125,7 +125,7 @@ Then perform the following commands on the root folder:
 | region | The region to host the cluster in (required) | string | - | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `true` | no |
 | remove_default_node_pool | Remove default node pool while setting up the cluster | string | `false` | no |
-| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account | string | `` | no |
+| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account | string | `` | no |
 | stub_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | - | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
@@ -179,6 +179,7 @@ following project roles:
 - roles/compute.viewer
 - roles/container.clusterAdmin
 - roles/container.developer
+- roles/iam.serviceAccountAdmin
 - roles/iam.serviceAccountUser
 
 ### Enable APIs

autogen/README.md

@@ -1,6 +1,6 @@
 # Terraform Kubernetes Engine Module
 
-This module handles opinionated Google Cloud Platform Kubernetes Engine cluster creation and configuration with Node Pools, IP MASQ, Network Policy, etc. {% if private_cluster %}This particular submodule creates a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters){% endif %}
+This module handles opinionated Google Cloud Platform Kubernetes Engine cluster creation and configuration with Node Pools, IP MASQ, Network Policy, etc.{% if private_cluster %} This particular submodule creates a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters){% endif %}
 
 The resources/services/activations/deletions that this module will create/trigger are:
 - Create a GKE cluster with the provided addons
@@ -189,6 +189,7 @@ following project roles:
 - roles/compute.viewer
 - roles/container.clusterAdmin
 - roles/container.developer
+- roles/iam.serviceAccountAdmin
 - roles/iam.serviceAccountUser
 
 ### Enable APIs

autogen/cluster_regional.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
     }
   }
 {% if private_cluster %}
@@ -127,7 +127,7 @@ resource "google_container_node_pool" "pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

autogen/cluster_zonal.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "zonal_primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
     }
   }
 {% if private_cluster %}
@@ -127,7 +127,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

autogen/sa.tf

@@ -0,0 +1,50 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+{{ autogeneration_note }}
+
+locals {
+  service_account_list = "${compact(concat(google_service_account.cluster_service_account.*.email, list("dummy")))}"
+  service_account      = "${var.service_account == "create" ? element(local.service_account_list, 0) : var.service_account}"
+}
+
+resource "google_service_account" "cluster_service_account" {
+  count        = "${var.service_account == "create" ? 1 : 0}"
+  project      = "${var.project_id}"
+  account_id   = "tf-gke-${substr(var.name, 0, min(20, length(var.name)))}"
+  display_name = "Terraform-managed service account for cluster ${var.name}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_service_account.cluster_service_account.project}"
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-log_writer.project}"
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+  count   = "${var.service_account == "create" ? 1 : 0}"
+  project = "${google_project_iam_member.cluster_service_account-metric_writer.project}"
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}

autogen/variables.tf

@@ -208,7 +208,7 @@ variable "monitoring_service" {
 }
 
 variable "service_account" {
-  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account"
+  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account. May also specify `create` to automatically create a cluster-specific service account"
   default     = ""
 }
 {% if private_cluster %}

cluster_regional.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
     }
   }
 
@@ -121,7 +121,7 @@ resource "google_container_node_pool" "pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

cluster_zonal.tf

@@ -81,7 +81,7 @@ resource "google_container_cluster" "zonal_primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
+      service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
     }
   }
 
@@ -108,7 +108,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
   management {
     auto_repair  = "${lookup(var.node_pools[count.index], "auto_repair", true)}"
-    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", false)}"
+    auto_upgrade = "${lookup(var.node_pools[count.index], "auto_upgrade", true)}"
   }
 
   node_config {
@@ -121,7 +121,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", local.service_account)}"
     preemptible     = "${lookup(var.node_pools[count.index], "preemptible", false)}"
 
     oauth_scopes = [

examples/deploy_service/main.tf

@@ -21,6 +21,7 @@ locals {
 provider "google" {
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
+  version     = "~> 1.20"
 }
 
 provider "kubernetes" {
@@ -40,6 +41,8 @@ module "gke" {
   network    = "${var.network}"
   subnetwork = "${var.subnetwork}"
 
+  kubernetes_version = "1.11.7-gke.12"
+
   ip_range_pods     = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
   service_account   = "${var.compute_engine_service_account}"

examples/node_pool/main.tf

@@ -19,24 +19,29 @@ locals {
 }
 
 provider "google" {
+  version     = "~> 1.20"
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
 }
 
 module "gke" {
-  source            = "../../"
-  project_id        = "${var.project_id}"
-  name              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  region            = "${var.region}"
-  network           = "${var.network}"
-  subnetwork        = "${var.subnetwork}"
-  ip_range_pods     = "${var.ip_range_pods}"
-  ip_range_services = "${var.ip_range_services}"
+  source                   = "../../"
+  project_id               = "${var.project_id}"
+  name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional                 = "false"
+  region                   = "${var.region}"
+  zones                    = "${var.zones}"
+  network                  = "${var.network}"
+  subnetwork               = "${var.subnetwork}"
+  ip_range_pods            = "${var.ip_range_pods}"
+  ip_range_services        = "${var.ip_range_services}"
+  remove_default_node_pool = "true"
 
   node_pools = [
     {
       name            = "pool-01"
       min_count       = 1
+      max_count       = 2
       service_account = "${var.compute_engine_service_account}"
     },
     {

examples/node_pool/variables.tf

@@ -31,6 +31,11 @@ variable "region" {
   description = "The region to host the cluster in"
 }
 
+variable "zones" {
+  type        = "list"
+  description = "The zone to host the cluster in (required if is a zonal cluster)"
+}
+
 variable "network" {
   description = "The VPC network to host the cluster in"
 }

examples/shared_vpc/main.tf

@@ -19,6 +19,7 @@ locals {
 }
 
 provider "google" {
+  version     = "~> 1.20"
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
 }

examples/simple_regional_private/main.tf

@@ -19,6 +19,7 @@ locals {
 }
 
 provider "google-beta" {
+  version     = "~> 1.20"
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
 }

examples/simple_zonal/README.md

@@ -10,7 +10,6 @@ This example illustrates how to create a simple cluster.
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | cluster_name_suffix | A suffix to append to the default cluster name | string | `` | no |
-| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | credentials_path | The path to the GCP credentials JSON file | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |

examples/simple_zonal/main.tf

@@ -19,6 +19,7 @@ locals {
 }
 
 provider "google" {
+  version     = "~> 1.20"
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
 }
@@ -34,7 +35,7 @@ module "gke" {
   subnetwork        = "${var.subnetwork}"
   ip_range_pods     = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
-  service_account   = "${var.compute_engine_service_account}"
+  service_account   = "create"
 }
 
 data "google_client_config" "default" {}

examples/simple_zonal/variables.tf

@@ -51,7 +51,3 @@ variable "ip_range_pods" {
 variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
-
-variable "compute_engine_service_account" {
-  description = "Service account to associate to the nodes in the cluster"
-}

examples/simple_zonal_private/main.tf

@@ -19,6 +19,7 @@ locals {
 }
 
 provider "google-beta" {
+  version     = "~> 1.20"
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
 }

examples/stub_domains/main.tf

@@ -19,6 +19,7 @@ locals {
 }
 
 provider "google" {
+  version     = "~> 1.20"
   credentials = "${file(var.credentials_path)}"
   region      = "${var.region}"
 }