Safer Cluster module

.kitchen.yml

@@ -45,6 +45,13 @@ suites:
       systems:
         - name: shared_vpc
           backend: local
+  - name: "safer_cluster"
+    driver:
+      root_module_directory: test/fixtures/safer_cluster
+    verifier:
+      systems:
+        - name: safer_cluster
+          backend: local
   - name: "simple_regional"
     driver:
       root_module_directory: test/fixtures/simple_regional

build/int.cloudbuild.yaml

@@ -64,6 +64,26 @@ steps:
     - verify shared-vpc-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy shared-vpc-local']
+- id: create safer-cluster-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create safer-cluster-local']
+- id: converge safer-cluster-local
+  waitFor:
+    - create safer-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge safer-cluster-local']
+- id: verify safer-cluster-local
+  waitFor:
+    - converge safer-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify safer-cluster-local']
+- id: destroy safer-cluster-local
+  waitFor:
+    - verify safer-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy safer-cluster-local']
 - id: create simple-regional-local
   waitFor:
     - prepare

examples/safer_cluster/README.md

@@ -0,0 +1,52 @@
+# Safer GKE Cluster
+
+This example illustrates how to instantiate the opinionated Safer Cluster module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cloudrun | Boolean to enable / disable CloudRun | bool | `"true"` | no |
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | `"ip-range-pods"` | no |
+| ip\_range\_services | The secondary ip range to use for pods | string | `"ip-range-scv"` | no |
+| istio | Boolean to enable / disable Istio | bool | `"true"` | no |
+| master\_auth\_subnetwork | The subnetwork that has access to cluster master | string | `"master-auth-subnet"` | no |
+| master\_auth\_subnetwork\_cidr | The cidr block for the subnetwork that has access to cluster master | string | `"10.60.0.0/17"` | no |
+| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network | string | `"172.16.0.0/28"` | no |
+| network | The VPC network to host the cluster in | string | `"gke-network"` | no |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | `"us-central1"` | no |
+| subnetwork | The subnetwork to host the cluster in | string | `"gke-subnet"` | no |
+| subnetwork\_cidr | The cidr block for the subnetwork to host the cluster in | string | `"10.0.0.0/17"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | The cluster ca certificate (base64 encoded) |
+| client\_token | The bearer token for auth |
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint | The cluster endpoint |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| network\_name | The name of the VPC being created |
+| project\_id |  |
+| region |  |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnet\_names | The names of the subnet being created |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/safer_cluster/main.tf

@@ -0,0 +1,57 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "safer-cluster"
+}
+
+provider "google" {
+  version = "~> 2.18.0"
+}
+
+provider "google-beta" {
+  version = "~> 2.18.0"
+}
+
+module "gke" {
+  source                         = "../../modules/safer-cluster/"
+  project_id                     = var.project_id
+  name                           = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional                       = true
+  region                         = var.region
+  network                        = module.gcp-network.network_name
+  subnetwork                     = module.gcp-network.subnets_names[0]
+  ip_range_pods                  = var.ip_range_pods
+  ip_range_services              = var.ip_range_services
+  compute_engine_service_account = var.compute_engine_service_account
+  master_ipv4_cidr_block         = var.master_ipv4_cidr_block
+  master_authorized_networks_config = [
+    {
+      cidr_blocks = [
+        {
+          cidr_block   = var.master_auth_subnetwork_cidr
+          display_name = "VPC"
+        },
+      ]
+    },
+  ]
+  istio    = var.istio
+  cloudrun = var.cloudrun
+}
+
+data "google_client_config" "default" {
+}
+

examples/safer_cluster/network.tf

@@ -0,0 +1,48 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gcp-network" {
+  source       = "terraform-google-modules/network/google"
+  version      = "~> 1.4.0"
+  project_id   = var.project_id
+  network_name = var.network
+
+  subnets = [
+    {
+      subnet_name   = var.subnetwork
+      subnet_ip     = var.subnetwork_cidr
+      subnet_region = var.region
+    },
+    {
+      subnet_name   = var.master_auth_subnetwork
+      subnet_ip     = var.master_auth_subnetwork_cidr
+      subnet_region = var.region
+    },
+  ]
+
+  secondary_ranges = {
+    "${var.subnetwork}" = [
+      {
+        range_name    = var.ip_range_pods
+        ip_cidr_range = "192.168.0.0/18"
+      },
+      {
+        range_name    = var.ip_range_services
+        ip_cidr_range = "192.168.64.0/18"
+      },
+    ]
+  }
+}

examples/safer_cluster/outputs.tf

@@ -0,0 +1,47 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  description = "The cluster endpoint"
+  sensitive   = true
+  value       = module.gke.endpoint
+}
+
+output "client_token" {
+  description = "The bearer token for auth"
+  sensitive   = true
+  value       = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+  description = "The cluster ca certificate (base64 encoded)"
+  value       = module.gke.ca_certificate
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = module.gke.service_account
+}
+
+output "network_name" {
+  description = "The name of the VPC being created"
+  value       = module.gcp-network.network_name
+}
+
+output "subnet_names" {
+  description = "The names of the subnet being created"
+  value       = module.gcp-network.subnets_names
+}

examples/safer_cluster/test_outputs.tf

@@ -0,0 +1 @@
+../../test/fixtures/all_examples/test_outputs.tf

examples/safer_cluster/variables.tf

@@ -0,0 +1,92 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "The project ID to host the cluster in"
+}
+
+variable "cluster_name_suffix" {
+  type        = string
+  description = "A suffix to append to the default cluster name"
+  default     = ""
+}
+
+variable "region" {
+  type        = string
+  description = "The region to host the cluster in"
+  default     = "us-central1"
+}
+
+variable "network" {
+  type        = string
+  description = "The VPC network to host the cluster in"
+  default     = "gke-network"
+}
+
+variable "subnetwork" {
+  type        = string
+  description = "The subnetwork to host the cluster in"
+  default     = "gke-subnet"
+}
+variable "subnetwork_cidr" {
+  type        = string
+  description = "The cidr block for the subnetwork to host the cluster in"
+  default     = "10.0.0.0/17"
+}
+variable "master_auth_subnetwork_cidr" {
+  type        = string
+  description = "The cidr block for the subnetwork that has access to cluster master"
+  default     = "10.60.0.0/17"
+}
+variable "master_auth_subnetwork" {
+  type        = string
+  description = "The subnetwork that has access to cluster master"
+  default     = "master-auth-subnet"
+}
+variable "ip_range_pods" {
+  type        = string
+  description = "The secondary ip range to use for pods"
+  default     = "ip-range-pods"
+}
+
+variable "ip_range_services" {
+  type        = string
+  description = "The secondary ip range to use for pods"
+  default     = "ip-range-scv"
+}
+variable "istio" {
+  type        = bool
+  description = "Boolean to enable / disable Istio"
+  default     = true
+}
+
+variable "cloudrun" {
+  type        = bool
+  description = "Boolean to enable / disable CloudRun"
+  default     = true
+}
+
+variable "master_ipv4_cidr_block" {
+  type        = string
+  description = "The IP range in CIDR notation to use for the hosted master network"
+  default     = "172.16.0.0/28"
+}
+
+variable "compute_engine_service_account" {
+  type        = string
+  description = "Service account to associate to the nodes in the cluster"
+}

examples/safer_cluster/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}