Added workstation-cluster module
apichick committed Nov 19, 2023
1 parent c642c13 commit 2a84168
Showing 13 changed files with 919 additions and 3 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -33,7 +33,7 @@ Currently available modules:
- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [Firewall policy](./modules/net-firewall-policy), [Internal Application LB](./modules/net-lb-app-int), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
- **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan/), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run)

4 changes: 2 additions & 2 deletions default-versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.4.0, < 6.0.0" # tftest
version = ">= 5.6.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.4.0, < 6.0.0" # tftest
version = ">= 5.6.0, < 6.0.0" # tftest
}
}
}
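Review bot: the floor for both providers moves from `>= 5.4.0` to `>= 5.6.0` without the commit message giving a reason. Because this is the repository-wide `default-versions.tf`, raising the minimum forces every consumer still on 5.4.x or 5.5.x to upgrade their provider, not only users of the new module; state why 5.6.0 is needed (presumably a resource the workstation-cluster module depends on is only available from that release) and mention the bump in the changelog so the change is not silent.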
1 change: 1 addition & 0 deletions modules/README.md
@@ -92,6 +92,7 @@ These modules are used in the examples included in this repository. If you are u
- [Artifact Registry](./artifact-registry)
- [Container Registry](./container-registry)
- [Cloud Source Repository](./source-repository)
- [Workstation cluster](./workstation-cluster)

## Security

158 changes: 158 additions & 0 deletions modules/workstation-cluster/README.md
@@ -0,0 +1,158 @@
# Workstation cluster

This module allows to create a workstation cluster with associated workstation configs and workstations. In addition to this it allows to set up IAM bindings for the workstation configs and the workstations.

## Examples

## Simple example
```hcl
module "workstation-cluster" {
source = "./fabric/modules/workstation-cluster"
project_id = var.project_id
workstation_cluster_id = "my-workstation-cluster"
location = var.region
network = var.vpc.self_link
subnetwork = var.subnet.self_link
workstation_configs = {
my-workstation-config = {
workstations = {
my-workstation = {
labels = {
team = "my-team"
}
}
}
}
}
}
# tftest modules=1 resources=3 inventory=simple.yaml
```

## Private Cluster
```hcl
module "workstation-cluster" {
source = "./fabric/modules/workstation-cluster"
project_id = var.project_id
workstation_cluster_id = "my-workstation-cluster"
location = var.region
network = var.vpc.self_link
subnetwork = var.subnet.self_link
private_cluster_config = {
enable_private_endpoint = true
}
workstation_configs = {
my-workstation-config = {
workstations = {
my-workstation = {
labels = {
team = "my-team"
}
}
}
}
}
}
# tftest modules=1 resources=3 inventory=private-cluster.yaml
```

## Custom container

```hcl
module "workstation-cluster" {
source = "./fabric/modules/workstation-cluster"
project_id = var.project_id
workstation_cluster_id = "my-workstation-cluster"
location = var.region
network = var.vpc.self_link
subnetwork = var.subnet.self_link
workstation_configs = {
my-workstation-config = {
container = {
image = "repo/my-image:v10.0.0"
args = ["--arg1", "value1", "--arg2", "value2"]
env = {
VAR1 = "VALUE1"
VAR2 = "VALUE2"
}
working_dir = "/my-dir"
}
workstations = {
my-workstation = {
labels = {
team = "my-team"
}
}
}
}
}
}
# tftest modules=1 resources=3 inventory=custom-container.yaml
```

## IAM

```hcl
module "workstation-cluster" {
source = "./fabric/modules/workstation-cluster"
project_id = var.project_id
workstation_cluster_id = "my-workstation-cluster"
location = var.region
network = var.vpc.self_link
subnetwork = var.subnet.self_link
workstation_configs = {
my-workstation-config = {
workstations = {
my-workstation = {
labels = {
team = "my-team"
}
iam = {
"roles/workstations.user" = ["user:user1@my-org.com"]
}
}
}
iam = {
"roles/viewer" = ["group:group1@my-org.com"]
}
iam_bindings = {
workstations-config-viewer = {
role = "roles/viewer"
members = ["group:group2@my-org.com"]
condition = {
title = "limited-access"
expression = "resource.name.startsWith('my-')"
}
}
}
iam_bindings_additive = {
workstations-config-editor = {
role = "roles/editor"
member = "group:group3@my-org.com"
condition = {
title = "limited-access"
expression = "resource.name.startsWith('my-')"
}
}
}
}
}
}
# tftest modules=1 resources=7 inventory=iam.yaml
```
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [network](variables.tf#L47) | Network ID. | <code>string</code> || |
| [project_id](variables.tf#L62) | Cluster ID. | <code>string</code> || |
| [subnetwork](variables.tf#L67) | Subnet ID. | <code>string</code> || |
| [workstation_cluster_id](variables.tf#L72) | Workstation cluster ID. | <code>string</code> || |
| [workstation_configs](variables.tf#L77) | Workstation configurations. | <code title="map&#40;object&#40;&#123;&#10; annotations &#61; optional&#40;map&#40;string&#41;&#41;&#10; container &#61; optional&#40;object&#40;&#123;&#10; image &#61; optional&#40;string&#41;&#10; command &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; args &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; working_dir &#61; optional&#40;string&#41;&#10; env &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; run_as_user &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; enable_audit_agent &#61; optional&#40;bool&#41;&#10; encryption_key &#61; optional&#40;object&#40;&#123;&#10; kms_key &#61; string&#10; kms_key_service_account &#61; string&#10; &#125;&#41;&#41;&#10; gce_instance &#61; optional&#40;object&#40;&#123;&#10; machine_type &#61; optional&#40;string&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; service_account_scopes &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; pool_size &#61; optional&#40;number&#41;&#10; boot_disk_size_gb &#61; optional&#40;number&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;&#41;&#10; disable_public_ip_addresses &#61; optional&#40;bool, false&#41;&#10; enable_nested_virtualization &#61; optional&#40;bool, false&#41;&#10; shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10; enable_secure_boot &#61; optional&#40;bool, false&#41;&#10; enable_vtpm &#61; optional&#40;bool, false&#41;&#10; enable_integrity_monitoring &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; enable_confidential_compute &#61; optional&#40;bool, false&#41;&#10; accelerators &#61; optional&#40;list&#40;object&#40;&#123;&#10; type &#61; optional&#40;string&#41;&#10; count &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, 
&#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; members &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; member &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; idle_timeout &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; persistent_directories &#61; optional&#40;list&#40;object&#40;&#123;&#10; mount_path &#61; optional&#40;string&#41;&#10; gce_pd &#61; optional&#40;object&#40;&#123;&#10; size_gb &#61; optional&#40;number&#41;&#10; fs_type &#61; optional&#40;string&#41;&#10; disk_type &#61; optional&#40;string&#41;&#10; source_snapshot &#61; optional&#40;string&#41;&#10; reclaim_policy &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; running_timeout &#61; optional&#40;string&#41;&#10; replica_zones &#61; optional&#40;list&#40;string&#41;&#41;&#10; workstations &#61; optional&#40;map&#40;object&#40;&#123;&#10; annotations &#61; optional&#40;map&#40;string&#41;&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; env &#61; optional&#40;map&#40;string&#41;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; members &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; member &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | ✓ | |
| [annotations](variables.tf#L17) | Annotations. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [display_name](variables.tf#L23) | Display name. | <code>string</code> | | <code>null</code> |
| [domain](variables.tf#L29) | Domain. | <code>string</code> | | <code>null</code> |
| [labels](variables.tf#L35) | Labels. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [location](variables.tf#L41) | Location. | <code>string</code> | | <code>null</code> |
| [private_cluster_config](variables.tf#L52) | Private cluster config. | <code title="object&#40;&#123;&#10; enable_private_endpoint &#61; optional&#40;bool, false&#41;&#10; allowed_projects &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
<!-- END TFDOC -->
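Review bot: the variables table describes `project_id` as `Cluster ID.` (`| [project_id](variables.tf#L62) | Cluster ID. |`); it should read `Project ID.`, which is what every example passes through `var.project_id`, and the `Workstation cluster ID.` description already belongs to `workstation_cluster_id`. Two further points on this file. The `gce_instance` defaults inside `workstation_configs` are all permissive: `disable_public_ip_addresses = optional(bool, false)` gives each workstation VM a public IP unless the caller opts out, and the three `shielded_instance_config` flags plus `enable_confidential_compute` default to `false`. For a developer-workstation module I would default public IPs to disabled and Secure Boot, vTPM and integrity monitoring to enabled, or at minimum show them in the Private Cluster example next to `enable_private_endpoint = true`, since a private endpoint only affects how the cluster is reached and does not by itself keep the workstation VMs off the internet; `idle_timeout` and `running_timeout` likewise deserve a sentence, as they bound how long an unattended workstation stays reachable. The IAM example grants the basic roles `roles/viewer` and `roles/editor` on a workstation config; the same example already uses `roles/workstations.user` at workstation level, and the documentation should stick to service-specific roles, because `roles/editor` is far broader than anything a config-level binding needs. Finally, `## Simple example`, `## Private Cluster`, `## Custom container` and `## IAM` sit at the same heading level as `## Examples` and should be `###`, and the intro sentence reads better as "This module allows creating a workstation cluster with associated workstation configs and workstations."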
