Merge pull request #1871 from apichick/workstation-cluster

Added workstation-cluster module

CHANGELOG.md

@@ -90,7 +90,7 @@ All notable changes to this project will be documented in this file.
 - [[#1846](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1846)] Add support for IAM to vpc sc module ([ludoo](https://github.com/ludoo)) <!-- 2023-11-08 10:27:44+00:00 -->
 - [[#1844](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1844)] Allow disabling IAM for sink identity in resource manager modules ([apichick](https://github.com/apichick)) <!-- 2023-11-07 08:30:42+00:00 -->
 - [[#1841](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1841)] Fix modules to support new Apigee X environment types ([Teodelas](https://github.com/Teodelas)) <!-- 2023-11-06 08:56:04+00:00 -->
-- [[#1842](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1842)] Bump provider version to 5.4.0 ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-04 08:14:03+00:00 -->
+- [[#1842](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1842)] Bump provider version to 5.6.0 ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-04 08:14:03+00:00 -->
 - [[#1823](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1823)] Add end-to-end tests for project module ([wiktorn](https://github.com/wiktorn)) <!-- 2023-11-03 17:04:19+00:00 -->
 - [[#1837](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1837)] Added envoy as SNI dynamic forward proxy to cloud-config-container ([apichick](https://github.com/apichick)) <!-- 2023-11-03 07:43:15+00:00 -->
 - [[#1839](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1839)] Added create_before_destroy = true for self-managed certificates ([apichick](https://github.com/apichick)) <!-- 2023-11-02 14:14:45+00:00 -->

README.md

@@ -33,7 +33,7 @@ Currently available modules:
 - **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [Firewall policy](./modules/net-firewall-policy), [Internal Application LB](./modules/net-lb-app-int), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
 - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
 - **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan/), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
-- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)
+- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
 - **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
 - **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run)
 

blueprints/gke/binauthz/app/app.yaml

@@ -0,0 +1,45 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: storage-api-sa
+  namespace: apis
+  annotations:
+    iam.gke.io/gcp-service-account: sa-storage-api@ba-g-prj-cd-sb-binauthz-001.iam.gserviceaccount.com
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: storage-api-deployment
+  namespace: apis
+spec:
+  selector:
+    matchLabels:
+      app: storage-api
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: storage-api
+    spec:
+      serviceAccountName: storage-api-sa
+      containers:
+      - name: storage-api
+        image: europe-west1-docker.pkg.dev/ba-g-prj-cd-sb-binauthz-001/ba-registry/storage-api:DIGEST
+        ports:
+        - containerPort: 3000
+      nodeSelector:
+        iam.gke.io/gke-metadata-server-enabled: "true"

blueprints/gke/binauthz/tenant-setup.yaml

@@ -0,0 +1,54 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: apis
+---  
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: app-deployment-manager
+  namespace: apis
+rules:
+- apiGroups: 
+    - ''
+    - 'extensions'
+    - 'apps'
+  resources: 
+    - 'namespaces'
+    - 'serviceaccounts'
+    - 'deployments'
+  verbs: 
+    - 'get'
+    - 'list'
+    - 'watch'
+    - 'create'
+    - 'update'
+    - 'patch'
+    - 'delete'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: app-deployment-manager
+  namespace: apis
+subjects:
+- kind: User
+  name: sa-cb-app@ba-g-prj-cd-sb-binauthz-001.iam.gserviceaccount.com
+roleRef:
+  kind: Role
+  name: app-deployment-manager
+  apiGroup: rbac.authorization.k8s.io

default-versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/README.md

@@ -92,6 +92,7 @@ These modules are used in the examples included in this repository. If you are u
 - [Artifact Registry](./artifact-registry)
 - [Container Registry](./container-registry)
 - [Cloud Source Repository](./source-repository)
+- [Workstation cluster](./workstation-cluster)
 
 ## Security
 

modules/__experimental/alloydb-instance/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/__experimental/net-neg/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/api-gateway/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/apigee/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/artifact-registry/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/bigquery-dataset/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/bigtable-instance/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/billing-account/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/binauthz/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/__need_fixing/onprem/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/coredns/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/cos-generic-metadata/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/envoy-traffic-director/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/mysql/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/nginx-tls/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/nginx/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }

modules/cloud-config-container/simple-nva/versions.tf

@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.4.0, < 6.0.0" # tftest
+      version = ">= 5.6.0, < 6.0.0" # tftest
     }
   }
 }