finos/terraform-google-cfi-gke

Terraform Child Module Template

This Terraform script deploys the following resources, all in the 'europe-west2' (London) region:

  1. Custom VPC with 2 subnets (one subnet for the Bastion Host and other administrative machines, the other subnet for hosting the k8s nodes).

  2. Firewall rule allowing IAP (Identity-Aware Proxy) for securely logging in to the Bastion Host VM.

  3. Bastion Host for communicating with the Kube API server.

  4. Security-hardened private GKE cluster with minimal permissions and privileges. The cluster is only accessible via the Bastion Host, which is whitelisted to use it.

Notes:

-> This script does not include the creation of service accounts or roles.
-> This script does not include the creation of Key Rings and Encryption Keys.
-> This script does not include the creation and configuration of a NAT Gateway. It is recommended to set up Cloud NAT for the VPC where your cluster is hosted; otherwise the private K8s nodes will not be able to reach the internet.
-> Any access from pods/jobs to Google Cloud services beyond the K8s nodes' service account permissions needs to be granted granular permissions via Workload Identity.
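The three network and identity pieces described above (the IAP firewall rule from item 2, plus the Cloud NAT and Workload Identity binding the notes leave to you), as an added example that is not code from this repository. The VPC, subnet and tag names follow the default inputs; the router, NAT, service account, namespace and KSA names are assumed placeholders.

```hcl
# 1) IAP firewall rule (the module's item 2): SSH to the bastion only from Google's IAP
#    TCP-forwarding range, never from 0.0.0.0/0.
resource "google_compute_firewall" "allow_iap_ssh" {
  name          = "gke-vpc-allow-iap-ssh"   # assumed name
  network       = "gke-vpc"                 # VPC name from the module defaults
  source_ranges = ["35.235.240.0/20"]       # IAP TCP forwarding source range
  target_tags   = ["allow-iap"]             # tag from the bastion_host default
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
# 2) Cloud Router + Cloud NAT for the node subnet only; the admin subnet gets no egress path.
data "google_compute_subnetwork" "nodes" {
  name   = "k8s-nodes-subnet"   # subnet name/region from the module defaults
  region = "europe-west2"
}
resource "google_compute_router" "nat_router" {
  name    = "gke-vpc-nat-router"   # assumed name
  region  = "europe-west2"
  network = "gke-vpc"
}
resource "google_compute_router_nat" "nat" {
  name                               = "gke-vpc-nat"   # assumed name
  router                             = google_compute_router.nat_router.name
  region                             = google_compute_router.nat_router.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = data.google_compute_subnetwork.nodes.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
  log_config {
    enable = true
    filter = "ERRORS_ONLY"   # NAT logs are where failed or blocked egress shows up
  }
}
# 3) Workload Identity: only the named Kubernetes service account may act as this Google
#    service account, so pods never inherit the node service account's permissions.
variable "project_id" { type = string }   # assumed placeholder "<project-id>"
resource "google_service_account" "app_sa" {
  account_id   = "app-workload-sa"   # assumed name
  display_name = "Workload Identity SA for the app namespace"
}
resource "google_service_account_iam_member" "wi_binding" {
  service_account_id = google_service_account.app_sa.name
  role               = "roles/iam.workloadIdentityUser"
  # member format: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]; namespace/KSA assumed
  member = "serviceAccount:${var.project_id}.svc.id.goog[app/app-ksa]"
}
```

The Kubernetes service account still needs the matching iam.gke.io/gcp-service-account annotation on the cluster side before pods in that namespace can use the binding.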

Pre-requisites:

  1. Service account for Terraform with the following roles:

-> Editor

  2. Service account for the Bastion Host with the following roles:

-> Monitoring Viewer
-> Monitoring Metric Writer
-> Logs Writer
-> Storage Object Viewer
-> Kubernetes Engine Developer

  3. Service account for the K8s nodes with the following roles:

-> Monitoring Viewer
-> Monitoring Metric Writer
-> Logs Writer
-> Storage Object Viewer

  4. Encryption key in Cloud KMS for encrypting ETCD
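The bastion and node service accounts and the KMS key that this module expects to already exist, as an added example that is not part of this repository (the Terraform service account with Editor is omitted). Account IDs, key ring and key names are assumed; the role IDs are the IAM identifiers of the role names listed above. The final resource grants the GKE service agent use of the key, which etcd encryption requires even though the list above does not mention it.

```hcl
variable "project_id" { type = string }   # assumed placeholder "<project-id>"
data "google_project" "this" { project_id = var.project_id }
# Node service account with exactly the four roles listed above, nothing more.
resource "google_service_account" "k8s_nodes" {
  account_id   = "gke-nodes-sa"   # assumed name
  display_name = "GKE node service account"
}
locals {
  node_roles = [
    "roles/monitoring.viewer",       # Monitoring Viewer
    "roles/monitoring.metricWriter", # Monitoring Metric Writer
    "roles/logging.logWriter",       # Logs Writer
    "roles/storage.objectViewer",    # Storage Object Viewer
  ]
}
resource "google_project_iam_member" "k8s_nodes" {
  for_each = toset(local.node_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.k8s_nodes.email}"
}
# Bastion service account: the same four roles plus Kubernetes Engine Developer.
resource "google_service_account" "bastion" {
  account_id   = "gke-bastion-sa"   # assumed name
  display_name = "Bastion host service account"
}
resource "google_project_iam_member" "bastion" {
  for_each = toset(concat(local.node_roles, ["roles/container.developer"]))
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.bastion.email}"
}
# KMS key for etcd (application-layer secrets) encryption, in the cluster's region.
resource "google_kms_key_ring" "gke" {
  name     = "gke-keyring"   # assumed name
  location = "europe-west2"
}
resource "google_kms_crypto_key" "etcd" {
  name            = "gke-etcd-key"   # assumed name
  key_ring        = google_kms_key_ring.gke.id
  rotation_period = "7776000s"   # 90 days
}
# GKE's service agent must be allowed to use the key, or cluster creation fails.
resource "google_kms_crypto_key_iam_member" "gke_agent" {
  crypto_key_id = google_kms_crypto_key.etcd.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@container-engine-robot.iam.gserviceaccount.com"
}
```

google_kms_crypto_key.etcd.id is the full resource ID (projects/.../locations/.../keyRings/.../cryptoKeys/...) that the kubernetes module expects, not just the key name.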

Edits required before terraform apply:

  1. root/variables.tf:

-> Line 4: Add path to credentials file
-> Line 16: Add project ID
-> Line 122: Add service account ID of k8s-nodes
-> Line 123 (optional): Change node pool machine type
-> Line 130: Add encryption key name for ETCD

  2. modules/kubernetes/main.tf:

-> Line 31 (optional): Change GKE master version
-> Line 57: Add key ID where the encryption key for ETCD is contained (the full resource ID must be given here, not just the key name)
-> Set maintenance window and maintenance exclusions based on your time zone (I have intentionally left this out considering that different organizations have different peak traffic hours and varying time zones)

  3. modules/Bastion_Host/main.tf:

-> Line 30: Add service account ID of Bastion Host VM
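How the values from this edit list fit together in a hardened private cluster, as an added illustration that is not modules/kubernetes/main.tf: the project ID, node service account and full key ID are the three variables, and the CIDRs, names and machine type come from the default inputs below. The key ID must have the form projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>.

```hcl
variable "project_id"           { type = string }  # assumed placeholders mirroring the inputs below
variable "service_account_name" { type = string }  # email of the k8s nodes service account
variable "encryption_key_name"  { type = string }  # FULL key resource ID, not just the key name
resource "google_container_cluster" "gke" {
  name       = "gke-cluster"
  location   = "europe-west2"
  network    = "gke-vpc"
  subnetwork = "k8s-nodes-subnet"
  # Manage our own node pool so the default pool (default SA, broad scopes) never exists.
  remove_default_node_pool = true
  initial_node_count       = 1
  # Private nodes and a private control-plane endpoint: no public IP anywhere.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  # Only the admin (bastion) subnet may reach the Kube API server.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.1.0/24"
      display_name = "admin-subnet"
    }
  }
  ip_allocation_policy { cluster_ipv4_cidr_block = "10.1.0.0/16" }   # VPC-native, required for private nodes
  # Secrets in etcd encrypted with the customer-managed key; key_name must be the full resource ID.
  database_encryption {
    state    = "ENCRYPTED"
    key_name = var.encryption_key_name
  }
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}
resource "google_container_node_pool" "primary" {
  name       = "primary-pool"
  location   = "europe-west2"
  cluster    = google_container_cluster.gke.name
  node_count = 1
  node_config {
    machine_type    = "e2-standard-4"
    service_account = var.service_account_name   # least-privilege node SA, not the default compute SA
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config { mode = "GKE_METADATA" }   # pods cannot read node metadata credentials
  }
}
```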

FINOS - Incubating website build

terraform-provider-function

This terraform module produces blah

Usage example

module "iam" {
  source  = "terraform-aws-modules/iam/aws"
  version = "5.3.0"
}

Providers

No providers.

Requirements

No requirements.

Inputs

Each input is listed with its description, type, default and whether it is required.

bastion_host
  Description: The Bastion host config for production
  Type:
    object({
      internal_ip_address = string
      vm_name             = string
      machine_type        = string
      zone                = string
      machine_image       = string
      tags                = list(string)
      bastion_subnet_name = string
      region              = string
    })
  Default:
    {
      "bastion_subnet_name": "admin-subnet",
      "internal_ip_address": "10.0.1.2",
      "machine_image": "ubuntu-1604-lts",
      "machine_type": "n1-standard-1",
      "region": "europe-west2",
      "tags": ["allow-iap"],
      "vm_name": "prod-bastion-host",
      "zone": "europe-west2-a"
    }
  Required: no

bastion_subnet_name
  Description: Name of the subnet to deploy the bastion host on
  Type: string
  Default: "admin-subnet"
  Required: no

cluster_name
  Description: Cluster name for the GCP cluster
  Type: string
  Default: "gke-cluster"
  Required: no

cred_url
  Description: Your service account full URL
  Type: string
  Default: "<path to json key credentials of service account that tf uses>"
  Required: no

encryption_key_name
  Description: Name of the encryption key for ETCD
  Type: string
  Default: "<encryption-key-id>"
  Required: no

gke-cluster
  Description: The GKE app cluster for production
  Type:
    object({
      region                  = string
      cluster_name            = string
      master_cidr             = string
      cluster_ipv4_cidr_block = string
      service_account_name    = string
      machine_type            = string
    })
  Default:
    {
      "cluster_ipv4_cidr_block": "10.1.0.0/16",
      "cluster_name": "gke-cluster",
      "machine_type": "e2-standard-4",
      "master_cidr": "172.168.10.0/28",
      "region": "europe-west2",
      "service_account_name": ""
    }
  Required: no

gke-vpc
  Description: The name of the production VPC
  Type:
    object({
      name    = string
      subnets = list(object({
        name          = string
        description   = string
        ip_cidr_range = string
        region        = string
      }))
    })
  Default:
    {
      "name": "gke-vpc",
      "subnets": [
        {
          "description": "Subnet for bastion host and other administrative VMs",
          "ip_cidr_range": "10.0.1.0/24",
          "name": "admin-subnet",
          "region": "europe-west2"
        },
        {
          "description": "Subnet for GKE nodes",
          "ip_cidr_range": "10.0.2.0/24",
          "name": "k8s-nodes-subnet",
          "region": "europe-west2"
        }
      ]
    }
  Required: no

master_cidr
  Description: CIDR block address of the GKE master
  Type: string
  Default: "172.16.0.0/28"
  Required: no

project_id
  Description: Your project ID in GCP
  Type: string
  Default: "<project-id>"
  Required: no

region
  Description: The region of the project resources in GCP
  Type: string
  Default: "europe-west2"
  Required: no

service_account_name
  Description: The service account name
  Type: string
  Default: "<ID of K8s nodes service account>"
  Required: no

zone
  Description: The zone of the project resources in GCP
  Type: string
  Default: "a"
  Required: no

Outputs

No outputs.

Resources

No resources.

Installation

OS X & Linux:

npm install my-crazy-module --save

Windows:

edit autoexec.bat

Development setup

Describe how to install all development dependencies and how to run an automated test-suite of some kind. Potentially do this for multiple platforms.

make install
npm test

Roadmap

List the roadmap steps; alternatively link the Confluence Wiki page where the project roadmap is published.

  1. Item 1
  2. Item 2
  3. ....

Contributing

  1. Fork it (https://github.com/finos/cfi-terraform-template-child-module/fork)
  2. Create your feature branch (git checkout -b feature/fooBar)
  3. Read our contribution guidelines and Community Code of Conduct
  4. Commit your changes (git commit -am 'Add some fooBar')
  5. Push to the branch (git push origin feature/fooBar)
  6. Create a new Pull Request

_NOTE:_ Commits and pull requests to FINOS repositories will only be accepted from those contributors with an active, executed Individual Contributor License Agreement (ICLA) with FINOS OR who are covered under an existing and active Corporate Contribution License Agreement (CCLA) executed with FINOS. Commits from individuals not covered under an ICLA or CCLA will be flagged and blocked by the FINOS Clabot tool (or EasyCLA). Please note that some CCLAs require individuals/employees to be explicitly named on the CCLA.

Need an ICLA? Unsure if you are covered under an existing CCLA? Email help@finos.org

License

Copyright 2022 FINOS

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

About

Terraform child module deploying compliant GKE instance.