Add infra for deploy-gke (#66)

Closes #65 Already applied --------- Co-authored-by: JeromeJu <jeromeju@google.com>
google-github-actions · May 1, 2024 · 1253792 · 1253792
1 parent 4356c34
commit 1253792
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 22 deletions.
diff --git a/main.tf b/main.tf
@@ -113,8 +113,9 @@ resource "google_compute_network" "network" {
   name        = "github-actions-network"
   description = "Network for GitHub Actions infrastructure."
 
-  auto_create_subnetworks = false
-  routing_mode            = "GLOBAL"
+  auto_create_subnetworks  = false
+  enable_ula_internal_ipv6 = true
+  routing_mode             = "GLOBAL"
 
   depends_on = [
     google_project_service.services["compute.googleapis.com"],

diff --git a/project_deploy-gke.tf b/project_deploy-gke.tf
@@ -28,6 +28,15 @@ module "deploy-gke" {
     "deployment",
   ], local.common_topics)
 
+  repo_variables = {
+    "IMAGE"          = "nginx:latest"
+    "APP_NAME"       = "deploy-gke-app"
+    "CLUSTER_REGION" = google_container_cluster.deploy_gke.location
+    "CLUSTER_NAME"   = google_container_cluster.deploy_gke.name
+    "NAMESPACE"      = "deploy-gke-ns"
+    "EXPOSE"         = "80"
+  }
+
   repo_collaborators = {
     teams = {
       "deploy-gke-maintainers" : "push",
@@ -39,10 +48,67 @@ module "deploy-gke" {
     google_project_service.services,
   ]
 }
+
+resource "google_compute_subnetwork" "deploy-gke" {
+  name    = "deploy-gke"
+  region  = "us-central1"
+  network = google_compute_network.network.id
+
+  ip_cidr_range    = "10.0.2.0/24"
+  stack_type       = "IPV4_IPV6"
+  ipv6_access_type = "INTERNAL"
+
+  private_ip_google_access = true
+
+  secondary_ip_range {
+    range_name    = "deploy-gke-pods"
+    ip_cidr_range = "192.168.20.0/24"
+  }
+
+  secondary_ip_range {
+    range_name    = "deploy-gke-services"
+    ip_cidr_range = "192.168.21.0/24"
+  }
+}
+
+resource "google_container_cluster" "deploy_gke" {
+  name     = "deploy-gke-cluster"
+  location = google_compute_subnetwork.deploy-gke.region
+  network  = google_compute_network.network.id
+
+  enable_autopilot         = true
+  enable_l4_ilb_subsetting = true
+  deletion_protection      = false
+
+  subnetwork = google_compute_subnetwork.deploy-gke.id
+
+  ip_allocation_policy {
+    stack_type                    = "IPV4_IPV6"
+    cluster_secondary_range_name  = google_compute_subnetwork.deploy-gke.secondary_ip_range[0].range_name
+    services_secondary_range_name = google_compute_subnetwork.deploy-gke.secondary_ip_range[1].range_name
+  }
+
+  release_channel {
+    channel = "REGULAR"
+  }
+
+  timeouts {
+    create = "15m"
+    update = "15m"
+  }
+
+  depends_on = [
+    google_project_service.services["container.googleapis.com"],
+  ]
+}
+
 # Grant the custom service account permissions to manage gke resources.
 resource "google_project_iam_member" "deploy-gke-roles" {
   for_each = toset([
     "roles/container.developer",
+
+    # For verifying deployments in the gke cluster
+    "roles/container.clusterViewer",
   ])
 
   project = data.google_project.project.project_id

diff --git a/project_get-gke-credentials.tf b/project_get-gke-credentials.tf
@@ -57,35 +57,40 @@ resource "google_project_iam_member" "get-gke-credentials" {
 
 # Public GKE cluster
 resource "google_compute_subnetwork" "get-gke-credentials-public" {
-  name          = "get-gke-credentials-public"
-  ip_cidr_range = "10.0.0.0/17"
-  region        = "us-central1"
-  network       = google_compute_network.network.id
+  name    = "get-gke-credentials-public"
+  region  = "us-central1"
+  network = google_compute_network.network.id
+
+  ip_cidr_range    = "10.0.0.0/24"
+  stack_type       = "IPV4_IPV6"
+  ipv6_access_type = "INTERNAL"
 
   private_ip_google_access = true
 
   secondary_ip_range {
     range_name    = "get-gke-credentials-public-pods"
-    ip_cidr_range = "192.168.0.0/18"
+    ip_cidr_range = "192.168.0.0/24"
   }
 
   secondary_ip_range {
     range_name    = "get-gke-credentials-public-services"
-    ip_cidr_range = "192.168.64.0/18"
+    ip_cidr_range = "192.168.1.0/24"
   }
 }
 
 resource "google_container_cluster" "get-gke-credentials-public" {
   name     = "get-gke-credentials-public"
   location = google_compute_subnetwork.get-gke-credentials-public.region
 
-  enable_autopilot   = true
-  initial_node_count = 1
+  enable_autopilot         = true
+  enable_l4_ilb_subsetting = true
+  deletion_protection      = false
 
   network    = google_compute_network.network.id
   subnetwork = google_compute_subnetwork.get-gke-credentials-public.id
 
   ip_allocation_policy {
+    stack_type                    = "IPV4_IPV6"
     cluster_secondary_range_name  = google_compute_subnetwork.get-gke-credentials-public.secondary_ip_range[0].range_name
     services_secondary_range_name = google_compute_subnetwork.get-gke-credentials-public.secondary_ip_range[1].range_name
   }
@@ -106,30 +111,34 @@ resource "google_container_cluster" "get-gke-credentials-public" {
 
 # Private GKE cluster
 resource "google_compute_subnetwork" "get-gke-credentials-private" {
-  name          = "get-gke-credentials-private"
-  ip_cidr_range = "10.0.128.0/17"
-  region        = "us-central1"
-  network       = google_compute_network.network.id
+  name    = "get-gke-credentials-private"
+  region  = "us-central1"
+  network = google_compute_network.network.id
+
+  ip_cidr_range    = "10.0.1.0/24"
+  stack_type       = "IPV4_IPV6"
+  ipv6_access_type = "INTERNAL"
 
   private_ip_google_access = true
 
   secondary_ip_range {
     range_name    = "get-gke-credentials-private-pods"
-    ip_cidr_range = "192.168.128.0/18"
+    ip_cidr_range = "192.168.10.0/24"
   }
 
   secondary_ip_range {
     range_name    = "get-gke-credentials-private-services"
-    ip_cidr_range = "192.168.192.0/18"
+    ip_cidr_range = "192.168.11.0/24"
   }
 }
 
 resource "google_container_cluster" "get-gke-credentials-private" {
   name     = "get-gke-credentials-private"
   location = google_compute_subnetwork.get-gke-credentials-private.region
 
-  enable_autopilot   = true
-  initial_node_count = 1
+  enable_autopilot         = true
+  enable_l4_ilb_subsetting = true
+  deletion_protection      = false
 
   network    = google_compute_network.network.id
   subnetwork = google_compute_subnetwork.get-gke-credentials-private.id
@@ -148,6 +157,7 @@ resource "google_container_cluster" "get-gke-credentials-private" {
   }
 
   ip_allocation_policy {
+    stack_type                    = "IPV4_IPV6"
     cluster_secondary_range_name  = google_compute_subnetwork.get-gke-credentials-private.secondary_ip_range[0].range_name
     services_secondary_range_name = google_compute_subnetwork.get-gke-credentials-private.secondary_ip_range[1].range_name
   }
@@ -182,6 +192,7 @@ resource "google_gke_hub_membership" "get-get-credentials-private" {
 
 resource "google_gke_hub_membership_iam_member" "get-gke-credentials-private" {
   project       = data.google_project.project.project_id
+  location      = google_gke_hub_membership.get-get-credentials-private.location
   membership_id = google_gke_hub_membership.get-get-credentials-private.membership_id
   role          = "roles/viewer"
   member        = "serviceAccount:${module.get-gke-credentials.service_account_email}"

diff --git a/project_ssh-compute.tf b/project_ssh-compute.tf
@@ -67,10 +67,13 @@ resource "tls_private_key" "ssh-compute" {
 }
 
 resource "google_compute_subnetwork" "ssh-compute" {
-  name          = "ssh-compute"
-  ip_cidr_range = "10.127.0.0/24"
-  region        = "us-central1"
-  network       = google_compute_network.network.id
+  name    = "ssh-compute"
+  region  = "us-central1"
+  network = google_compute_network.network.id
+
+  ip_cidr_range    = "10.1.0.0/24"
+  stack_type       = "IPV4_IPV6"
+  ipv6_access_type = "INTERNAL"
 
   private_ip_google_access = true
 }