Merge branch 'master' into google_gkehub_feature_membership

Julio Castillo
2023-01-23 09:11:49 +01:00
committed by GitHub
95 changed files with 2222 additions and 1453 deletions


@@ -1,4 +1,4 @@
# Api Gateway
# API Gateway
This module allows creating an API with its associated API config and API gateway. It also allows you grant IAM roles on the created resources.
# Examples
@@ -15,46 +15,46 @@ module "gateway" {
# ...
EOT
}
# tftest modules=1 resources=4
# tftest modules=1 resources=4 inventory=basic.yaml
```
## Basic example + customer service account
## Use existing service account
```hcl
module "gateway" {
source = "./fabric/modules/api-gateway"
project_id = "my-project"
api_id = "api"
region = "europe-west1"
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
service_account_email = "sa@my-project.iam.gserviceaccount.com"
iam = {
"roles/apigateway.admin" = ["user:user@example.com"]
}
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
}
# tftest modules=1 resources=7
# tftest modules=1 resources=7 inventory=existing-sa.yaml
```
## Basic example + service account creation
## Create service account
```hcl
module "gateway" {
source = "./fabric/modules/api-gateway"
project_id = "my-project"
api_id = "api"
region = "europe-west1"
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
service_account_create = true
iam = {
"roles/apigateway.admin" = ["user:mirene@google.com"]
"roles/apigateway.viewer" = ["user:mirene@google.com"]
}
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
}
# tftest modules=1 resources=11
# tftest modules=1 resources=11 inventory=create-sa.yaml
```
<!-- BEGIN TFDOC -->


@@ -21,7 +21,7 @@ module "private-dns" {
"A myhost" = { ttl = 600, records = ["10.0.0.120"] }
}
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=private-zone.yaml
```
### Forwarding Zone
@@ -36,7 +36,7 @@ module "private-dns" {
client_networks = [var.vpc.self_link]
forwarders = { "10.0.1.1" = null, "1.2.3.4" = "private" }
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=forwarding-zone.yaml
```
### Peering Zone
@@ -47,11 +47,12 @@ module "private-dns" {
project_id = "myproject"
type = "peering"
name = "test-example"
domain = "test.example."
domain = "."
description = "Forwarding zone for ."
client_networks = [var.vpc.self_link]
peer_network = var.vpc2.self_link
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=peering-zone.yaml
```
### Routing Policies
@@ -84,7 +85,7 @@ module "private-dns" {
}
}
}
# tftest modules=1 resources=4
# tftest modules=1 resources=4 inventory=routing-policies.yaml
```
### Reverse Lookup Zone
@@ -98,7 +99,23 @@ module "private-dns" {
domain = "0.0.10.in-addr.arpa."
client_networks = [var.vpc.self_link]
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=reverse-zone.yaml
```
### Public Zone
```hcl
module "public-dns" {
source = "./fabric/modules/dns"
project_id = "myproject"
type = "public"
name = "example"
domain = "example.com."
recordsets = {
"A myhost" = { ttl = 300, records = ["127.0.0.1"] }
}
}
# tftest modules=1 resources=3 inventory=public-zone.yaml
```
<!-- BEGIN TFDOC -->


@@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@@ -8,50 +8,46 @@ module "bucket" {
project_id = "myproject"
prefix = "test"
name = "my-bucket"
versioning = true
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
labels = {
cost-center = "devops"
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=2 inventory=simple.yaml
```
### Example with Cloud KMS
```hcl
module "bucket" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
source = "./fabric/modules/gcs"
project_id = "myproject"
name = "my-bucket"
encryption_key = "my-encryption-key"
}
# tftest modules=1 resources=2
# tftest modules=1 resources=1 inventory=cmek.yaml
```
### Example with retention policy
### Example with retention policy and logging
```hcl
module "bucket" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
retention_policy = {
retention_period = 100
is_locked = true
}
logging_config = {
log_bucket = var.bucket
log_bucket = "log-bucket"
log_object_prefix = null
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=1 inventory=retention-logging.yaml
```
### Example with lifecycle rule
@@ -60,11 +56,7 @@ module "bucket" {
module "bucket" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
lifecycle_rules = {
lr-0 = {
action = {
@@ -77,7 +69,7 @@ module "bucket" {
}
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=1 inventory=lifecycle.yaml
```
### Minimal example with GCS notifications
@@ -86,7 +78,6 @@ module "bucket" {
module "bucket-gcs-notification" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
notification_config = {
enabled = true
@@ -97,7 +88,7 @@ module "bucket-gcs-notification" {
custom_attributes = {}
}
}
# tftest modules=1 resources=4
# tftest modules=1 resources=4 inventory=notification.yaml
```
<!-- BEGIN TFDOC -->


@@ -33,7 +33,7 @@ module "cluster-1" {
environment = "dev"
}
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=basic.yaml
```
### GKE Cluster with Dataplane V2 enabled
@@ -42,7 +42,7 @@ module "cluster-1" {
module "cluster-1" {
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-1"
name = "cluster-dataplane-v2"
location = "europe-west1-b"
vpc_config = {
network = var.vpc.self_link
@@ -68,8 +68,36 @@ module "cluster-1" {
environment = "dev"
}
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=dataplane-v2.yaml
```
### Autopilot Cluster
```hcl
module "cluster-autopilot" {
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-autopilot"
location = "europe-west1-b"
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_names = {
pods = "pods"
services = "services"
}
master_authorized_ranges = {
internal-vms = "10.0.0.0/8"
}
master_ipv4_cidr_block = "192.168.0.0/28"
}
enable_features = {
autopilot = true
}
}
# tftest modules=1 resources=1 inventory=autopilot.yaml
```
<!-- BEGIN TFDOC -->
## Variables


@@ -16,7 +16,7 @@ module "cluster-1-nodepool-1" {
location = "europe-west1-b"
name = "nodepool-1"
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=basic.yaml
```
### Internally managed service account
@@ -27,22 +27,11 @@ If you create a new service account, its resource and email (in both plain and I
#### GCE default service account
To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`.
```hcl
module "cluster-1-nodepool-1" {
source = "./fabric/modules/gke-nodepool"
project_id = "myproject"
cluster_name = "cluster-1"
location = "europe-west1-b"
name = "nodepool-1"
}
# tftest modules=1 resources=1
```
To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`. This is what the first example of this document does.
#### Externally defined service account
To use an existing service account, pass in just the `email` attribute.
To use an existing service account, pass in just the `email` attribute. If you do this, will most likely want to use the `cloud-platform` scope.
```hcl
module "cluster-1-nodepool-1" {
@@ -52,10 +41,11 @@ module "cluster-1-nodepool-1" {
location = "europe-west1-b"
name = "nodepool-1"
service_account = {
email = "foo-bar@myproject.iam.gserviceaccount.com"
email = "foo-bar@myproject.iam.gserviceaccount.com"
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=external-sa.yaml
```
#### Auto-created service account
@@ -70,12 +60,48 @@ module "cluster-1-nodepool-1" {
location = "europe-west1-b"
name = "nodepool-1"
service_account = {
create = true
# optional
email = "spam-eggs"
create = true
email = "spam-eggs" # optional
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=2 inventory=create-sa.yaml
```
### Node & node pool configuration
```hcl
module "cluster-1-nodepool-1" {
source = "./fabric/modules/gke-nodepool"
project_id = "myproject"
cluster_name = "cluster-1"
location = "europe-west1-b"
name = "nodepool-1"
labels = { environment = "dev" }
service_account = {
create = true
email = "nodepool-1" # optional
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
node_config = {
machine_type = "n2-standard-2"
disk_size_gb = 50
disk_type = "pd-ssd"
ephemeral_ssd_count = 1
gvnic = true
spot = true
}
nodepool_config = {
autoscaling = {
max_node_count = 10
min_node_count = 1
}
management = {
auto_repair = true
auto_upgrade = false
}
}
}
# tftest modules=1 resources=2 inventory=config.yaml
```
<!-- BEGIN TFDOC -->
@@ -97,7 +123,7 @@ module "cluster-1-nodepool-1" {
| [nodepool_config](variables.tf#L115) | Nodepool-level configuration. | <code title="object&#40;&#123;&#10; autoscaling &#61; optional&#40;object&#40;&#123;&#10; location_policy &#61; optional&#40;string&#41;&#10; max_node_count &#61; optional&#40;number&#41;&#10; min_node_count &#61; optional&#40;number&#41;&#10; use_total_nodes &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; management &#61; optional&#40;object&#40;&#123;&#10; auto_repair &#61; optional&#40;bool&#41;&#10; auto_upgrade &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; upgrade_settings &#61; optional&#40;object&#40;&#123;&#10; max_surge &#61; number&#10; max_unavailable &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [pod_range](variables.tf#L137) | Pod secondary range configuration. | <code title="object&#40;&#123;&#10; secondary_pod_range &#61; object&#40;&#123;&#10; cidr &#61; optional&#40;string&#41;&#10; create &#61; optional&#40;bool&#41;&#10; name &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [reservation_affinity](variables.tf#L154) | Configuration of the desired reservation which instances could take capacity from. | <code title="object&#40;&#123;&#10; consume_reservation_type &#61; string&#10; key &#61; optional&#40;string&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, false&#41;&#10; email &#61; optional&#40;string, null&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, false&#41;&#10; email &#61; optional&#40;string&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [sole_tenant_nodegroup](variables.tf#L175) | Sole tenant node group. | <code>string</code> | | <code>null</code> |
| [tags](variables.tf#L181) | Network tags applied to nodes. | <code>list&#40;string&#41;</code> | | <code>null</code> |
| [taints](variables.tf#L187) | Kubernetes taints applied to all nodes. | <code title="list&#40;object&#40;&#123;&#10; key &#61; string&#10; value &#61; string&#10; effect &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>null</code> |


@@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -165,8 +165,8 @@ variable "service_account" {
description = "Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used."
type = object({
create = optional(bool, false)
email = optional(string, null)
oauth_scopes = optional(list(string), null)
email = optional(string)
oauth_scopes = optional(list(string))
})
default = {}
nullable = false
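Review bot: The description on the first line of the hunk still says a service account is created when `email` is null, but the type two lines below defaults `create` to `false`, so an empty `{}` (which is also the declared default) presumably falls through to the GCE default service account rather than creating one; the wording should follow the `create` flag, e.g. `If create is true a service account is created (email optionally names it); otherwise the given email is used, or the GCE default service account when none is given. If oauth_scopes is null a default is used.` Since the GCE default account is the implicit fallback and typically carries broad project permissions, the description would also usefully point readers to `create = true` with the cloud-platform scope as the least-privilege choice, matching what the README already recommends. The `variable "service_account"` block opens above the hunk and its closing brace is below it.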


@@ -30,7 +30,88 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=simple.yaml
```
### Subnet Options
```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = [
# simple subnet
{
name = "simple"
region = "europe-west1"
ip_cidr_range = "10.0.0.0/24"
},
# custom description and PGA disabled
{
name = "no-pga"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24",
description = "Subnet b"
enable_private_access = false
},
# secondary ranges
{
name = "with-secondary-ranges"
region = "europe-west1"
ip_cidr_range = "10.0.2.0/24"
secondary_ip_ranges = {
a = "192.168.0.0/24"
b = "192.168.1.0/24"
}
},
# enable flow logs
{
name = "with-flow-logs"
region = "europe-west1"
ip_cidr_range = "10.0.3.0/24"
flow_logs_config = {
flow_sampling = 0.5
aggregation_interval = "INTERVAL_10_MIN"
}
}
]
}
# tftest modules=1 resources=5 inventory=subnet-options.yaml
```
### Subnet IAM
```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = [
{
name = "subnet-1"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24"
},
{
name = "subnet-2"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24"
}
]
subnet_iam = {
"europe-west1/subnet-1" = {
"roles/compute.networkUser" = [
"user:user1@example.com", "group:group1@example.com"
]
}
"europe-west1/subnet-2" = {
"roles/compute.networkUser" = [
"user:user2@example.com", "group:group2@example.com"
]
}
}
}
# tftest modules=1 resources=5 inventory=subnet-iam.yaml
```
### Peering
@@ -65,7 +146,7 @@ module "vpc-spoke-1" {
import_routes = true
}
}
# tftest modules=2 resources=6
# tftest modules=2 resources=6 inventory=peering.yaml
```
### Shared VPC
@@ -116,7 +197,7 @@ module "vpc-host" {
}
}
}
# tftest modules=1 resources=7
# tftest modules=1 resources=7 inventory=shared-vpc.yaml
```
### Private Service Networking
@@ -137,7 +218,7 @@ module "vpc" {
ranges = { myrange = "10.0.1.0/24" }
}
}
# tftest modules=1 resources=5
# tftest modules=1 resources=5 inventory=psc.yaml
```
### Private Service Networking with peering routes
@@ -162,7 +243,7 @@ module "vpc" {
import_routes = true
}
}
# tftest modules=1 resources=5
# tftest modules=1 resources=5 inventory=psc-routes.yaml
```
### Subnets for Private Service Connect, Proxy-only subnets
@@ -194,7 +275,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml
```
### DNS Policies
@@ -219,7 +300,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=dns-policies.yaml
```
### Subnet Factory
@@ -233,11 +314,17 @@ module "vpc" {
name = "my-network"
data_folder = "config/subnets"
}
# tftest modules=1 resources=2 files=subnets
# tftest modules=1 resources=3 files=subnet-simple,subnet-detailed inventory=factory.yaml
```
```yaml
# tftest-file id=subnets path=config/subnets/subnet-name.yaml
# tftest-file id=subnet-simple path=config/subnets/subnet-simple.yaml
region: europe-west4
ip_cidr_range: 10.0.1.0/24
```
```yaml
# tftest-file id=subnet-detailed path=config/subnets/subnet-detailed.yaml
region: europe-west1
description: Sample description
ip_cidr_range: 10.0.0.0/24
@@ -254,7 +341,45 @@ flow_logs: # enable, set to empty map to use defaults
metadata: "INCLUDE_ALL_METADATA"
filter_expression: null
```
<!-- BEGIN TFDOC -->
### Custom Routes
VPC routes can be configured through the `routes` variable.
```hcl
locals {
route_types = {
gateway = "global/gateways/default-internet-gateway"
instance = "zones/europe-west1-b/test"
ip = "192.168.0.128"
ilb = "regions/europe-west1/forwardingRules/test"
vpn_tunnel = "regions/europe-west1/vpnTunnels/foo"
}
}
module "vpc" {
source = "./fabric/modules/net-vpc"
for_each = local.route_types
project_id = "my-project"
name = "my-network-with-route-${replace(each.key, "_", "-")}"
routes = {
next-hop = {
dest_range = "192.168.128.0/24"
tags = null
next_hop_type = each.key
next_hop = each.value
}
gateway = {
dest_range = "0.0.0.0/0",
priority = 100
tags = ["tag-a"]
next_hop_type = "gateway",
next_hop = "global/gateways/default-internet-gateway"
}
}
}
# tftest modules=5 resources=15 inventory=routes.yaml
```
## Variables


@@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -109,7 +109,7 @@ resource "google_dns_policy" "default" {
)
iterator = ns
content {
ipv4_address = ns.key
ipv4_address = ns.value
forwarding_path = "private"
}
}
@@ -121,7 +121,7 @@ resource "google_dns_policy" "default" {
)
iterator = ns
content {
ipv4_address = ns.key
ipv4_address = ns.value
}
}
}
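Review bot: The switch from `ns.key` to `ns.value` in both `content` blocks of this file makes the forwarder address depend on the shape of the `for_each` expression whose closing `)` is the first line of each hunk, and that expression itself is outside the hunk, so a reader cannot tell from the diff which side of the iterated collection holds the IPv4 address. A one-line comment above each `ipv4_address` assignment would prevent a regression back to `ns.key`, e.g. `# ns.value carries the forwarder IPv4 address; ns.key is only the map key`. The same change appears in the second hunk of this section (the block without `forwarding_path`), and the enclosing `resource "google_dns_policy" "default"` block starts above both hunks.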