Cloud Workstations Cluster
This simple setup allows creating and configuring one Cloud Workstation Cluster, and an arbitrary number of workstation configurations and workstations via a dedicated factory.
Prerequisites
The project.yaml file describes the project-level configuration needed in terms of API activation and IAM bindings.
If you are deploying this inside a FAST-enabled organization, the file can be lightly edited to match your configuration, and then used directly in the project factory.
This Terraform can of course be deployed using any pre-existing project. In that case use the YAML file to determine the configuration you need to set on the project:
- enable the APIs listed under `services`
- grant the permissions listed under `iam` to the principal running Terraform, either machine (service account) or human
VPC-SC Integration
This example assumes a private cluster is needed, and provisions a PSC Endpoint for private connectivity. For more details on private clusters and VPC-SC see this documentation page.
An additional egress policy is needed to allow monitoring traffic for the cluster to the tenant project on the Google side. The following snippet can be added to the egress policy factory in the VPC-SC stage, and edited so that the project numbers match your environment. It should of course also be enabled in the perimeter definition.

```yaml
from:
  identities:
    - serviceAccount:service-1234567890@gcp-sa-workstations.iam.gserviceaccount.com
  resources:
    - projects/3456789012
to:
  operations:
    - service_name: monitoring.googleapis.com
      method_selectors:
        - "*"
  resources:
    - projects/1234567890
```
Additional Configuration Steps
The workstations are accessible via the PSC Endpoint, once a DNS record has been configured so that the cluster hostname resolves to the endpoint address on the consumer VPC. The cluster hostname is available from this example's outputs.
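The two manual steps above, the project prerequisites taken from `project.yaml` and the private DNS record for the cluster hostname, are easy to get subtly wrong when done by hand. The following helper is an added example, not code from this template or from Fabric: it derives the `gcloud` commands for both steps from a constructed stand-in for `project.yaml` (assumed structure: a `services` list and an `iam` map of role to principals) and from the cluster hostname plus the `psc_endpoint_address` set in `network_config`. It assumes that workstation hostnames are subdomains of the cluster hostname, so a wildcard A record under the cluster name is created, and it refuses primitive roles, malformed principals and non-private endpoint addresses rather than emitting a command that would grant too much or point outside the VPC.

```python
"""Derive gcloud commands for the Cloud Workstations example prerequisites.

Added example, not part of the Fabric template. PROJECT_CONFIG is a constructed
stand-in for project.yaml; a real file would be loaded with yaml.safe_load().
"""
import ipaddress
import re
import shlex

# Constructed sample of project.yaml (assumed layout: services list, iam map).
PROJECT_CONFIG = {
    "services": [
        "workstations.googleapis.com",
        "compute.googleapis.com",
        "monitoring.googleapis.com",
    ],
    "iam": {
        "roles/workstations.admin": [
            "serviceAccount:tf-ws@my-project.iam.gserviceaccount.com",
        ],
        "roles/compute.networkUser": [
            "serviceAccount:tf-ws@my-project.iam.gserviceaccount.com",
            "user:alice@example.com",
        ],
    },
}

# Only principal types the factory normally carries; anything else is a typo.
PRINCIPAL_RE = re.compile(r"^(user|serviceAccount|group):[^@\s]+@[^@\s]+$")
# Roles the template never needs; granting them to the Terraform principal
# defeats the point of listing explicit roles in project.yaml.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def prerequisite_commands(project_id: str, config: dict) -> list[str]:
    """Return the gcloud commands enabling services and granting IAM bindings."""
    cmds = []
    services = config.get("services", [])
    if services:
        cmds.append(
            f"gcloud services enable {' '.join(services)} "
            f"--project={shlex.quote(project_id)}"
        )
    for role, members in config.get("iam", {}).items():
        if not role.startswith("roles/"):
            raise ValueError(f"unexpected role format: {role}")
        if role in PRIMITIVE_ROLES:
            raise ValueError(f"refusing to grant primitive role {role}")
        for member in members:
            if not PRINCIPAL_RE.match(member):
                raise ValueError(f"malformed principal: {member}")
            cmds.append(
                f"gcloud projects add-iam-policy-binding {shlex.quote(project_id)} "
                f"--member={shlex.quote(member)} --role={role}"
            )
    return cmds


def dns_commands(project_id: str, network: str, hostname: str,
                 psc_endpoint_address: str) -> list[str]:
    """Return gcloud commands creating a private zone for the cluster hostname
    and a wildcard A record that sends every workstation name below it to the
    PSC endpoint. The endpoint must be a private IPv4 address on the VPC."""
    ip = ipaddress.ip_address(psc_endpoint_address)
    if ip.version != 4 or not ip.is_private:
        raise ValueError(f"PSC endpoint must be a private IPv4 address: {ip}")
    hostname = hostname.rstrip(".")
    # Managed zone names allow lowercase letters, digits and hyphens only.
    zone = re.sub(r"[^a-z0-9-]", "-", hostname.lower()).strip("-")[:63]
    return [
        f"gcloud dns managed-zones create {zone} --project={shlex.quote(project_id)} "
        f"--dns-name={hostname}. --visibility=private --networks={network} "
        f"--description='Cloud Workstations private cluster {hostname}'",
        f"gcloud dns record-sets create '*.{hostname}.' "
        f"--project={shlex.quote(project_id)} --zone={zone} "
        f"--type=A --ttl=300 --rrdatas={ip}",
    ]


if __name__ == "__main__":
    for c in prerequisite_commands("my-project", PROJECT_CONFIG):
        print(c)
    for c in dns_commands(
        "my-project",
        "projects/ldj-prod-net-landing-0/global/networks/prod-landing-0",
        "cluster-abc123.cloudworkstations.dev",  # constructed hostname
        "10.0.18.10",
    ):
        print(c)
```

Review the printed commands before running them; the zone and record are created in the workstations project, so the principal running them needs DNS administration rights there in addition to the roles listed in `project.yaml`.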
Variable Configuration
This is an example of a variable file for running this stage. Only `project_id` and `network_config` are required; the remaining variables have defaults that can be left in place unless the cluster id, labels, annotations or private cluster settings need changing.

```hcl
project_id = "my-project"
location   = "europe-west3"
network_config = {
  network              = "projects/ldj-prod-net-landing-0/global/networks/prod-landing-0"
  subnetwork           = "projects/ldj-prod-net-landing-0/regions/europe-west8/subnetworks/ws"
  psc_endpoint_address = "10.0.18.10"
}
# tftest skip
```
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| network_config | VPC and subnet for the cluster. | object({…}) | ✓ | |
| project_id | Project id where the cluster will be created. | string | ✓ | |
| annotations | Workstation cluster annotations. | map(string) | | {} |
| context | Context-specific interpolations. | object({…}) | | {} |
| display_name | Display name. | string | | null |
| domain | Domain. | string | | null |
| factories_config | Path to folder with YAML resource description data files. | object({…}) | | {} |
| id | Workstation cluster ID. | string | | "ws-cluster-0" |
| labels | Workstation cluster labels. | map(string) | | {} |
| private_cluster_config | Private cluster config. | object({…}) | | {} |
| service_accounts | Project factory managed service accounts to populate context. | map(object({…})) | | {} |
Outputs
| name | description | sensitive |
|---|---|---|
| hostname | Cluster hostname. | |
Test
```hcl
module "test" {
  source     = "./fabric/fast/project-templates/os-apt-registries"
  project_id = "my-project"
  location   = "europe-west3"
  apt_remote_registries = [
    { path = "DEBIAN debian/dists/bookworm" },
    {
      path = "DEBIAN debian-security/dists/bookworm-security"
      # grant specific access permissions to this registry
      writer_principals = [
        "serviceAccount:vm-default@prod-proj-0.iam.gserviceaccount.com"
      ]
    }
  ]
}
# tftest modules=3 resources=4
```