Initial commit
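--- /dev/null
+++ b/.github/terraform/main.tf
@@ -0,0 +1,116 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Set defaults for the google Terraform provider.
+provider "google" {
+  project = var.project_id
+  region = "us-central1"
+  zone = "us-central1-a"
+}
+
+terraform {
+  # Store the state inside a Google Cloud Storage bucket.
+  backend "gcs" {
+    bucket = "cicd-terraform-state"
+    prefix = "terraform-state"
+  }
+}
+
+# Enable Google Cloud APIs.
+module "enable_google_apis" {
+  source = "terraform-google-modules/project-factory/google//modules/project_services"
+  version = "~> 18.0"
+  disable_services_on_destroy = false
+  activate_apis = [
+    "cloudresourcemanager.googleapis.com",
+    "container.googleapis.com",
+    "iam.googleapis.com",
+    "storage.googleapis.com",
+  ]
+  project_id = var.project_id
+}
+
+# Google Cloud Storage for storing Terraform state (.tfstate).
+resource "google_storage_bucket" "terraform_state_storage_bucket" {
+  name = "cicd-terraform-state"
+  location = "us"
+  storage_class = "STANDARD"
+  force_destroy = false
+  public_access_prevention = "enforced"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = true
+  }
+}
+
+# Google Cloud IAM service account for GKE clusters.
+# We avoid using the Compute Engine default service account because it's too permissive.
+resource "google_service_account" "gke_clusters_service_account" {
+  account_id = "gke-clusters-service-account"
+  display_name = "My Service Account"
+  depends_on = [
+    module.enable_google_apis
+  ]
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" {
+  project = var.project_id
+  role = "roles/monitoring.metricWriter"
+  member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" {
+  project = var.project_id
+  role = "roles/logging.logWriter"
+  member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" {
+  project = var.project_id
+  role = "roles/monitoring.viewer"
+  member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" {
+  project = var.project_id
+  role = "roles/stackdriver.resourceMetadata.writer"
+  member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# The GKE cluster used for pull-request (PR) staging deployments.
+resource "google_container_cluster" "prs_gke_cluster" {
+  name = "prs-gke-cluster"
+  location = "us-central1"
+  enable_autopilot = true
+  project = var.project_id
+  deletion_protection = true
+  depends_on = [
+    module.enable_google_apis
+  ]
+  cluster_autoscaling {
+    auto_provisioning_defaults {
+      service_account = google_service_account.gke_clusters_service_account.email
+    }
+  }
+  # Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints.
+  # Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630
+  ip_allocation_policy {
+  }
+}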
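Review bot: The `terraform {}` block pins the backend but not the google provider, so every CI `terraform init` resolves whichever `hashicorp/google` release is newest and a new major version can change resource defaults without a reviewed change; the project-services module is already pinned with `version = "~> 18.0"`, and the provider should get the same treatment through `required_providers`, ideally with a `required_version` constraint for the CLI as well. The `terraform_state_storage_bucket` resource is the very bucket the backend writes state to, so it should also carry `lifecycle { prevent_destroy = true }` — `force_destroy = false` only makes the API reject deleting a non-empty bucket, it does not stop Terraform from planning that destroy. The service account's `display_name = "My Service Account"` looks like a template leftover; `display_name = "GKE clusters node service account"` would describe what it is for.
```hcl
terraform {
  # Pin the provider so CI runs are reproducible and a new major release
  # cannot change resource behaviour without a reviewed bump.
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> PROVIDER_MAJOR_VERSION_PLACEHOLDER" # placeholder: the major version this config was tested against
    }
  }
  # … unchanged: backend "gcs" block …
}
```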