Subodh
dafcd9777f
Some checks failed
Continuous Integration - Pull Request / code-tests (pull_request) Has been cancelled
Continuous Integration - Pull Request / deployment-tests (local-code) (pull_request) Has been cancelled
helm-chart-ci / helm-chart-ci (pull_request) Has been cancelled
kubevious-manifests-ci / kubevious-manifests-ci (pull_request) Has been cancelled
kustomize-build-ci / kustomize-build-ci (pull_request) Has been cancelled
terraform-validate-ci / terraform-validate-ci (pull_request) Has been cancelled
Clean up deployment / cleanup-namespace (pull_request) Has been cancelled
Continuous Integration - Main/Release / code-tests (push) Has been cancelled
Continuous Integration - Main/Release / deployment-tests (local-code) (push) Has been cancelled
helm-chart-ci / helm-chart-ci (push) Has been cancelled
kubevious-manifests-ci / kubevious-manifests-ci (push) Has been cancelled
kustomize-build-ci / kustomize-build-ci (push) Has been cancelled
terraform-validate-ci / terraform-validate-ci (push) Has been cancelled
117 lines
4.2 KiB
HCL
117 lines
4.2 KiB
HCL
/**
|
|
* Copyright 2024 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
# Set defaults for the google Terraform provider.
|
|
provider "google" {
|
|
project = var.project_id
|
|
region = "us-central1"
|
|
zone = "us-central1-a"
|
|
}
|
|
|
|
terraform {
|
|
# Store the state inside a Google Cloud Storage bucket.
|
|
backend "gcs" {
|
|
bucket = "cicd-terraform-state"
|
|
prefix = "terraform-state"
|
|
}
|
|
}
|
|
|
|
# Enable Google Cloud APIs.
|
|
module "enable_google_apis" {
|
|
source = "terraform-google-modules/project-factory/google//modules/project_services"
|
|
version = "~> 18.0"
|
|
disable_services_on_destroy = false
|
|
activate_apis = [
|
|
"cloudresourcemanager.googleapis.com",
|
|
"container.googleapis.com",
|
|
"iam.googleapis.com",
|
|
"storage.googleapis.com",
|
|
]
|
|
project_id = var.project_id
|
|
}
|
|
|
|
# Google Cloud Storage for storing Terraform state (.tfstate).
|
|
resource "google_storage_bucket" "terraform_state_storage_bucket" {
|
|
name = "cicd-terraform-state"
|
|
location = "us"
|
|
storage_class = "STANDARD"
|
|
force_destroy = false
|
|
public_access_prevention = "enforced"
|
|
uniform_bucket_level_access = true
|
|
versioning {
|
|
enabled = true
|
|
}
|
|
}
|
|
|
|
# Google Cloud IAM service account for GKE clusters.
|
|
# We avoid using the Compute Engine default service account because it's too permissive.
|
|
resource "google_service_account" "gke_clusters_service_account" {
|
|
account_id = "gke-clusters-service-account"
|
|
display_name = "My Service Account"
|
|
depends_on = [
|
|
module.enable_google_apis
|
|
]
|
|
}
|
|
|
|
# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
|
|
resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" {
|
|
project = var.project_id
|
|
role = "roles/monitoring.metricWriter"
|
|
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
|
|
}
|
|
|
|
# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
|
|
resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" {
|
|
project = var.project_id
|
|
role = "roles/logging.logWriter"
|
|
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
|
|
}
|
|
|
|
# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
|
|
resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" {
|
|
project = var.project_id
|
|
role = "roles/monitoring.viewer"
|
|
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
|
|
}
|
|
|
|
# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
|
|
resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" {
|
|
project = var.project_id
|
|
role = "roles/stackdriver.resourceMetadata.writer"
|
|
member = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
|
|
}
|
|
|
|
# The GKE cluster used for pull-request (PR) staging deployments.
|
|
resource "google_container_cluster" "prs_gke_cluster" {
|
|
name = "prs-gke-cluster"
|
|
location = "us-central1"
|
|
enable_autopilot = true
|
|
project = var.project_id
|
|
deletion_protection = true
|
|
depends_on = [
|
|
module.enable_google_apis
|
|
]
|
|
cluster_autoscaling {
|
|
auto_provisioning_defaults {
|
|
service_account = google_service_account.gke_clusters_service_account.email
|
|
}
|
|
}
|
|
# Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints.
|
|
# Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630
|
|
ip_allocation_policy {
|
|
}
|
|
}
|