fmt and only vpc

Florencia Comuzzi · Florencia Comuzzi · commit 1beb22e76cce · 2025-03-09T17:10:29.000-04:00
diff --git a/main.tf b/main.tf
@@ -1,59 +1,39 @@
-module "gke_public" {
-  source     = "terraform-google-modules/kubernetes-engine/google"
-  project_id = var.project_id
-  name       = var.cluster_name
-  region     = var.region
-  network    = var.network_name
-  subnetwork = var.subnet_name
-
-  ip_range_pods     = "gke-pods"
-  ip_range_services = "gke-services"
-
-  # enable_private_nodes     = false # Public cluster
-  # enable_private_endpoint  = false # Public API endpoint
-  # enable_ip_masq_agent     = true
-  remove_default_node_pool = true
-
-  node_pools = [
-    {
-      name         = "default-pool"
-      machine_type = "e2-medium"
-      min_count    = 1
-      max_count    = 3
-      disk_size_gb = 50
-      autoscaling  = true
-    }
-  ]
-
-  node_pools_oauth_scopes = {
-    all = [
-      "https://www.googleapis.com/auth/cloud-platform"
-    ]
-  }
-}
-
 module "vpc" {
-  source       = "terraform-google-modules/network/google"
-  project_id   = var.project_id
-  network_name = var.network_name
-  subnets = [
-    {
-      subnet_name   = var.subnet_name
-      subnet_ip     = var.subnet_cidr
-      subnet_region = var.region
-    }
-  ]
-  secondary_ranges = {
-    subnet-01 = [
-      {
-        range_name    = "services"
-        ip_cidr_range = "192.168.0.0/24"
-      },
-      {
-        range_name    = "pods"
-        ip_cidr_range = "192.168.64.0/24"
-      },
-    ]
-    subnet-02 = []
-  }
+  source                        = "modules/vpc"
+  network_name                  = var.network_name
+  subnet_cidr                   = var.subnet_cidr
+  subnet_name                   = var.subnet_name
+  cluster_secondary_range_name  = var.cluster_secondary_range_name
+  cluster_secondary_range_cidr  = var.cluster_secondary_range_cidr
+  services_secondary_range_name = var.services_secondary_range_name
+  services_secondary_range_cidr = var.services_secondary_range_cidr
 }
+
+
+# Optional: Create a GKE Cluster
+# resource "google_container_cluster" "gke_cluster" {
+#   name               = "gke-cluster"
+#   location           = "us-central1"
+#   network            = var.network_name
+#   subnetwork        = var.subnet_name
+#   remove_default_node_pool = true
+#
+#   ip_allocation_policy {
+#     cluster_secondary_range_name  = var.cluster_secondary_range_name
+#     services_secondary_range_name = var.services_secondary_range_name
+#   }
+# }
+#
+# # Node pool for GKE Cluster
+# resource "google_container_node_pool" "gke_nodes" {
+#   name       = "gke-node-pool"
+#   location   = "us-central1"
+#   cluster    = google_container_cluster.gke_cluster.name
+#   node_count = 3
+#
+#   node_config {
+#     machine_type = "e2-standard-4"
+#     disk_size_gb = 100
+#     oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+#   }
+# }
diff --git a/modules/vpc/README.md b/modules/vpc/README.md
@@ -0,0 +1,38 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_firewall.allow-health-checks](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.allow-internal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_network.vpc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network) | resource |
+| [google_compute_subnetwork.gke_subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_network_name"></a> [network\_name](#input\_network\_name) | The name of the VPC network | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP project id | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | GCP region | `string` | `"us-east1"` | no |
+| <a name="input_subnet_cidr"></a> [subnet\_cidr](#input\_subnet\_cidr) | The CIDR block for the subnet | `string` | n/a | yes |
+| <a name="input_subnet_name"></a> [subnet\_name](#input\_subnet\_name) | The name of the subnet | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
@@ -0,0 +1,58 @@
+# Create a VPC Network
+resource "google_compute_network" "vpc" {
+  name                    = var.network_name
+  auto_create_subnetworks = false
+}
+
+# Create a Subnet for GKE with Secondary Ranges
+resource "google_compute_subnetwork" "gke_subnet" {
+  name          = var.subnet_name
+  network       = google_compute_network.vpc.id
+  ip_cidr_range = var.subnet_cidr
+  region        = var.region
+
+  secondary_ip_range {
+    range_name    = var.cluster_secondary_range_name
+    ip_cidr_range = var.cluster_secondary_range_cidr
+  }
+
+  secondary_ip_range {
+    range_name    = var.services_secondary_range_name
+    ip_cidr_range = var.services_secondary_range_cidr
+  }
+}
+
+# Firewall rules for GKE communication
+resource "google_compute_firewall" "allow-internal" {
+  name    = "gke-allow-internal"
+  network = google_compute_network.vpc.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "icmp"
+  }
+
+  source_ranges = [var.subnet_cidr]
+}
+
+# Firewall rule to allow health checks
+resource "google_compute_firewall" "allow-health-checks" {
+  name    = "gke-allow-health-checks"
+  network = google_compute_network.vpc.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["10256", "15017"] # Common ports for health checks
+  }
+
+  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"] # Google Cloud health check IPs
+}
diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf
@@ -0,0 +1,49 @@
+variable "project_id" {
+  type        = string
+  description = "GCP project id"
+}
+
+variable "region" {
+  type        = string
+  default     = "us-east1"
+  description = "GCP region"
+}
+
+variable "network_name" {
+  description = "The name of the VPC network"
+  type        = string
+}
+
+variable "subnet_name" {
+  description = "The name of the subnet"
+  type        = string
+}
+
+variable "subnet_cidr" {
+  description = "The CIDR block for the subnet"
+  type        = string
+}
+
+variable "cluster_secondary_range_name" {
+  type        = string
+  default     = "gke-pods"
+  description = "The name of the secondary range to use for pods"
+}
+
+variable "services_secondary_range_name" {
+  type        = string
+  default     = "gke-services"
+  description = "The name of the secondary range to use for services"
+}
+
+variable "cluster_secondary_range_cidr" {
+  type        = string
+  default     = "10.20.0.0/16"
+  description = "The secondary range to use for pods"
+}
+
+variable "services_secondary_range_cidr" {
+  type        = string
+  default     = "10.30.0.0/16"
+  description = "The name of the secondary range to use for services"
+}
diff --git a/variables.tf b/variables.tf
@@ -25,7 +25,30 @@ variable "subnet_cidr" {
   type        = string
 }
 
-variable "cluster_name" {
-  description = "The name of the GKE cluster"
+# variable "cluster_name" {
+#   description = "The name of the GKE cluster"
+#   type        = string
+# }
+
+variable "cluster_secondary_range_name" {
+  type        = string
+  default     = "gke-pods"
+  description = "The name of the secondary range to use for pods"
+}
+
+variable "services_secondary_range_name" {
+  type        = string
+  default     = "gke-services"
+  description = "The name of the secondary range to use for services"
+}
+
+variable "cluster_secondary_range_cidr" {
+  type        = string
+  description = "The secondary range to use for pods"
+}
+
+variable "services_secondary_range_cidr" {
   type        = string
+  default     = "10.30.0.0/16"
+  description = "The name of the secondary range to use for services"
 }
diff --git a/variables/prod.auto.tfvars b/variables/prod.auto.tfvars
@@ -2,5 +2,9 @@ project_id = "florenciacomuzzi"
 region = "us-east1"
 network_name = "florenciacomuzzi-vpc-prod"
 cluster_name = "florenciacomuzzi-cluster-prod"
-subnet_cidr = "10.0.0.0/12"
-subnet_name  = "my-subnet"
+subnet_cidr = "10.10.0.0/16"
+subnet_name  = "my-subnet"
+cluster_secondary_range_name="gke-pods"
+cluster_secondary_range_cidr="10.20.0.0/16"
+services_secondary_range_name="gke-services"
+services_secondary_range_cidr="10.30.0.0/16"
