create public cluster module

Florencia Comuzzi · Florencia Comuzzi · commit 1f96ef7b76c1 · 2025-03-09T15:53:02.000-04:00
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -18,11 +18,6 @@ on:
 env:
  # verbosity setting for Terraform logs
  TF_LOG: INFO
-# # Credentials for deployment to AWS
-# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-# # S3 bucket for the Terraform state
-# BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE}}
 
 jobs:
  terraform:
diff --git a/docs/NETWORKING.md b/docs/NETWORKING.md
@@ -0,0 +1,28 @@
+# Networking Concerns
+GCP offers two GKE cluster modes: Standard and Autopilot. You cannot control the nodes in Autopilot 
+mode so this module uses the Standard mode. In Standard clusters, you have full control over the 
+nodes, and thus, you manage the networking aspects yourself.
+
+
+
+The subnet should accommodate the maximum number of nodes that you expect in the cluster and the 
+internal load balancer IP addresses across the cluster using the subnet.
+
+You can use the cluster autoscaler to limit the maximum number of nodes.
+The Pod and service IP address ranges are represented as distinct secondary ranges of your subnet, 
+implemented as alias IP addresses in VPC-native clusters.
+
+Choose wide enough IP address ranges so that you can accommodate all nodes, Pods, and Services for 
+the cluster.
+
+Consider the following limitations:
+
+* You can expand primary IP address ranges but you cannot shrink them. These IP address ranges cannot 
+be discontiguous.
+* You can expand the Pod range by appending additional Pod ranges to the cluster or creating new node 
+pools with other secondary Pod ranges.
+* The secondary IP address range for Services cannot be expanded or changed over the life of the 
+cluster.
+* Review the limitations for the secondary IP address range for Pods and Services.
+
+https://cloud.google.com/kubernetes-engine/docs/best-practices/networking
diff --git a/docs/SETUP.md b/docs/SETUP.md
@@ -1,4 +1,4 @@
-# florenciacomuzzi-site-terraform
+# k8s-environment-terraform
 This repository contains Terraform code to create a Linode instance and deploy a website to it.
 The infrastructure is managed using Hashicorp Terraform Cloud. 
 Deployments are triggered from GitHub Actions workflows.
@@ -9,7 +9,6 @@ Deployments are triggered from GitHub Actions workflows.
 * Login to GCP account.
 * Create a service account like `k8s-environment-terraform-cicd` to use for CICD.
 * Create a service account JSON file.
-* Add as a repository secret by going to Settings > Secrets and variables > Actions. Name it GCP_CREDENTIALS and paste in the credentials JSON.
 * Create the buckets for Terraform state like `prod-tf-state-bucket`. The bucket names are specified in the `backend/{env}.tfvars` file.
 * Go to the bucket > Permissions > Add Member > Service Account > k8s-environment-terraform-cicd@florenciacomuzzi.iam.gserviceaccount.com > Role > 
   * Storage Object Admin
@@ -25,7 +24,7 @@ like `454824995744-compute@developer.gserviceaccount.com`. Go to IAM & Admin > S
 
 ### GitHub
 * Clone this repository. Name it like "mysite-site-terraform".
-* Create a TF_API_TOKEN repository secret by going to Settings > Secrets and variables > Actions. This secret is used by GitHub Actions to authenticate to Hashicorp Terraform Cloud during runs.
+* Add as a repository secret by going to Settings > Secrets and variables > Actions. Name it GCP_CREDENTIALS and paste in the credentials JSON.
 * Change the values of TF_CLOUD_ORGANIZATION and TF_WORKSPACE in .github/workflows/terraform-apply.yml and .github/workflows/terraform-plan.yml.
 
 
diff --git a/docs/TODO.md b/docs/TODO.md
diff --git a/docs/test-deployment.sh b/docs/test-deployment.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# installing kubectx and kubens is recommended
+# use gcloud to authenticate to kubernetes cluster
+# like gcloud container clusters get-credentials florenciacomuzzi-cluster-prod --region us-east1 --project florenciacomuzzi
+kubectl create deployment pingtest --image=busybox --replicas=3 -- sleep infinity
diff --git a/main.tf b/main.tf
@@ -1,47 +1,46 @@
-resource "google_compute_network" "default" {
-  name                     = var.vpc_name
-  auto_create_subnetworks  = false
-  enable_ula_internal_ipv6 = true
-}
-
-resource "google_compute_subnetwork" "default" {
-  name = "example-subnetwork"
-
-  ip_cidr_range = "10.0.0.0/16"
-  region        = var.region
-
-  stack_type       = "IPV4_IPV6"
-  ipv6_access_type = "INTERNAL" # Change to "EXTERNAL" if creating an external loadbalancer
-
-  network = google_compute_network.default.id
-  secondary_ip_range {
-    range_name    = "services-range"
-    ip_cidr_range = "192.168.0.0/24"
-  }
-
-  secondary_ip_range {
-    range_name    = "pod-ranges"
-    ip_cidr_range = "192.168.1.0/24"
+module "gke_public" {
+  source     = "terraform-google-modules/kubernetes-engine/google"
+  project_id = var.project_id
+  name       = var.cluster_name
+  region     = var.region
+  network    = module.vpc.network_name
+  subnetwork = module.vpc.subnet_name
+
+  ip_range_pods     = "gke-pods"
+  ip_range_services = "gke-services"
+
+  enable_private_nodes     = false # Public cluster
+  enable_private_endpoint  = false # Public API endpoint
+  enable_ip_masq_agent     = true
+  remove_default_node_pool = true
+
+  node_pools = [
+    {
+      name         = "default-pool"
+      machine_type = "e2-medium"
+      min_count    = 1
+      max_count    = 3
+      disk_size_gb = 50
+      autoscaling  = true
+    }
+  ]
+
+  node_pools_oauth_scopes = {
+    all = [
+      "https://www.googleapis.com/auth/cloud-platform"
+    ]
   }
 }
 
-resource "google_container_cluster" "default" {
-  name = var.cluster_name
-
-  location                 = var.region
-  enable_autopilot         = true
-  enable_l4_ilb_subsetting = true
-
-  network    = google_compute_network.default.id
-  subnetwork = google_compute_subnetwork.default.id
-
-  ip_allocation_policy {
-    stack_type                    = "IPV4_IPV6"
-    services_secondary_range_name = google_compute_subnetwork.default.secondary_ip_range[0].range_name
-    cluster_secondary_range_name  = google_compute_subnetwork.default.secondary_ip_range[1].range_name
-  }
-
-  # Set `deletion_protection` to `true` will ensure that one cannot
-  # accidentally delete this instance by use of Terraform.
-  deletion_protection = false
-}
+module "vpc" {
+  source       = "terraform-google-modules/network/google"
+  project_id   = var.project_id
+  network_name = var.network_name
+  subnets = [
+    {
+      subnet_name   = var.subnet_name
+      subnet_ip     = var.subnet_cidr
+      subnet_region = var.region
+    }
+  ]
+}
diff --git a/providers.tf b/providers.tf
@@ -9,12 +9,12 @@ terraform {
   }
 }
 
-# Configure the Linode Provider
-# set google provider knowing that auth is handled by environment variable
-# provider "linode" {
-#   # token = var.token
-# }
 provider "google" {
   project = var.project_id
   region  = var.region
+  default_labels = {
+    infrastructure = "crossing-the-narrow-bridge"
+  }
+  add_terraform_attribution_label               = true
+  terraform_attribution_label_addition_strategy = "PROACTIVE"
 }
diff --git a/variables.tf b/variables.tf
@@ -1,9 +1,3 @@
-# variable "token" {
-#   sensitive   = true
-#   type        = string
-#   description = "Linode API Token"
-# }
-
 variable "project_id" {
   type        = string
   default     = "florenciacomuzzi"
@@ -16,12 +10,22 @@ variable "region" {
   description = "GCP region"
 }
 
-variable "vpc_name" {
+variable "network_name" {
+  description = "The name of the VPC network"
+  type        = string
+}
+
+variable "subnet_name" {
+  description = "The name of the subnet"
+  type        = string
+}
+
+variable "subnet_cidr" {
+  description = "The CIDR block for the subnet"
   type        = string
-  description = "VPC network name"
 }
 
 variable "cluster_name" {
+  description = "The name of the GKE cluster"
   type        = string
-  description = "GKE cluster name"
 }
diff --git a/variables/dev.auto.tfvars b/variables/dev.auto.tfvars
@@ -1,4 +1,6 @@
 project_id = "florenciacomuzzi"
 region     = "us-east1"
-vpc_name   = "florenciacomuzzi-vpc-dev"
-cluster_name = "florenciacomuzzi-cluster-dev"
+network_name   = "florenciacomuzzi-vpc-dev"
+subnet_name  = "my-subnet"
+cluster_name = "florenciacomuzzi-cluster-dev"
+subnet_cidr = "10.0.0.0/12"
diff --git a/variables/prod.auto.tfvars b/variables/prod.auto.tfvars
@@ -1,4 +1,5 @@
 project_id = "florenciacomuzzi"
 region = "us-east1"
-vpc_name = "prod"
-cluster_name = "florenciacomuzzi-cluster-prod"
+vpc_name = "florenciacomuzzi-vpc-prod"
+cluster_name = "florenciacomuzzi-cluster-prod"
+ip_cidr_range = "10.0.0.0/12"

Original file line number	Diff line number	Diff line change
`@@ -9,12 +9,12 @@ terraform {`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`
`12`		`-# Configure the Linode Provider`
`13`		`-# set google provider knowing that auth is handled by environment variable`
`14`		`-# provider "linode" {`
`15`		`-# # token = var.token`
`16`		`-# }`
`17`	`12`	`provider "google" {`
`18`	`13`	`project = var.project_id`
`19`	`14`	`region = var.region`
	`15`	`+ default_labels = {`
	`16`	`+ infrastructure = "crossing-the-narrow-bridge"`
	`17`	`+ }`
	`18`	`+ add_terraform_attribution_label = true`
	`19`	`+ terraform_attribution_label_addition_strategy = "PROACTIVE"`
`20`	`20`	`}`