ksatirli · bschaatsbergen · Mar 6, 2024
diff --git a/clusters/gke/.terraform.lock.hcl b/clusters/gke/.terraform.lock.hcl
diff --git a/clusters/gke/README.md b/clusters/gke/README.md
@@ -21,4 +21,4 @@ data "google_container_cluster" "cluster" {
 
 ## Notes
 
-The implementation of this GKE Cluster is based on previous work carried out by [Rosemary Wang](https://github.com/joatmon08/expense-report/tree/main/terraform).
+The implementation of this GKE Cluster is based on previous work carried out by [Bruno Schaatsbergen](https://github.com/bschaatsbergen/proxying-your-way-into-gke).
diff --git a/clusters/gke/gke.tf b/clusters/gke/gke.tf
@@ -0,0 +1,151 @@
+resource "google_service_account" "cluster" {
+  account_id = "cluster-${var.tfe_workspaces_prefix}"
+  project    = var.google_project
+}
+
+resource "google_project_iam_member" "cluster_log_writer" {
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cluster.email}"
+  project = var.google_project
+}
+
+resource "google_project_iam_member" "cluster_metric_writer" {
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cluster.email}"
+  project = var.google_project
+}
+
+resource "google_project_iam_member" "cluster_monitoring_viewer" {
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.cluster.email}"
+  project = var.google_project
+}
+
+resource "google_project_iam_member" "cluster_resource_metadata_writer" {
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = "serviceAccount:${google_service_account.cluster.email}"
+  project = var.google_project
+}
+
+resource "google_project_iam_member" "cluster_metrics_writer" {
+  role    = "roles/autoscaling.metricsWriter"
+  member  = "serviceAccount:${google_service_account.cluster.email}"
+  project = var.google_project
+}
+
+resource "google_container_cluster" "default" {
+  #checkov:skip=CKV_GCP_66: Binary Authorization does not work well
+  #checkov:skip=CKV_GCP_24: Pod Security Policy is not available after 1.25
+  #checkov:skip=CKV_GCP_65: Google Group for GKE RBAC is not available (yet)
+  provider            = google-beta
+  name                = var.tfe_workspaces_prefix
+  project             = var.google_project
+  location            = var.google_region
+  deletion_protection = false
+
+  network                     = google_compute_network.default.id
+  subnetwork                  = google_compute_subnetwork.default.id
+  enable_intranode_visibility = true
+  networking_mode             = "VPC_NATIVE"
+
+  # create the smallest possible default node pool and immediately delete it
+  initial_node_count       = 1
+  remove_default_node_pool = true
+
+  # use native monitoring services
+  monitoring_service = "monitoring.googleapis.com/kubernetes"
+  logging_service    = "logging.googleapis.com/kubernetes"
+
+  # use stable release channel for automatic upgrades
+  release_channel {
+    channel = "STABLE"
+  }
+
+  # vpc-native networking (used for NEG ingress)
+  ip_allocation_policy {
+    cluster_secondary_range_name  = "gke-pods"
+    services_secondary_range_name = "gke-services"
+  }
+
+  # disable certificate auth (only allow GCP-native auth)
+  master_auth {
+    client_certificate_config {
+      issue_client_certificate = false
+    }
+  }
+
+  # do not create external IP addresses
+  private_cluster_config {
+    enable_private_nodes    = true
+    enable_private_endpoint = false
+    master_ipv4_cidr_block  = "10.3.0.0/28"
+  }
+
+  workload_identity_config {
+    workload_pool = "${var.google_project}.svc.id.goog"
+  }
+
+  network_policy {
+    enabled = true
+  }
+
+  # enable shielded nodes (although we only have a default node for a short period of time)
+  node_config {
+    machine_type    = "n2-standard-4"
+    image_type      = "COS_CONTAINERD"
+    service_account = google_service_account.cluster.email
+    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
+
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
+
+    shielded_instance_config {
+      enable_secure_boot          = true
+      enable_integrity_monitoring = true
+    }
+  }
+}
+
+resource "google_container_node_pool" "default" {
+  name               = var.tfe_workspaces_prefix
+  project            = var.google_project
+  cluster            = google_container_cluster.default.id
+  initial_node_count = 1 # per zone
+
+  node_config {
+    machine_type    = "n2-standard-4"
+    image_type      = "COS_CONTAINERD"
+    service_account = google_service_account.cluster.email
+    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
+
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
+
+    shielded_instance_config {
+      enable_secure_boot          = true
+      enable_integrity_monitoring = true
+    }
+  }
+
+  network_config {
+    enable_private_nodes = true
+  }
+
+  autoscaling {
+    min_node_count = 1
+    max_node_count = 1
+  }
+
+  management {
+    auto_repair  = true
+    auto_upgrade = true
+  }
+
+  lifecycle {
+    ignore_changes = [
+      version, # prevent conflicts when GKE is automatically patched
+    ]
+  }
+}
diff --git a/clusters/gke/main.tf b/clusters/gke/main.tf
diff --git a/clusters/gke/outputs.tf b/clusters/gke/outputs.tf
@@ -6,19 +6,19 @@ output "console_url" {
 # see https://www.terraform.io/docs/language/values/outputs.html
 output "cluster_id" {
   description = "GKE Cluster ID."
-  value       = google_container_cluster.cluster.id
+  value       = google_container_cluster.default.id
 }
 
 # see https://www.terraform.io/docs/language/values/outputs.html
 output "cluster_name" {
   description = "GKE Cluster Name."
-  value       = google_container_cluster.cluster.name
+  value       = google_container_cluster.default.name
 }
 
 # see https://www.terraform.io/docs/language/values/outputs.html
 output "cluster_region" {
   description = "GKE Cluster Region."
-  value       = google_container_cluster.cluster.location
+  value       = google_container_cluster.default.location
 }
 
 # this variable is used for testing purposes and has no bearing on the demo

diff --git a/clusters/gke/providers.tf b/clusters/gke/providers.tf
@@ -1,5 +1,4 @@
 # see https://registry.terraform.io/providers/hashicorp/google/latest/docs
 provider "google" {
-  project = var.tfe_workspaces_prefix
-  region  = var.google_region
+  project = var.google_project
 }
diff --git a/clusters/gke/service_accounts.tf b/clusters/gke/service_accounts.tf
diff --git a/clusters/gke/services.tf b/clusters/gke/services.tf
@@ -0,0 +1,19 @@
+locals {
+  services = [
+    "serviceusage.googleapis.com",
+    "container.googleapis.com",
+    "compute.googleapis.com",
+    "networking.googleapis.com",
+    "cloudkms.googleapis.com",
+    "dns.googleapis.com",
+    "servicenetworking.googleapis.com",
+  ]
+}
+
+# see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_service
+resource "google_project_service" "default" {
+  for_each                   = toset(local.services)
+  service                    = each.value
+  disable_on_destroy         = false
+  project                    = var.google_project
+}
diff --git a/clusters/gke/setup/.terraform.lock.hcl b/clusters/gke/setup/.terraform.lock.hcl
diff --git a/clusters/gke/setup/README.md b/clusters/gke/setup/README.md
diff --git a/clusters/gke/setup/main.tf b/clusters/gke/setup/main.tf