dapperlabs-platform/terraform-google-gke-cluster
GKE cluster module

This module simplifies the creation and management of GKE clusters and should be used together with the GKE nodepool module, because the default node pool is turned off here and cannot be re-enabled. Sensible defaults are set so that most use cases need only a short configuration.

Example

GKE Cluster

```hcl
module "cluster-1" {
  source                    = "github.com/dapperlabs-platform/terraform-google-gke-cluster?ref=tag"
  project_id                = "myproject"
  name                      = "cluster-1"
  location                  = "europe-west1-b"
  network                   = var.vpc.self_link
  subnetwork                = var.subnet.self_link
  secondary_range_pods      = "pods"
  secondary_range_services  = "services"
  default_max_pods_per_node = 32
  master_authorized_ranges = {
    internal-vms = "10.0.0.0/8"
  }
  private_cluster_config = {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "192.168.0.0/28"
    master_global_access    = false
  }
  labels = {
    environment = "dev"
  }
}
# tftest:modules=1:resources=1
```

GKE Cluster with Dataplane V2 enabled

```hcl
module "cluster-1" {
  source                    = "github.com/dapperlabs-platform/terraform-google-gke-cluster?ref=tag"
  project_id                = "myproject"
  name                      = "cluster-1"
  location                  = "europe-west1-b"
  network                   = var.vpc.self_link
  subnetwork                = var.subnet.self_link
  secondary_range_pods      = "pods"
  secondary_range_services  = "services"
  default_max_pods_per_node = 32
  enable_dataplane_v2       = true
  master_authorized_ranges = {
    internal-vms = "10.0.0.0/8"
  }
  private_cluster_config = {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "192.168.0.0/28"
    master_global_access    = false
  }
  labels = {
    environment = "dev"
  }
}
# tftest:modules=1:resources=1
```

Backup for GKE

Note: Although Backup for GKE can be enabled as an add-on when configuring your GKE clusters, it is a separate service from GKE.

Backup for GKE is a service for backing up and restoring workloads in GKE clusters. It has two components:

  • A Google Cloud API that serves as the control plane for the service.
  • A GKE add-on (the Backup for GKE agent) that must be enabled in each cluster for which you wish to perform backup and restore operations.

This example shows how to enable Backup for GKE on a new zonal GKE Standard cluster and plan a set of backups.

```hcl
# The network is passed through this module's own inputs (network, subnetwork and
# the two secondary range names, see Inputs); there is no vpc_config block here.
module "cluster-1" {
  source                   = "github.com/dapperlabs-platform/terraform-google-gke-cluster?ref=tag"
  project_id               = var.project_id
  name                     = "cluster-1"
  location                 = "europe-west1-b"
  network                  = var.vpc.self_link
  subnetwork               = var.subnet.self_link
  secondary_range_pods     = "pods"
  secondary_range_services = "services"
  backup_configs = {
    # Installs the Backup for GKE agent add-on in the cluster.
    enable_backup_agent = true
    # One plan: weekly (Mondays 09:00) backup of two applications in namespace-1,
    # stored in a region different from the cluster's.
    backup_plans = {
      "backup-1" = {
        region   = "europe-west2"
        schedule = "0 9 * * 1"
        applications = {
          namespace-1 = ["app-1", "app-2"]
        }
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=backup.yaml
```

Copyright 2021 Google LLC

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.8 |
| google | >= 4.0.0 |
| google-beta | >= 4.0.0 |
| kubernetes | >= 2.19 |

Providers

| Name | Version |
|------|---------|
| google | >= 4.0.0 |
| google-beta | >= 4.0.0 |
| kubernetes | >= 2.19 |

Modules

| Name | Source | Version |
|------|--------|---------|
| enable_asm | github.com/dapperlabs-platform/terraform-asm | v1.1 |

Resources

| Name | Type |
|------|------|
| google-beta_google_container_cluster.cluster | resource |
| google_compute_network_peering_routes_config.gke_master | resource |
| google_gke_backup_backup_plan.backup_plan | resource |
| google_service_account_iam_member.main | resource |
| kubernetes_namespace.namespaces | resource |
| kubernetes_secret_v1.tokens | resource |
| kubernetes_service_account.service_accounts | resource |
| kubernetes_storage_class.example | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| addons | Addons enabled in the cluster (true means enabled). | `object({ cloudrun_config = optional(bool, false), dns_cache_config = optional(bool, false), horizontal_pod_autoscaling = optional(bool, true), http_load_balancing = optional(bool, true), istio_config = optional(object({ enabled = optional(bool, false), tls = optional(bool, false) }), {}), network_policy_config = optional(bool, true), gce_persistent_disk_csi_driver_config = optional(bool, true), gcp_filestore_csi_driver_config = optional(object({ enabled = optional(bool, false), tier = optional(string, "standard") }), {}) })` | `{}` | no |
| authenticator_security_group | RBAC security group for Google Groups for GKE; format is [email protected]. | `string` | `null` | no |
| backup_configs | Configuration for Backup for GKE. | `object({ enable_backup_agent = optional(bool, false), backup_plans = optional(map(object({ region = string, applications = optional(map(list(string))), encryption_key = optional(string), include_secrets = optional(bool, true), include_volume_data = optional(bool, true), labels = optional(map(string)), namespaces = optional(list(string)), schedule = optional(string), retention_policy_days = optional(number), retention_policy_lock = optional(bool, false), retention_policy_delete_lock_days = optional(number) })), {}) })` | `{}` | no |
| cluster_autoscaling | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | `object({ enabled = bool, cpu_min = number, cpu_max = number, memory_min = number, memory_max = number })` | `{ "cpu_max": 0, "cpu_min": 0, "enabled": false, "memory_max": 0, "memory_min": 0 }` | no |
| create_cpr | Determines whether the control plane revision should be installed. | `bool` | `false` | no |
| database_encryption | Enable and configure GKE application-layer secrets encryption. | `object({ enabled = bool, state = string, key_name = string })` | `{ "enabled": false, "key_name": null, "state": "DECRYPTED" }` | no |
| default_max_pods_per_node | Maximum number of pods per node in this cluster. | `number` | `110` | no |
| description | Cluster description. | `string` | `null` | no |
| enable_asm | Determines whether Anthos Service Mesh should be enabled. | `bool` | `false` | no |
| enable_autopilot | Create the cluster in Autopilot mode. With Autopilot there is no need to create node pools, and some features are not supported (e.g. setting default_max_pods_per_node). | `bool` | `false` | no |
| enable_dataplane_v2 | Enable Dataplane V2 on the cluster; this disables the network_policy addon config. | `bool` | `false` | no |
| enable_intranode_visibility | Enable intra-node visibility to make same-node pod-to-pod traffic visible. | `bool` | `null` | no |
| enable_shielded_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `null` | no |
| enable_tpu | Enable Cloud TPU resources in this cluster. | `bool` | `null` | no |
| labels | Cluster resource labels. | `map(string)` | `null` | no |
| location | Cluster zone or region. | `string` | n/a | yes |
| logging_service | Logging service (disable with an empty string). | `string` | `"none"` | no |
| maintenance_start_time | Maintenance start time in RFC3339 format 'HH:MM', where HH is [00-23] and MM is [00-59] GMT. | `string` | `"03:00"` | no |
| master_authorized_ranges | External IP address ranges that can access the Kubernetes cluster master over HTTPS. | `map(string)` | `{}` | no |
| min_master_version | Minimum version of the master; defaults to the version of the most recent official release. | `string` | `null` | no |
| monitoring_service | Monitoring service. | `string` | `"none"` | no |
| name | Cluster name. | `string` | n/a | yes |
| namespace_protection | If true, mark namespaces with an annotation so they cannot be deleted (see https://github.com/dapperlabs/kyverno-policies/tree/main/policies/deny-protected-deletes). | `bool` | `true` | no |
| namespaces | Namespaces to add to the cluster. | `list(string)` | `[]` | no |
| network | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | `string` | n/a | yes |
| node_locations | Zones in which the cluster's nodes are located. | `list(string)` | `[]` | no |
| peering_config | Configure peering with the master VPC for private clusters. | `object({ export_routes = bool, import_routes = bool, project_id = string })` | `null` | no |
| pod_security_policy | Enable the PodSecurityPolicy feature. | `bool` | `null` | no |
| private_cluster_config | Enable and configure a private cluster; enable_private_nodes must be true if used. | `object({ enable_private_nodes = bool, enable_private_endpoint = bool, master_ipv4_cidr_block = string, master_global_access = bool })` | `null` | no |
| project_id | Cluster project id. | `string` | n/a | yes |
| release_channel | Release channel for GKE upgrades. | `string` | `null` | no |
| resource_usage_export_config | Configure the ResourceUsageExportConfig feature. | `object({ enabled = bool, dataset = string })` | `{ "dataset": null, "enabled": null }` | no |
| secondary_range_pods | Subnet secondary range name used for pods. | `string` | n/a | yes |
| secondary_range_services | Subnet secondary range name used for services. | `string` | n/a | yes |
| subnetwork | VPC subnetwork name or self link. | `string` | n/a | yes |
| vertical_pod_autoscaling | Enable the Vertical Pod Autoscaling feature. | `bool` | `null` | no |
| workload_identity | Enable the Workload Identity feature. | `bool` | `true` | no |
| workload_identity_profiles | Namespace-keyed map of GCP service accounts for which Kubernetes service accounts are created. | `map(list(object({ email = string, create_service_account_token = optional(bool, false), automount_service_account_token = optional(bool, false) })))` | `{}` | no |
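Several of the defaults above are security-relevant when left unset (logging and monitoring default to `"none"`, Shielded Nodes and the release channel are unset, application-layer secrets encryption is off). As an added example that is not part of this module or its README, the following Python pre-apply check walks one module block's arguments against those documented defaults; the input names come from the Inputs table, and the sample arguments are constructed to mirror the first example on this page.

```python
"""Added example, not part of the module: a pre-apply policy check over the arguments
passed to one module block. Input names and defaults come from the Inputs table."""
import ipaddress

MODULE_DEFAULTS = {  # defaults from the Inputs table that matter when an input is left unset
    "logging_service": "none",
    "monitoring_service": "none",
    "enable_shielded_nodes": None,
    "release_channel": None,
    "database_encryption": {"enabled": False, "state": "DECRYPTED", "key_name": None},
    "private_cluster_config": None,
    "master_authorized_ranges": {},
    "backup_configs": {"enable_backup_agent": False, "backup_plans": {}},
}

def check_cluster_args(args):
    """Return findings (strings) for one module block; an empty list means clean."""
    cfg = {**MODULE_DEFAULTS, **args}
    findings = []
    for svc in ("logging_service", "monitoring_service"):
        if cfg[svc] == "none":
            findings.append(f"{svc} is 'none': the module default ships no telemetry")
    if cfg["enable_shielded_nodes"] is not True:
        findings.append("enable_shielded_nodes is not true")
    if cfg["release_channel"] is None:
        findings.append("release_channel unset: no automatic control-plane patching")
    dbe = cfg["database_encryption"] or {}
    if not (dbe.get("enabled") and dbe.get("key_name")):
        findings.append("database_encryption off: no customer-managed key for secrets in etcd")
    pcc = cfg["private_cluster_config"] or {}
    if not pcc.get("enable_private_nodes"):
        findings.append("enable_private_nodes is not true: nodes get public IPs")
    ranges = cfg["master_authorized_ranges"] or {}
    for label, cidr in ranges.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0 or not net.is_private:  # test /0 first; is_private may accept it
            findings.append(f"master_authorized_ranges[{label}]={cidr} is public or unbounded")
    if not pcc.get("enable_private_endpoint") and not ranges:
        findings.append("public control-plane endpoint with no master_authorized_ranges")
    if not (cfg["backup_configs"] or {}).get("enable_backup_agent"):
        findings.append("backup_configs.enable_backup_agent is false")
    return findings

# Constructed sample: the README's first example with every other input left at its default.
EXAMPLE_ARGS = {
    "project_id": "myproject", "name": "cluster-1", "location": "europe-west1-b",
    "master_authorized_ranges": {"internal-vms": "10.0.0.0/8"},
    "private_cluster_config": {"enable_private_nodes": True, "enable_private_endpoint": True, "master_ipv4_cidr_block": "192.168.0.0/28", "master_global_access": False},
}
```

Run against the README example it reports six findings (both telemetry services, Shielded Nodes, release channel, secrets encryption and the backup agent), while the private endpoint and the RFC 1918 authorized range pass.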

Outputs

| Name | Description |
|------|-------------|
| ca_certificate | Public certificate of the cluster (base64-encoded). |
| cluster | Cluster resource. |
| endpoint | Cluster endpoint. |
| location | Cluster location. |
| master_version | Master version. |
| name | Cluster name. |