diff --git a/examples/gke-basic-tiller/main.tf b/examples/gke-basic-tiller/main.tf
index a6ba3c1..2369556 100644
--- a/examples/gke-basic-tiller/main.tf
+++ b/examples/gke-basic-tiller/main.tf
@@ -65,17 +65,22 @@ provider "helm" {
 module "gke_cluster" {
 # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
 # to a specific version of the modules, such as the following example:
- # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-cluster?ref=v0.0.1"
+ # source = "git::git@github.com:gruntwork-io/terraform-google-gke.git//modules/gke-cluster?ref=v0.0.5"
 source = "../../modules/gke-cluster"
 name = "${var.cluster_name}"
- project = "${var.project}"
- location = "${var.location}"
- network = "${google_compute_network.main.name}"
- subnetwork = "${google_compute_subnetwork.main.self_link}"
+ project = "${var.project}"
+ location = "${var.location}"
+
+ # We're deploying the cluster in the 'public' subnetwork to allow outbound internet access
+ # See the network access tier table for full details:
+ # https://github.com/gruntwork-io/terraform-google-network/tree/master/modules/vpc-network#access-tier
+ network = "${module.vpc_network.network}"
+
+ subnetwork = "${module.vpc_network.public_subnetwork}"
- cluster_secondary_range_name = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+ cluster_secondary_range_name = "${module.vpc_network.public_subnetwork_secondary_range_name}"
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -110,7 +115,13 @@ resource "google_container_node_pool" "node_pool" {
 all-pools-example = "true"
 }
- tags = ["main-pool-example"]
+ # Add a public tag to the instances. See the network access tier table for full details:
+ # https://github.com/gruntwork-io/terraform-google-network/tree/master/modules/vpc-network#access-tier
+ tags = [
+ "${module.vpc_network.public}",
+ "tiller-example",
+ ]
+
 disk_size_gb = "30"
 disk_type = "pd-standard"
 preemptible = false
@@ -140,7 +151,7 @@ resource "google_container_node_pool" "node_pool" {
 module "gke_service_account" {
 # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
 # to a specific version of the modules, such as the following example:
- # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1"
+ # source = "git::git@github.com:gruntwork-io/terraform-google-gke.git//modules/gke-service-account?ref=v0.0.5"
 source = "../../modules/gke-service-account"
 name = "${var.cluster_service_account_name}"
@@ -148,28 +159,25 @@ module "gke_service_account" {
 description = "${var.cluster_service_account_description}"
 }
-# TODO(rileykarson): Add proper VPC network config once we've made a VPC module
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE A NETWORK TO DEPLOY THE CLUSTER TO
+# ---------------------------------------------------------------------------------------------------------------------
+
 resource "random_string" "suffix" {
 length = 4
 special = false
 upper = false
 }
-resource "google_compute_network" "main" {
- name = "${var.cluster_name}-network-${random_string.suffix.result}"
- auto_create_subnetworks = "false"
-}
+module "vpc_network" {
+ source = "git::git@github.com:gruntwork-io/terraform-google-network.git//modules/vpc-network?ref=v0.0.2"
-resource "google_compute_subnetwork" "main" {
- name = "${var.cluster_name}-subnetwork-${random_string.suffix.result}"
- ip_cidr_range = "10.0.0.0/17"
- region = "${var.region}"
- network = "${google_compute_network.main.self_link}"
+ name = "${var.cluster_name}-network-${random_string.suffix.result}"
+ project = "${var.project}"
+ region = "${var.region}"
- secondary_ip_range {
- range_name = "cluster-pods"
- ip_cidr_range = "10.1.0.0/18"
- }
+ cidr_block = "${var.vpc_cidr_block}"
+ secondary_cidr_block = "${var.vpc_secondary_cidr_block}"
 }
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/examples/gke-basic-tiller/variables.tf b/examples/gke-basic-tiller/variables.tf
index 987fcb3..ade77c9 100644
--- a/examples/gke-basic-tiller/variables.tf
+++ b/examples/gke-basic-tiller/variables.tf
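Review bot: The `module "vpc_network"` block added in this hunk pins its `source` only to the git tag `ref=v0.0.2`, and a tag can be moved after the fact, so the network layout this example stands on can change without any edit to this file; the same `source` line appears in the vpc_network hunks of the private-cluster and public-cluster main.tf files. The `git@github.com:` form also means `terraform get` needs GitHub SSH credentials, which the examples' instructions do not mention. I would add above the `source` line: `# NOTE: a git tag is mutable; for production use pin ?ref= to an immutable revision (a full commit SHA) and review the module before bumping it.` The surrounding file header comments already tell users to pin, so this keeps the example consistent with its own advice.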
@@ -93,3 +93,17 @@ variable "undeploy_releases" {
 description = "If true, will delete deployed releases from the Tiller instance before undeploying Tiller."
 default = false
 }
+
+# For the example, we recommend a /16 network for the VPC. Note that when changing the size of the network,
+# you will have to adjust the 'cidr_subnetwork_width_delta' in the 'vpc_network' -module accordingly.
+variable "vpc_cidr_block" {
+ description = "The IP address range of the VPC in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27."
+ default = "10.1.0.0/16"
+}
+
+# For the example, we recommend a /16 network for the secondary range. Note that when changing the size of the network,
+# you will have to adjust the 'cidr_subnetwork_width_delta' in the 'vpc_network' -module accordingly.
+variable "vpc_secondary_cidr_block" {
+ description = "The IP address range of the VPC's secondary address range in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27."
+ default = "10.2.0.0/16"
+}
diff --git a/examples/gke-private-cluster/README.md b/examples/gke-private-cluster/README.md
index 28ed075..7c8b16d 100644
--- a/examples/gke-private-cluster/README.md
+++ b/examples/gke-private-cluster/README.md
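Review bot: The `description` of both `vpc_cidr_block` and `vpc_secondary_cidr_block` ends with "Do not use a prefix higher than /27", which is ambiguous: a numerically higher prefix length is a smaller network, and the sentence does not say whether /27 itself is allowed. The identical text is repeated in the private-cluster and public-cluster variables.tf hunks. Assuming the intent is the smaller-network reading, I would write `Do not use a prefix length longer than /27 (i.e. a network smaller than /27).`, and the leading comment could say where the limit comes from, since it refers to the vpc-network module's `cidr_subnetwork_width_delta` without explaining the relationship.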
@@ -42,7 +42,20 @@ Currently, you cannot use a proxy to reach the cluster master of a regional clus
 1. Run `terraform get`.
 1. Run `terraform plan`.
 1. If the plan looks good, run `terraform apply`.
+
+#### Optional: Deploy a sample application
+
 1. To setup `kubectl` to access the deployed cluster, run `gcloud beta container clusters get-credentials $CLUSTER_NAME --region $REGION --project $PROJECT`, where `CLUSTER_NAME`, `REGION` and `PROJECT` correspond to what you set for the input variables.
+1. Run `kubectl apply -f example-app/nginx.yml` to create a deployment in your cluster.
+1. Run `kubectl get pods` to view the pod status and check that it is ready.
+1. Run `kubectl get deployment` to view the deployment status.
+1. Run `kubectl port-forward deployment/nginx 8080:80`
+
+Now you should be able to access your `nginx` deployment on http://localhost:8080
+
+#### Destroy the created resources
+1. If you deployed the sample application, run `kubectl delete -f example-app/nginx.yml`.
+1. Run `terraform destroy`.
diff --git a/examples/gke-private-cluster/example-app/nginx.yml b/examples/gke-private-cluster/example-app/nginx.yml
new file mode 100644
index 0000000..e4b2476
--- /dev/null
+++ b/examples/gke-private-cluster/example-app/nginx.yml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ tier: backend
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ tier: backend
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 80
diff --git a/examples/gke-private-cluster/main.tf b/examples/gke-private-cluster/main.tf
index a1c45cd..2f72efb 100644
--- a/examples/gke-private-cluster/main.tf
+++ b/examples/gke-private-cluster/main.tf
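Review bot: `image: nginx` in the new example-app/nginx.yml has no tag or digest, so each `kubectl apply` the README now instructs readers to run pulls whatever the untagged image resolves to at that moment, and two readers following the same steps can end up running different builds. Pin it, e.g. `image: nginx:<pinned-version>` (placeholder; better still an `@sha256:` digest), so the example is reproducible and the pulled image can be reviewed. The Deployment also declares two replicas with no `resources` requests or limits; for an example that is acceptable, but a one-line comment saying so would stop it being copied as-is.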
@@ -32,18 +32,22 @@ provider "google-beta" {
 module "gke_cluster" {
 # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
 # to a specific version of the modules, such as the following example:
- # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-cluster?ref=v0.0.4"
+ # source = "git::git@github.com:gruntwork-io/terraform-google-gke.git//modules/gke-cluster?ref=v0.0.5"
 source = "../../modules/gke-cluster"
 name = "${var.cluster_name}"
- project = "${var.project}"
- location = "${var.location}"
- network = "${google_compute_network.main.name}"
- subnetwork = "${google_compute_subnetwork.main.self_link}"
+ project = "${var.project}"
+ location = "${var.location}"
+ network = "${module.vpc_network.network}"
+
+ # We're deploying the cluster in the 'public' subnetwork to allow outbound internet access
+ # See the network access tier table for full details:
+ # https://github.com/gruntwork-io/terraform-google-network/tree/master/modules/vpc-network#access-tier
+ subnetwork = "${module.vpc_network.public_subnetwork}"
 # When creating a private cluster, the 'master_ipv4_cidr_block' has to be defined and the size must be /28
- master_ipv4_cidr_block = "10.5.0.0/28"
+ master_ipv4_cidr_block = "${var.master_ipv4_cidr_block}"
 # This setting will make the cluster private
 enable_private_nodes = "true"
@@ -60,7 +64,7 @@ module "gke_cluster" {
 }]
 }]
- cluster_secondary_range_name = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+ cluster_secondary_range_name = "${module.vpc_network.public_subnetwork_secondary_range_name}"
 }
 # ---------------------------------------------------------------------------------------------------------------------
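Review bot: The added comment `# We're deploying the cluster in the 'public' subnetwork to allow outbound internet access` contradicts `enable_private_nodes = "true"` a few lines below in the same hunk: private nodes get only internal addresses, so putting them in the public-tier subnetwork does not by itself give them outbound internet access, and the comment reads as copied from the public-cluster example. The node pool hunk in this file tags the instances with `module.vpc_network.private`, so the tag and the subnetwork choice disagree about which tier the nodes are in. Either reword the comment to say why private nodes are placed in the public subnetwork and how egress is actually provided, or, if the vpc-network module exposes a private subnetwork output, use it here together with its secondary range name. `module "gke_cluster"` continues outside the first hunk; its closing brace is in the second.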
@@ -95,7 +99,13 @@ resource "google_container_node_pool" "node_pool" {
 private-pools-example = "true"
 }
- tags = ["private-pool-example"]
+ # Add a private tag to the instances. See the network access tier table for full details:
+ # https://github.com/gruntwork-io/terraform-google-network/tree/master/modules/vpc-network#access-tier
+ tags = [
+ "${module.vpc_network.private}",
+ "private-pool-example",
+ ]
+
 disk_size_gb = "30"
 disk_type = "pd-standard"
 preemptible = false
@@ -125,7 +135,7 @@ resource "google_container_node_pool" "node_pool" {
 module "gke_service_account" {
 # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
 # to a specific version of the modules, such as the following example:
- # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1"
+ # source = "git::git@github.com:gruntwork-io/terraform-google-gke.git//modules/gke-service-account?ref=v0.0.5"
 source = "../../modules/gke-service-account"
 name = "${var.cluster_service_account_name}"
@@ -137,26 +147,20 @@ module "gke_service_account" {
 # CREATE A NETWORK TO DEPLOY THE CLUSTER TO
 # ---------------------------------------------------------------------------------------------------------------------
-# TODO(rileykarson): Add proper VPC network config once we've made a VPC module
+module "vpc_network" {
+ source = "git::git@github.com:gruntwork-io/terraform-google-network.git//modules/vpc-network?ref=v0.0.2"
+
+ name = "${var.cluster_name}-network-${random_string.suffix.result}"
+ project = "${var.project}"
+ region = "${var.region}"
+
+ cidr_block = "${var.vpc_cidr_block}"
+ secondary_cidr_block = "${var.vpc_secondary_cidr_block}"
+}
+
+# Use a random suffix to prevent overlap in network names
 resource "random_string" "suffix" {
 length = 4
 special = false
 upper = false
 }
-
-resource "google_compute_network" "main" {
- name = "${var.cluster_name}-network-${random_string.suffix.result}"
- auto_create_subnetworks = "false"
-}
-
-resource "google_compute_subnetwork" "main" {
- name = "${var.cluster_name}-subnetwork-${random_string.suffix.result}"
- ip_cidr_range = "10.3.0.0/17"
- region = "${var.region}"
- network = "${google_compute_network.main.self_link}"
-
- secondary_ip_range {
- range_name = "private-cluster-pods"
- ip_cidr_range = "10.4.0.0/18"
- }
-}
diff --git a/examples/gke-private-cluster/variables.tf b/examples/gke-private-cluster/variables.tf
index d0ad1eb..b57ecb2 100644
--- a/examples/gke-private-cluster/variables.tf
+++ b/examples/gke-private-cluster/variables.tf
@@ -34,3 +34,22 @@ variable "cluster_service_account_description" {
 description = "A description of the custom service account used for the GKE cluster."
 default = "Example GKE Cluster Service Account managed by Terraform"
 }
+
+variable "master_ipv4_cidr_block" {
+ description = "The IP range in CIDR notation (size must be /28) to use for the hosted master network. This range will be used for assigning internal IP addresses to the master or set of masters, as well as the ILB VIP. This range must not overlap with any other ranges in use within the cluster's network."
+ default = "10.5.0.0/28"
+}
+
+# For the example, we recommend a /16 network for the VPC. Note that when changing the size of the network,
+# you will have to adjust the 'cidr_subnetwork_width_delta' in the 'vpc_network' -module accordingly.
+variable "vpc_cidr_block" {
+ description = "The IP address range of the VPC in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27."
+ default = "10.3.0.0/16"
+}
+
+# For the example, we recommend a /16 network for the secondary range. Note that when changing the size of the network,
+# you will have to adjust the 'cidr_subnetwork_width_delta' in the 'vpc_network' -module accordingly.
+variable "vpc_secondary_cidr_block" {
+ description = "The IP address range of the VPC's secondary address range in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27."
+ default = "10.4.0.0/16"
+}
diff --git a/examples/gke-public-cluster/main.tf b/examples/gke-public-cluster/main.tf
index e16d998..52bb2f1 100644
--- a/examples/gke-public-cluster/main.tf
+++ b/examples/gke-public-cluster/main.tf
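Review bot: The new `master_ipv4_cidr_block` description says the range "must not overlap with any other ranges in use within the cluster's network", but nothing in this hunk ties its default `10.5.0.0/28` to the `vpc_cidr_block` (`10.3.0.0/16`) and `vpc_secondary_cidr_block` (`10.4.0.0/16`) defaults declared right below it, so a user who widens or moves one of the VPC ranges only discovers an overlap when the apply is rejected. The interpolation-style syntax used throughout these files does not appear to offer variable validation, so the constraint should at least be stated where the defaults live, e.g. `# The three defaults below are chosen to be disjoint; keep master_ipv4_cidr_block outside both VPC ranges if you change them.` The `(size must be /28)` wording is good and should stay.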
@@ -33,17 +33,22 @@ provider "google-beta" {
 module "gke_cluster" {
 # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
 # to a specific version of the modules, such as the following example:
- # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-cluster?ref=v0.0.3"
+ # source = "git::git@github.com:gruntwork-io/terraform-google-gke.git//modules/gke-cluster?ref=v0.0.5"
 source = "../../modules/gke-cluster"
 name = "${var.cluster_name}"
- project = "${var.project}"
- location = "${var.location}"
- network = "${google_compute_network.main.name}"
- subnetwork = "${google_compute_subnetwork.main.self_link}"
+ project = "${var.project}"
+ location = "${var.location}"
+
+ # We're deploying the cluster in the 'public' subnetwork to allow outbound internet access
+ # See the network access tier table for full details:
+ # https://github.com/gruntwork-io/terraform-google-network/tree/master/modules/vpc-network#access-tier
+ network = "${module.vpc_network.network}"
- cluster_secondary_range_name = "${google_compute_subnetwork.main.secondary_ip_range.0.range_name}"
+ subnetwork = "${module.vpc_network.public_subnetwork}"
+
+ cluster_secondary_range_name = "${module.vpc_network.public_subnetwork_secondary_range_name}"
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -78,7 +83,13 @@ resource "google_container_node_pool" "node_pool" {
 all-pools-example = "true"
 }
- tags = ["main-pool-example"]
+ # Add a public tag to the instances. See the network access tier table for full details:
+ # https://github.com/gruntwork-io/terraform-google-network/tree/master/modules/vpc-network#access-tier
+ tags = [
+ "${module.vpc_network.public}",
+ "public-pool-example",
+ ]
+
 disk_size_gb = "30"
 disk_type = "pd-standard"
 preemptible = false
@@ -108,7 +119,7 @@ resource "google_container_node_pool" "node_pool" {
 module "gke_service_account" {
 # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
 # to a specific version of the modules, such as the following example:
- # source = "git::git@github.com:gruntwork-io/gke-cluster.git//modules/gke-service-account?ref=v0.0.1"
+ # source = "git::git@github.com:gruntwork-io/terraform-google-gke.git//modules/gke-service-account?ref=v0.0.5"
 source = "../../modules/gke-service-account"
 name = "${var.cluster_service_account_name}"
@@ -119,26 +130,20 @@ module "gke_service_account" {
 # ---------------------------------------------------------------------------------------------------------------------
 # CREATE A NETWORK TO DEPLOY THE CLUSTER TO
 # ---------------------------------------------------------------------------------------------------------------------
-# TODO(rileykarson): Add proper VPC network config once we've made a VPC module
+
 resource "random_string" "suffix" {
 length = 4
 special = false
 upper = false
 }
-resource "google_compute_network" "main" {
- name = "${var.cluster_name}-network-${random_string.suffix.result}"
- auto_create_subnetworks = "false"
-}
+module "vpc_network" {
+ source = "git::git@github.com:gruntwork-io/terraform-google-network.git//modules/vpc-network?ref=v0.0.2"
-resource "google_compute_subnetwork" "main" {
- name = "${var.cluster_name}-subnetwork-${random_string.suffix.result}"
- ip_cidr_range = "10.0.0.0/17"
- region = "${var.region}"
- network = "${google_compute_network.main.self_link}"
+ name = "${var.cluster_name}-network-${random_string.suffix.result}"
+ project = "${var.project}"
+ region = "${var.region}"
- secondary_ip_range {
- range_name = "cluster-pods"
- ip_cidr_range = "10.1.0.0/18"
- }
+ cidr_block = "${var.vpc_cidr_block}"
+ secondary_cidr_block = "${var.vpc_secondary_cidr_block}"
 }
diff --git a/examples/gke-public-cluster/variables.tf b/examples/gke-public-cluster/variables.tf
index 47fe283..1673660 100644
--- a/examples/gke-public-cluster/variables.tf
+++ b/examples/gke-public-cluster/variables.tf
@@ -34,3 +34,17 @@ variable "cluster_service_account_description" {
 description = "A description of the custom service account used for the GKE cluster."
 default = "Example GKE Cluster Service Account managed by Terraform"
 }
+
+# For the example, we recommend a /16 network for the VPC. Note that when changing the size of the network,
+# you will have to adjust the 'cidr_subnetwork_width_delta' in the 'vpc_network' -module accordingly.
+variable "vpc_cidr_block" {
+ description = "The IP address range of the VPC in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27."
+ default = "10.6.0.0/16"
+}
+
+# For the example, we recommend a /16 network for the secondary range. Note that when changing the size of the network,
+# you will have to adjust the 'cidr_subnetwork_width_delta' in the 'vpc_network' -module accordingly.
+variable "vpc_secondary_cidr_block" {
+ description = "The IP address range of the VPC's secondary address range in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27."
+ default = "10.7.0.0/16"
+}
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index b33689e..ab1f035 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -14,8 +14,8 @@ resource "google_container_cluster" "cluster" {
 project = "${var.project}"
 location = "${var.location}"
- network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}"
- subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}"
+ network = "${var.network}"
+ subnetwork = "${var.subnetwork}"
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
@@ -109,15 +109,6 @@ locals {
 # Pull in data
 # ---------------------------------------------------------------------------------------------------------------------
-data "google_compute_network" "gke_network" {
- name = "${var.network}"
- project = "${local.network_project}"
-}
-
-data "google_compute_subnetwork" "gke_subnetwork" {
- self_link = "${var.subnetwork}"
-}
-
 // Get available master versions in our location to determine the latest version
 data "google_container_engine_versions" "location" {
 location = "${var.location}"
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index a79fe1a..41b6d70 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -16,7 +16,7 @@ variable "name" {
 }
 variable "network" {
- description = "The VPC network to host the cluster in"
+ description = "A reference (self link) to the VPC network to host the cluster in"
 }
 variable "subnetwork" {
@@ -77,8 +77,6 @@ variable "master_ipv4_cidr_block" {
 default = ""
 }
-// TODO(robmorgan): Are we using these values below? We should understand them more fully before adding them to configs.
-
 variable "network_project" {
 description = "The project ID of the shared VPC's host (for shared vpc support)"
 default = ""
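Review bot: Deleting the `google_compute_network` data source in the second main.tf hunk removes the only visible reader of `local.network_project`, yet the variables.tf hunk on this line keeps `variable "network_project"` described as shared-VPC support and at the same time drops the TODO that asked whether these values are used; unless something outside these hunks still reads it, the variable is now dead and the shared-VPC claim in its description is no longer backed by code. The first hunk also changes the contract: the old code accepted a network `name`, resolved it in `local.network_project`, and stripped the `https://www.googleapis.com/compute/v1/` prefix from the resulting self link, whereas `network = "${var.network}"` now forwards the raw value, so a caller that passed a bare name for a network living in a shared-VPC host project loses the project qualification the lookup used to add. Only the `network` description was updated to "A reference (self link)"; give `subnetwork` the matching wording, e.g. `description = "A reference (self link) to the subnetwork to host the cluster in"`, and state explicitly whether a bare name is still accepted. `variable "subnetwork"` continues outside its hunk.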