From 2e9730db148005b4c42b603c0f3f2028549479cd Mon Sep 17 00:00:00 2001
From: James Ellwood
Date: Thu, 28 Nov 2024 08:21:32 -0500
Subject: [PATCH] Move GKE node group modules into main terraform project (#87)

---
 gke/README.md | 12 +-
 gke/terraform/README.md | 13 +-
 gke/terraform/main.tf | 182 +++++++++++++++-
 .../modules/broker-node-pool/README.md | 3 +-
 .../modules/broker-node-pool/main.tf | 8 +-
 .../modules/broker-node-pool/variables.tf | 7 +-
 gke/terraform/modules/cluster/README.md | 19 +-
 gke/terraform/modules/cluster/main.tf | 203 ------------------
 gke/terraform/modules/cluster/outputs.tf | 11 +
 gke/terraform/modules/cluster/variables.tf | 24 ---
 .../modules/system-node-pool/README.md | 43 ++++
 .../modules/system-node-pool/main.tf | 43 ++++
 .../modules/system-node-pool/variables.tf | 49 +++++
 .../modules/system-node-pool/versions.tf | 10 +
 14 files changed, 366 insertions(+), 261 deletions(-)
 create mode 100644 gke/terraform/modules/system-node-pool/README.md
 create mode 100644 gke/terraform/modules/system-node-pool/main.tf
 create mode 100644 gke/terraform/modules/system-node-pool/variables.tf
 create mode 100644 gke/terraform/modules/system-node-pool/versions.tf

diff --git a/gke/README.md b/gke/README.md
index 5c5eb00..6724364 100644
--- a/gke/README.md
+++ b/gke/README.md
@@ -161,10 +161,16 @@ Create a Storage Class with these recommended settings: kubectl apply -f kubernetes/storage-class.yaml ``` -## Breaking Changes +## Changelog -### v1 to v2 +### v2 -The v2 version of this terraform project introduces a breaking change in the way that the secondary CIDRs are configured for services and pods in the clusters. In the v1 project, this was done via the cluster itself but there are limitations in the size of the CIDRs that make it impossible to run very small GKE clusters. The v2 project updates this to create secondary ranges directly in the cluster's subnetwork, which provides the flexibility to tailor the ranges to support smaller clusters that are more efficient in their use of IPs. +#### Breaking Changes + +The v2 version of this Terraform project introduces a breaking change in the way that the secondary CIDRs are configured for services and pods in the clusters. In the v1 project, this was done via the cluster itself but there are limitations in the size of the CIDRs that make it impossible to run very small GKE clusters. The v2 project updates this to create secondary ranges directly in the cluster's subnetwork, which provides the flexibility to tailor the ranges to support smaller clusters that are more efficient in their use of IPs. The impact of this change is that v1-based clusters cannot be migrated easily to v2 clusters. + +#### Other Changes + +The v2 version of this Terraform project has moved the use of the node pool modules from the cluster module to the main project. diff --git a/gke/terraform/README.md b/gke/terraform/README.md index 776774e..25b2839 100644 --- a/gke/terraform/README.md +++ b/gke/terraform/README.md @@ -8,7 +8,9 @@ ## Providers -No providers. +| Name | Version | +|------|---------| +| [google](#provider\_google) | ~> 6.0 | ## Modules 
@@ -17,10 +19,17 @@ No providers. | [bastion](#module\_bastion) | ./modules/bastion | n/a | | [cluster](#module\_cluster) | ./modules/cluster | n/a | | [network](#module\_network) | ./modules/network | n/a | +| [node\_pool\_monitoring](#module\_node\_pool\_monitoring) | ./modules/broker-node-pool | n/a | +| [node\_pool\_prod100k](#module\_node\_pool\_prod100k) | ./modules/broker-node-pool | n/a | +| [node\_pool\_prod10k](#module\_node\_pool\_prod10k) | ./modules/broker-node-pool | n/a | +| [node\_pool\_prod1k](#module\_node\_pool\_prod1k) | ./modules/broker-node-pool | n/a | +| [node\_pool\_system](#module\_node\_pool\_system) | ./modules/system-node-pool | n/a | ## Resources -No resources. +| Name | Type | +|------|------| +| [google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source | ## Inputs diff --git a/gke/terraform/main.tf b/gke/terraform/main.tf index 033d52c..94a99f3 100644 --- a/gke/terraform/main.tf +++ b/gke/terraform/main.tf 
@@ -48,17 +48,185 @@ module "cluster" { master_ipv4_cidr_block = var.master_ipv4_cidr_block - max_pods_per_node_system = var.max_pods_per_node_system - max_pods_per_node_messaging = var.max_pods_per_node_messaging - node_pool_max_size = var.node_pool_max_size - kubernetes_api_public_access = var.kubernetes_api_public_access kubernetes_api_authorized_networks = var.create_bastion && var.create_network ? concat(var.kubernetes_api_authorized_networks, [var.network_cidr_range]) : var.kubernetes_api_authorized_networks network_name = var.create_network ? module.network.network_name : var.network_name subnetwork_name = var.create_network ? module.network.subnetwork_name : var.subnetwork_name - secondary_range_name_services = var.create_network ? module.network.secondary_range_name_services : var.secondary_range_name_services - secondary_range_name_pods = var.create_network ? module.network.secondary_cidr_range_name_pods : var.secondary_range_name_pods - secondary_range_name_messaging_pods = var.create_network ? module.network.secondary_range_name_messaging_pods : var.secondary_range_name_messaging_pods + secondary_range_name_services = var.create_network ? module.network.secondary_range_name_services : var.secondary_range_name_services + secondary_range_name_pods = var.create_network ? 
module.network.secondary_cidr_range_name_pods : var.secondary_range_name_pods +} + +################################################################################ +# Node Pools +################################################################################ + +locals { + system_machine_type = "n2-standard-2" + prod1k_machine_type = "n2-highmem-2" + prod10k_machine_type = "n2-highmem-4" + prod100k_machine_type = "n2-highmem-8" + monitoring_machine_type = "e2-standard-2" +} + +data "google_compute_zones" "available" {} + +module "node_pool_system" { + source = "./modules/system-node-pool" + + region = var.region + cluster_name = module.cluster.cluster_name + common_labels = var.common_labels + node_pool_name = "system" + kubernetes_version = module.cluster.master_version + availability_zones = data.google_compute_zones.available.names + + worker_node_machine_type = local.system_machine_type + worker_node_service_account = module.cluster.worker_node_service_account + + max_pods_per_node = var.max_pods_per_node_system + node_pool_size = 1 +} + +module "node_pool_prod1k" { + source = "./modules/broker-node-pool" + + region = var.region + cluster_name = module.cluster.cluster_name + common_labels = var.common_labels + node_pool_name = "prod1k" + availability_zones = data.google_compute_zones.available.names + kubernetes_version = module.cluster.master_version + + secondary_range_name = var.create_network ? 
module.network.secondary_range_name_messaging_pods : var.secondary_range_name_messaging_pods + + worker_node_machine_type = local.prod1k_machine_type + worker_node_service_account = module.cluster.worker_node_service_account + + max_pods_per_node = var.max_pods_per_node_messaging + node_pool_max_size = var.node_pool_max_size + + node_pool_labels = { + nodeType = "messaging" + serviceClass = "prod1k" + } + + node_pool_taints = [ + { + key = "nodeType" + value = "messaging" + effect = "NO_EXECUTE" + }, + { + key = "serviceClass" + value = "prod1k" + effect = "NO_EXECUTE" + } + ] +} + +module "node_pool_prod10k" { + source = "./modules/broker-node-pool" + + region = var.region + cluster_name = module.cluster.cluster_name + common_labels = var.common_labels + node_pool_name = "prod10k" + availability_zones = data.google_compute_zones.available.names + kubernetes_version = module.cluster.master_version + + secondary_range_name = var.create_network ? module.network.secondary_range_name_messaging_pods : var.secondary_range_name_messaging_pods + + worker_node_machine_type = local.prod10k_machine_type + worker_node_service_account = module.cluster.worker_node_service_account + + max_pods_per_node = var.max_pods_per_node_messaging + node_pool_max_size = var.node_pool_max_size + + node_pool_labels = { + nodeType = "messaging" + serviceClass = "prod10k" + } + + node_pool_taints = [ + { + key = "nodeType" + value = "messaging" + effect = "NO_EXECUTE" + }, + { + key = "serviceClass" + value = "prod10k" + effect = "NO_EXECUTE" + } + ] +} + +module "node_pool_prod100k" { + source = "./modules/broker-node-pool" + + region = var.region + cluster_name = module.cluster.cluster_name + common_labels = var.common_labels + node_pool_name = "prod100k" + availability_zones = data.google_compute_zones.available.names + kubernetes_version = module.cluster.master_version + + secondary_range_name = var.create_network ? 
module.network.secondary_range_name_messaging_pods : var.secondary_range_name_messaging_pods + + worker_node_machine_type = local.prod100k_machine_type + worker_node_service_account = module.cluster.worker_node_service_account + + max_pods_per_node = var.max_pods_per_node_messaging + node_pool_max_size = var.node_pool_max_size + + node_pool_labels = { + nodeType = "messaging" + serviceClass = "prod100k" + } + + node_pool_taints = [ + { + key = "nodeType" + value = "messaging" + effect = "NO_EXECUTE" + }, + { + key = "serviceClass" + value = "prod100k" + effect = "NO_EXECUTE" + } + ] +} + +module "node_pool_monitoring" { + source = "./modules/broker-node-pool" + + region = var.region + cluster_name = module.cluster.cluster_name + common_labels = var.common_labels + node_pool_name = "monitoring" + availability_zones = data.google_compute_zones.available.names + kubernetes_version = module.cluster.master_version + + secondary_range_name = var.create_network ? module.network.secondary_range_name_messaging_pods : var.secondary_range_name_messaging_pods + + worker_node_machine_type = local.monitoring_machine_type + worker_node_service_account = module.cluster.worker_node_service_account + + max_pods_per_node = var.max_pods_per_node_messaging + node_pool_max_size = var.node_pool_max_size + + node_pool_labels = { + nodeType = "monitoring" + } + + node_pool_taints = [ + { + key = "nodeType" + value = "monitoring" + effect = "NO_EXECUTE" + } + ] } \ No newline at end of file diff --git a/gke/terraform/modules/broker-node-pool/README.md b/gke/terraform/modules/broker-node-pool/README.md index 1767161..8f68570 100644 --- a/gke/terraform/modules/broker-node-pool/README.md +++ b/gke/terraform/modules/broker-node-pool/README.md 
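Review bot: `data "google_compute_zones" "available" {}` carries no `region` argument, so its zone list comes from the provider's configured region rather than from `var.region`, while every node pool it feeds is placed in `var.region`; if the two ever differ, `node_locations` would name zones outside the pool's region and the API would likely reject the pool. Pinning it with `data "google_compute_zones" "available" { region = var.region }` keeps the data source and the pools in step. The same unconstrained data source existed in the removed cluster module, so this is carried over rather than introduced, but it now sits next to the `var.region` it should mirror. Separately, the four `broker-node-pool` module blocks differ only in name, machine type and the `nodeType`/`serviceClass` label and taint values; a `for_each` over a local map of pool definitions would remove the repetition, though that is a style follow-up rather than a defect.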
@@ -33,12 +33,11 @@ No modules.
 | [max\_pods\_per\_node](#input\_max\_pods\_per\_node) | The maximum number of pods per worker node for the node pool. | `number` | n/a | yes |
 | [node\_pool\_labels](#input\_node\_pool\_labels) | Kubernetes labels added to worker nodes in the node pool. | `map(string)` | n/a | yes |
 | [node\_pool\_max\_size](#input\_node\_pool\_max\_size) | The maximum number of worker nodes for the node pool. | `string` | n/a | yes |
-| [node\_pool\_name](#input\_node\_pool\_name) | The name prefix the node pool. | `string` | n/a | yes |
+| [node\_pool\_name](#input\_node\_pool\_name) | The name the node pool. | `string` | n/a | yes |
 | [node\_pool\_taints](#input\_node\_pool\_taints) | Kubernetes taints added to worker nodes in the node pool. | `list(map(string))` | n/a | yes |
 | [region](#input\_region) | n/a | `string` | n/a | yes |
 | [secondary\_range\_name](#input\_secondary\_range\_name) | The name of the secondary CIDR range for the node pool. | `string` | n/a | yes |
 | [worker\_node\_machine\_type](#input\_worker\_node\_machine\_type) | The machine type used for the worker nodes in this node pool. | `string` | n/a | yes |
-| [worker\_node\_oauth\_scopes](#input\_worker\_node\_oauth\_scopes) | The OAuth scopes that will be assigned to the worker nodes in this node pool. | `list(string)` | n/a | yes |
 | [worker\_node\_service\_account](#input\_worker\_node\_service\_account) | The service account that will be assigned to the worker nodes in this node pool. | `string` | n/a | yes |
 
 ## Outputs
diff --git a/gke/terraform/modules/broker-node-pool/main.tf b/gke/terraform/modules/broker-node-pool/main.tf
index 1f2ca58..42ab571 100644
--- a/gke/terraform/modules/broker-node-pool/main.tf
+++ b/gke/terraform/modules/broker-node-pool/main.tf
@@ -1,3 +1,9 @@
+locals {
+ worker_node_oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+}
+
 resource "google_container_node_pool" "this" {
 name = var.node_pool_name
 location = var.region
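Review bot: The new `locals` block hard-codes `https://www.googleapis.com/auth/cloud-platform`, the broadest OAuth scope, and nothing in the module says why that is acceptable; a reader auditing node permissions should not have to know that access is bounded by the IAM roles bound to the service account rather than by the scope list. A comment such as `# Broad scope by design: effective node permissions are bounded by the IAM roles bound to var.worker_node_service_account, not by this scope list.` would carry that intent. Dropping the `worker_node_oauth_scopes` input (variables.tf hunk below) also removes the caller's ability to narrow the scopes, which is fine if the service account is least-privilege but worth stating in the module README next to the deleted row. The identical `locals` block appears again in the new `system-node-pool/main.tf`; the comment belongs in both.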
@@ -15,7 +21,7 @@ resource "google_container_node_pool" "this" {
 node_config {
 machine_type = var.worker_node_machine_type
 image_type = "UBUNTU_CONTAINERD" #checkov:skip=CKV_GCP_22:Ubuntu is required for XFS support
- oauth_scopes = var.worker_node_oauth_scopes
+ oauth_scopes = local.worker_node_oauth_scopes
 service_account = var.worker_node_service_account
 resource_labels = var.common_labels
 
diff --git a/gke/terraform/modules/broker-node-pool/variables.tf b/gke/terraform/modules/broker-node-pool/variables.tf
index 721eb27..816e03b 100644
--- a/gke/terraform/modules/broker-node-pool/variables.tf
+++ b/gke/terraform/modules/broker-node-pool/variables.tf
@@ -15,7 +15,7 @@ variable "common_labels" {
 
 variable "node_pool_name" {
 type = string
- description = "The name prefix the node pool."
+ description = "The name the node pool."
 }
 
 variable "availability_zones" {
@@ -28,11 +28,6 @@ variable "worker_node_machine_type" {
 description = "The machine type used for the worker nodes in this node pool."
 }
 
-variable "worker_node_oauth_scopes" {
- type = list(string)
- description = "The OAuth scopes that will be assigned to the worker nodes in this node pool."
-}
-
 variable "worker_node_service_account" {
 type = string
 description = "The service account that will be assigned to the worker nodes in this node pool."
diff --git a/gke/terraform/modules/cluster/README.md b/gke/terraform/modules/cluster/README.md
index dfe739f..b75b4ae 100644
--- a/gke/terraform/modules/cluster/README.md
+++ b/gke/terraform/modules/cluster/README.md
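Review bot: The rewritten description `"The name the node pool."` in the variables.tf hunk drops a word and reads as a typo rather than as the intended clarification that the value is no longer a prefix; `description = "The name of the node pool."` says it. The same string is rendered in the broker-node-pool README hunk above and repeated in the new `system-node-pool/README.md` and `system-node-pool/variables.tf` further down, so all four places should change together (the README tables look generated, so fixing the two variables.tf files and regenerating should suffice).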
@@ -14,21 +14,14 @@ ## Modules -| Name | Source | Version | -|------|--------|---------| -| [node\_group\_monitoring](#module\_node\_group\_monitoring) | ../broker-node-pool | n/a | -| [node\_group\_prod100k](#module\_node\_group\_prod100k) | ../broker-node-pool | n/a | -| [node\_group\_prod10k](#module\_node\_group\_prod10k) | ../broker-node-pool | n/a | -| [node\_group\_prod1k](#module\_node\_group\_prod1k) | ../broker-node-pool | n/a | +No modules. ## Resources | Name | Type | |------|------| | [google_container_cluster.cluster](https://registry.terraform.io/providers/hashicorp/google/6.10.0/docs/resources/container_cluster) | resource | -| [google_container_node_pool.system](https://registry.terraform.io/providers/hashicorp/google/6.10.0/docs/resources/container_node_pool) | resource | | [google_service_account.cluster](https://registry.terraform.io/providers/hashicorp/google/6.10.0/docs/resources/service_account) | resource | -| [google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google/6.10.0/docs/data-sources/compute_zones) | data source | | [google_container_engine_versions.this](https://registry.terraform.io/providers/hashicorp/google/6.10.0/docs/data-sources/container_engine_versions) | data source | ## Inputs 
@@ -41,18 +34,18 @@ | [kubernetes\_api\_public\_access](#input\_kubernetes\_api\_public\_access) | When set to true, the Kubernetes API is accessible publicly from the provided authorized networks. | `bool` | `false` | no | | [kubernetes\_version](#input\_kubernetes\_version) | The kubernetes version to use. Only used a creation time, ignored once the cluster exists. | `string` | n/a | yes | | [master\_ipv4\_cidr\_block](#input\_master\_ipv4\_cidr\_block) | The CIDR used to assign IPs to the Kubernetes API endpoints. | `string` | n/a | yes | -| [max\_pods\_per\_node\_messaging](#input\_max\_pods\_per\_node\_messaging) | The maximum number of pods per worker node for the messaging node pools. | `number` | `8` | no | -| [max\_pods\_per\_node\_system](#input\_max\_pods\_per\_node\_system) | The maximum number of pods per worker node for the system node pool. | `number` | `16` | no | | [network\_name](#input\_network\_name) | The name of the network where the cluster will reside. | `string` | n/a | yes | -| [node\_pool\_max\_size](#input\_node\_pool\_max\_size) | The maximum number of worker nodes for the messaging node pools. | `string` | `20` | no | | [project](#input\_project) | The GCP project that the cluster will reside in. | `string` | n/a | yes | | [region](#input\_region) | The GCP region that the cluster will reside in. | `string` | n/a | yes | -| [secondary\_range\_name\_messaging\_pods](#input\_secondary\_range\_name\_messaging\_pods) | The name of the secondary CIDR range for the cluster's messaging node pools, if provided. | `string` | `null` | no | | [secondary\_range\_name\_pods](#input\_secondary\_range\_name\_pods) | The name of the secondary CIDR range for the cluster's node pools. If a separate CIDR range is provided for messaging pods, this range will be used for just the system (default) node pool. 
| `string` | n/a | yes | | [secondary\_range\_name\_services](#input\_secondary\_range\_name\_services) | The name of the secondary CIDR range for the cluster's services. | `string` | n/a | yes | | [subnetwork\_name](#input\_subnetwork\_name) | The name of the subnetwork where the cluster will reside. | `string` | n/a | yes | ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [cluster\_name](#output\_cluster\_name) | n/a | +| [master\_version](#output\_master\_version) | n/a | +| [worker\_node\_service\_account](#output\_worker\_node\_service\_account) | n/a | \ No newline at end of file diff --git a/gke/terraform/modules/cluster/main.tf b/gke/terraform/modules/cluster/main.tf index 12dd6b5..2d5f468 100644 --- a/gke/terraform/modules/cluster/main.tf +++ b/gke/terraform/modules/cluster/main.tf @@ -1,15 +1,3 @@ -locals { - worker_node_oauth_scopes = [ - "https://www.googleapis.com/auth/cloud-platform" - ] - - system_machine_type = "n2-standard-2" - prod1k_machine_type = "n2-highmem-2" - prod10k_machine_type = "n2-highmem-4" - prod100k_machine_type = "n2-highmem-8" - monitoring_machine_type = "e2-standard-2" -} - resource "google_service_account" "cluster" { account_id = var.cluster_name display_name = "Service account for ${var.cluster_name} worker nodes" 
@@ -102,195 +90,4 @@ resource "google_container_cluster" "cluster" { lifecycle { ignore_changes = [min_master_version] } -} - -################################################################################ -# Node Pools -################################################################################ - -data "google_compute_zones" "available" { - -} - -resource "google_container_node_pool" "system" { - name = "system" - location = var.region - cluster = google_container_cluster.cluster.name - - max_pods_per_node = var.max_pods_per_node_system - - network_config { - enable_private_nodes = true - } - - node_config { - machine_type = local.system_machine_type - image_type = "COS_CONTAINERD" - oauth_scopes = local.worker_node_oauth_scopes - service_account = google_service_account.cluster.email - resource_labels = var.common_labels - - shielded_instance_config { - enable_secure_boot = true - enable_integrity_monitoring = true - } - - workload_metadata_config { - mode = "GKE_METADATA" - } - } - - management { - #checkov:skip=CKV_GCP_10:Auto-upgrade disabled - Solace recommends that clusters be upgraded manually - auto_upgrade = false - auto_repair = true - } - - node_count = 1 -} - -module "node_group_prod1k" { - source = "../broker-node-pool" - - region = var.region - cluster_name = google_container_cluster.cluster.name - common_labels = var.common_labels - node_pool_name = "prod1k" - availability_zones = data.google_compute_zones.available.names - kubernetes_version = google_container_cluster.cluster.master_version - - secondary_range_name = var.secondary_range_name_messaging_pods - - worker_node_machine_type = local.prod1k_machine_type - worker_node_oauth_scopes = local.worker_node_oauth_scopes - worker_node_service_account = google_service_account.cluster.email - - max_pods_per_node = var.max_pods_per_node_messaging - node_pool_max_size = var.node_pool_max_size - - node_pool_labels = { - nodeType = "messaging" - serviceClass = "prod1k" - } - - node_pool_taints = [ 
- { - key = "nodeType" - value = "messaging" - effect = "NO_EXECUTE" - }, - { - key = "serviceClass" - value = "prod1k" - effect = "NO_EXECUTE" - } - ] -} - -module "node_group_prod10k" { - source = "../broker-node-pool" - - region = var.region - cluster_name = google_container_cluster.cluster.name - common_labels = var.common_labels - node_pool_name = "prod10k" - availability_zones = data.google_compute_zones.available.names - kubernetes_version = google_container_cluster.cluster.master_version - - secondary_range_name = var.secondary_range_name_messaging_pods - - worker_node_machine_type = local.prod10k_machine_type - worker_node_oauth_scopes = local.worker_node_oauth_scopes - worker_node_service_account = google_service_account.cluster.email - - max_pods_per_node = var.max_pods_per_node_messaging - node_pool_max_size = var.node_pool_max_size - - node_pool_labels = { - nodeType = "messaging" - serviceClass = "prod10k" - } - - node_pool_taints = [ - { - key = "nodeType" - value = "messaging" - effect = "NO_EXECUTE" - }, - { - key = "serviceClass" - value = "prod10k" - effect = "NO_EXECUTE" - } - ] -} - -module "node_group_prod100k" { - source = "../broker-node-pool" - - region = var.region - cluster_name = google_container_cluster.cluster.name - common_labels = var.common_labels - node_pool_name = "prod100k" - availability_zones = data.google_compute_zones.available.names - kubernetes_version = google_container_cluster.cluster.master_version - - secondary_range_name = var.secondary_range_name_messaging_pods - - worker_node_machine_type = local.prod100k_machine_type - worker_node_oauth_scopes = local.worker_node_oauth_scopes - worker_node_service_account = google_service_account.cluster.email - - max_pods_per_node = var.max_pods_per_node_messaging - node_pool_max_size = var.node_pool_max_size - - node_pool_labels = { - nodeType = "messaging" - serviceClass = "prod100k" - } - - node_pool_taints = [ - { - key = "nodeType" - value = "messaging" - effect = "NO_EXECUTE" 
- },
- {
- key = "serviceClass"
- value = "prod100k"
- effect = "NO_EXECUTE"
- }
- ]
-}
-
-module "node_group_monitoring" {
- source = "../broker-node-pool"
-
- region = var.region
- cluster_name = google_container_cluster.cluster.name
- common_labels = var.common_labels
- node_pool_name = "monitoring"
- availability_zones = data.google_compute_zones.available.names
- kubernetes_version = google_container_cluster.cluster.master_version
-
- secondary_range_name = var.secondary_range_name_messaging_pods
-
- worker_node_machine_type = local.monitoring_machine_type
- worker_node_oauth_scopes = local.worker_node_oauth_scopes
- worker_node_service_account = google_service_account.cluster.email
-
- max_pods_per_node = var.max_pods_per_node_messaging
- node_pool_max_size = var.node_pool_max_size
-
- node_pool_labels = {
- nodeType = "monitoring"
- }
-
- node_pool_taints = [
- {
- key = "nodeType"
- value = "monitoring"
- effect = "NO_EXECUTE"
- }
- ]
 }
\ No newline at end of file
diff --git a/gke/terraform/modules/cluster/outputs.tf b/gke/terraform/modules/cluster/outputs.tf
index e69de29..d3056c8 100644
--- a/gke/terraform/modules/cluster/outputs.tf
+++ b/gke/terraform/modules/cluster/outputs.tf
@@ -0,0 +1,11 @@
+output "cluster_name" {
+ value = google_container_cluster.cluster.name
+}
+
+output "master_version" {
+ value = google_container_cluster.cluster.master_version
+}
+
+output "worker_node_service_account" {
+ value = google_service_account.cluster.email
+}
\ No newline at end of file
diff --git a/gke/terraform/modules/cluster/variables.tf b/gke/terraform/modules/cluster/variables.tf
index 40d6ba3..2fb2350 100644
--- a/gke/terraform/modules/cluster/variables.tf
+++ b/gke/terraform/modules/cluster/variables.tf
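Review bot: None of the three new outputs in outputs.tf carries a `description`, which is why the cluster README hunk above renders them as `n/a`; since these outputs are now the contract the root project's node pool modules depend on, each deserves one line. For example `description = "Name of the GKE cluster."` on `cluster_name`, `description = "Kubernetes version of the cluster control plane; the root project passes it to node pools as their version."` on `master_version`, and `description = "Email of the service account assigned to worker nodes."` on `worker_node_service_account`.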
@@ -49,35 +49,11 @@ variable "secondary_range_name_pods" { description = "The name of the secondary CIDR range for the cluster's node pools. If a separate CIDR range is provided for messaging pods, this range will be used for just the system (default) node pool." } -variable "secondary_range_name_messaging_pods" { - type = string - default = null - description = "The name of the secondary CIDR range for the cluster's messaging node pools, if provided." -} - variable "master_ipv4_cidr_block" { type = string description = "The CIDR used to assign IPs to the Kubernetes API endpoints." } -variable "max_pods_per_node_system" { - type = number - default = 16 - description = "The maximum number of pods per worker node for the system node pool." -} - -variable "max_pods_per_node_messaging" { - type = number - default = 8 - description = "The maximum number of pods per worker node for the messaging node pools." -} - -variable "node_pool_max_size" { - type = string - default = 20 - description = "The maximum number of worker nodes for the messaging node pools." -} - variable "kubernetes_api_public_access" { type = bool default = false diff --git a/gke/terraform/modules/system-node-pool/README.md b/gke/terraform/modules/system-node-pool/README.md new file mode 100644 index 0000000..e60ed74 --- /dev/null +++ b/gke/terraform/modules/system-node-pool/README.md 
@@ -0,0 +1,43 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.3 | +| [google](#requirement\_google) | 6.10.0 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 6.10.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [google_container_node_pool.this](https://registry.terraform.io/providers/hashicorp/google/6.10.0/docs/resources/container_node_pool) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [availability\_zones](#input\_availability\_zones) | The availability zones for the node pool. | `list(string)` | n/a | yes | +| [cluster\_name](#input\_cluster\_name) | The name of the cluster and name (or name prefix) for all other infrastructure. | `string` | n/a | yes | +| [common\_labels](#input\_common\_labels) | Labels that are added to all resources created by this module. | `map(string)` | `{}` | no | +| [kubernetes\_version](#input\_kubernetes\_version) | The Kubernetes version for the node pool. | `string` | n/a | yes | +| [max\_pods\_per\_node](#input\_max\_pods\_per\_node) | The maximum number of pods per worker node for the node pool. | `number` | n/a | yes | +| [node\_pool\_name](#input\_node\_pool\_name) | The name the node pool. | `string` | n/a | yes | +| [node\_pool\_size](#input\_node\_pool\_size) | The number of worker nodes for the node pool (per zone). | `string` | n/a | yes | +| [region](#input\_region) | n/a | `string` | n/a | yes | +| [worker\_node\_machine\_type](#input\_worker\_node\_machine\_type) | The machine type used for the worker nodes in this node pool. | `string` | n/a | yes | +| [worker\_node\_service\_account](#input\_worker\_node\_service\_account) | The service account that will be assigned to the worker nodes in this node pool. | `string` | n/a | yes | + +## Outputs + +No outputs. 
+
\ No newline at end of file
diff --git a/gke/terraform/modules/system-node-pool/main.tf b/gke/terraform/modules/system-node-pool/main.tf
new file mode 100644
index 0000000..fd60361
--- /dev/null
+++ b/gke/terraform/modules/system-node-pool/main.tf
@@ -0,0 +1,43 @@
+locals {
+ worker_node_oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+}
+
+resource "google_container_node_pool" "this" {
+ name = var.node_pool_name
+ location = var.region
+ cluster = var.cluster_name
+ max_pods_per_node = var.max_pods_per_node
+ node_locations = var.availability_zones
+ version = var.kubernetes_version
+
+ network_config {
+ enable_private_nodes = true
+ }
+
+ node_config {
+ machine_type = var.worker_node_machine_type
+ image_type = "COS_CONTAINERD"
+ oauth_scopes = local.worker_node_oauth_scopes
+ service_account = var.worker_node_service_account
+ resource_labels = var.common_labels
+
+ shielded_instance_config {
+ enable_secure_boot = true
+ enable_integrity_monitoring = true
+ }
+
+ workload_metadata_config {
+ mode = "GKE_METADATA"
+ }
+ }
+
+ management {
+ #checkov:skip=CKV_GCP_10:Auto-upgrade disabled - Solace recommends that clusters be upgraded manually
+ auto_upgrade = false
+ auto_repair = true
+ }
+
+ node_count = var.node_pool_size
+}
\ No newline at end of file
diff --git a/gke/terraform/modules/system-node-pool/variables.tf b/gke/terraform/modules/system-node-pool/variables.tf
new file mode 100644
index 0000000..273f662
--- /dev/null
+++ b/gke/terraform/modules/system-node-pool/variables.tf
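Review bot: The new `google_container_node_pool.this` sets `version = var.kubernetes_version` and `node_locations = var.availability_zones`, neither of which the removed `google_container_node_pool.system` in the cluster module set, so the migrated system pool is not a pure move; with the root project passing `module.cluster.master_version` as the version and `management.auto_upgrade = false`, a manual control-plane upgrade will likely surface as a planned node pool version change on the next run. If that drift is the intended upgrade path it should be documented; if not, `lifecycle { ignore_changes = [version] }` mirrors the `ignore_changes = [min_master_version]` the cluster resource already uses. A header comment such as `# System (default) node pool: one node per zone, COS image, private nodes, GKE metadata server.` would also help, since the module has no README text beyond the generated tables. The `string`-typed `node_pool_size` feeding `node_count` is noted on the variables.tf hunk below.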
@@ -0,0 +1,49 @@
+variable "region" {
+ type = string
+}
+
+variable "cluster_name" {
+ type = string
+ description = "The name of the cluster and name (or name prefix) for all other infrastructure."
+}
+
+variable "common_labels" {
+ type = map(string)
+ default = {}
+ description = "Labels that are added to all resources created by this module."
+}
+
+variable "node_pool_name" {
+ type = string
+ description = "The name the node pool."
+}
+
+variable "availability_zones" {
+ type = list(string)
+ description = "The availability zones for the node pool."
+}
+
+variable "worker_node_machine_type" {
+ type = string
+ description = "The machine type used for the worker nodes in this node pool."
+}
+
+variable "worker_node_service_account" {
+ type = string
+ description = "The service account that will be assigned to the worker nodes in this node pool."
+}
+
+variable "max_pods_per_node" {
+ type = number
+ description = "The maximum number of pods per worker node for the node pool."
+}
+
+variable "node_pool_size" {
+ type = string
+ description = "The number of worker nodes for the node pool (per zone)."
+}
+
+variable "kubernetes_version" {
+ type = string
+ description = "The Kubernetes version for the node pool."
+}
\ No newline at end of file
diff --git a/gke/terraform/modules/system-node-pool/versions.tf b/gke/terraform/modules/system-node-pool/versions.tf
new file mode 100644
index 0000000..5154ab5
--- /dev/null
+++ b/gke/terraform/modules/system-node-pool/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.3"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "6.10.0"
+ }
+ }
+}
\ No newline at end of file
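Review bot: `node_pool_size` is declared `type = string` but is consumed as `node_count` in main.tf, which is numeric; Terraform coerces "1" silently, but a non-numeric value is rejected only where `node_count` is evaluated rather than at variable validation, so `type = number` reports it earlier and matches `max_pods_per_node` just above it. `region` is the only input with no `description`, which the README hunk renders as `n/a`; `description = "The GCP region that the node pool will reside in."` matches the wording the cluster module uses. The `"The name the node pool."` wording on `node_pool_name` is noted on the broker-node-pool variables.tf hunk.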