{"id":22214019,"url":"https://github.com/xmlking/gcp-terraform","last_synced_at":"2026-03-19T22:07:35.694Z","repository":{"id":36980412,"uuid":"439407215","full_name":"xmlking/gcp-terraform","owner":"xmlking","description":"terraform DebOps for GCP","archived":false,"fork":false,"pushed_at":"2023-03-06T04:00:05.000Z","size":57,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-30T05:43:23.205Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xmlking.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-12-17T17:14:48.000Z","updated_at":"2021-12-19T17:32:40.000Z","dependencies_parsed_at":"2024-02-15T05:43:57.725Z","dependency_job_id":null,"html_url":"https://github.com/xmlking/gcp-terraform","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xmlking%2Fgcp-terraform","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xmlking%2Fgcp-terraform/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xmlking%2Fgcp-terraform/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xmlking%2Fgcp-terraform/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xmlking","download_url":"https://codeload.github.com/xmlking/gcp-terraform/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245409581,"owners_count":20610556,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-02T21:13:00.344Z","updated_at":"2026-01-05T09:07:59.499Z","avatar_url":"https://github.com/xmlking.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gcp-terraform\n\nterraform DevOps for GCP\n\nBased mostly on [Hardening your cluster's security](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster) and [GKE's Security overview](https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview).\n\n## Prerequisites\n\n- Install `gcloud`\n- Install `kubectl`\n- Install `docker`\n\n```\nprojectName=mygke\nrandomSuffix=$(shuf -i 100-999 -n 1)\nprojectId=$projectName-$randomSuffix\nregion=us-east4\nzone=us-east4-a\nclusterName=$projectName\n\n## Setup Project\n\nfolderId=FIXME\ngcloud projects create $projectId \\\n    --folder $folderId \\\n    --name $projectName\ngcloud config set project $projectId\n# Get the billingAccountId from `gcloud beta billing accounts list`\nbillingAccountId=FIXME\ngcloud beta billing projects link $projectId \\\n    --billing-account $billingAccountId\n```\n\nHere is the exhaustive list of the security best practices for your GKE clusters that you should look at:\n- [X] [Use least privilege Google service accounts](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa)\n- [ ] [Creating a Private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters)\n- [X] [Adding authorized networks for cluster master access](https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks)\n- [X] [Nodes auto-upgrades](https://cloud.google.com/kubernetes-engine/docs/concepts/node-auto-upgrades)\n- [X] [Container-Optimized OS](https://cloud.google.com/container-optimized-os/docs/concepts/features-and-benefits)\n- [X] [Using Shielded GKE Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes)\n- [ ] [RBAC](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control)\n- [X] [Enable network policy](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy)\n- [X] [Enable Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)\n- [X] [Enable Binary Authorization](https://cloud.google.com/binary-authorization/docs/overview)\n- [X] [Enable Vulnerability scanning on container registry](https://cloud.google.com/container-registry/docs/vulnerability-scanning)\n- [ ] [Application-layer Secrets Encryption](https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets)\n- [X] [Using network policy logging with Dataplane V2/eBPF](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy-logging)\n- [X] [(beta) Confidential VMs](https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms)\n\nHere are actions you may want to take once your GKE clusters are deployed to help solidify your security posture:\n- [Having a GitOps approach to deploy your app in GKE](https://www.weave.works/blog/what-is-gitops-really) or for example [Anthos Config Management](https://cloud.google.com/anthos/config-management)\n- [Observing your GKE clusters with Google Cloud Ops Suite](https://cloud.google.com/stackdriver/docs/solutions/gke/observing)\n- [Control plane IP rotation](https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation)\n- [Credential rotation](https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation)\n- [Configure Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n- [Harden workload isolation with GKE Sandbox](https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods)\n- Cloud Armor (DDOS + WAF) - FIXME\n\n## Terraform code structure\n\n![code-structure](docs/images/code-structure.png)\n- _modules :_ This folder should contain terraform code for resource creation. Examples: vpc, rds, subnets, etc. Creating modules promotes reusability, hence reducing code duplication. Also, each of the sub-folders/resources in modules should contain a structure like: main.tf, variables.tf, output.tf\n- _policy :_ This folder should contain policy documents such as IAM role policies as JSON files. So this folder acts as a collection of policies used by the modules folder. Examples: rds_iam_role_policy.json, etc.\n- _scripts :_ This folder should contain any scripts, such as shell scripts or Python scripts, used for resource handling or creation. Hence it acts as a common place for any kind of script we write for our infra.\n- _templates :_ In terraform we can use “.tpl” files for various purposes; in such cases we can keep those files in this folder for clarity.\n- _main.tf :_ This file acts as the entry point when we call terraform commands like init, validate, plan, deploy and destroy.\n- _output.tf :_ The outputs which need to be written to the state should be present here.\n- _variables.tf :_ The variables used should be present in this file.\n- _{env}-{region}.tfvars :_ Examples of such files are:\n  - For dev and region eu-central-1, the expected file name is dev-eu-central-1.tfvars.\n  - For int and region eu-central-1, the expected file name is int-eu-central-1.tfvars, and so on.\n  These files contain initialized values for the variables declared in the variables.tf file.\n\nComplementary resources:\n- [Infrastructure as a code best practices : Terraform](https://medium.com/@ranjana-jha/infrastructure-as-a-code-best-practices-terraform-d7ae4291d621)\n- [The Unofficial Google Kubernetes Engine (GKE) Security Guide](https://gkesecurity.guide/)\n- [Best practices for enterprise multi-tenancy with GKE](https://cloud.google.com/kubernetes-engine/docs/best-practices/enterprise-multitenancy)\n- [Security blueprint: PCI on GKE](https://cloud.google.com/architecture/blueprints/gke-pci-dss-blueprint)\n- [Security in KubeCon Europe 2020](https://blog.aquasec.com/kubecon-2020-europe)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxmlking%2Fgcp-terraform","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxmlking%2Fgcp-terraform","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxmlking%2Fgcp-terraform/lists"}