https://github.com/devgurusio/terraform-gcp-gke-ecommerce
Google Kubernetes Engine starter kit to bootstrap an e-commerce site based on microservices
- Host: GitHub
- URL: https://github.com/devgurusio/terraform-gcp-gke-ecommerce
- Owner: Devgurusio
- License: apache-2.0
- Created: 2019-11-03T09:59:17.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2023-02-28T11:16:35.000Z (almost 2 years ago)
- Last Synced: 2023-05-23T18:29:14.757Z (over 1 year ago)
- Topics: bootstrap, bucket, ecommerce-site, gke, microservices, registry, template, terraform
- Language: HCL
- Homepage:
- Size: 59.6 KB
- Stars: 4
- Watchers: 6
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# Google Kubernetes Engine (GKE)
This is an opinionated Terraform module to bootstrap a GKE cluster. Based on our needs and following
[GKE security best practices](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster),
we have enabled or disabled some features by default.

Features enabled:

* Default node pool removed
* Logging and monitoring using Cloud Operations for GKE
* GKE Shielded nodes (with Secure Boot enabled)
* Workload Identity
* VPC-native cluster
* Storage classes using the CSI driver
* Prevent cluster destroy
* Updatable nodes (new node pool created before destroying the old one)
* Non-default service account for nodes
* containerd as the container runtime

Features disabled:

* Basic auth for the API server
* Client certificate issuing for the API server
* Istio addon

## Usage
### Usage example
```hcl
variable "project_id" {
  default = "my-project"
}

module "gke-ecommerce" {
  source  = "Devgurusio/gke-ecommerce/gcp"
  version = "1.4.0"

  project_id = var.project_id
}

# The Google providers take the project under the `project` argument
# (`project_id` is the module input above, not a provider argument).
provider "google" {
  project = var.project_id
}

provider "google-beta" {
  project = var.project_id
}
```

### Requirements
| Name | Version |
| --------- | ------- |
| terraform | ~> 0.14 |

### Providers
| Name | Version |
| ----------- | -------- |
| google | >= 3.60 |
| google-beta | >= 3.60 |
| random | >= 3.1.0 |

### Inputs
| Name | Description | Type | Default | Required |
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- | -------------------------------------------------- | -------- |
| boot_disk_kms_key | CloudKMS key_name to use to encrypt the nodes boot disk. Default: null (encryption disabled) | string | null | no |
| cluster_ipv4_cidr_block | IPv4 CIDR Block for Kubernetes Pods | string | 192.168.0.0/18 | no |
| cluster_name_suffix | A suffix to append to the default cluster name | string | "" | no |
| daily_maintenance_window_start | Time window specified for daily maintenance operations in RFC3339 format | string | 03:00 | no |
| database_encryption | Application-layer Secrets Encryption settings. The object format is `{state = string, key_name = string}`. Valid values of `state` are `"ENCRYPTED"` and `"DECRYPTED"`. `key_name` is the name of a CloudKMS key | object({ state = string, key_name = string }) | `{ state = "DECRYPTED", key_name = "" }` | no |
| enable_hpa | Toggles horizontal pod autoscaling addon | bool | true | no |
| enable_netpol | Toggles network policies enforcement feature | bool | false | no |
| environment | The environment name | string | dev | no |
| gke_auto_max_count | The maximum number of VMs in the pool per zone | number | 2 | no |
| gke_auto_min_count | The minimum number of VMs in the pool per zone | number | 0 | no |
| gke_initial_node_count | The initial number of VMs in the pool per zone | number | 1 | no |
| gke_instance_type | Workers instance type | string | n1-standard-2 | no |
| gke_preemptible | Use preemptible instances for the node pool | bool | true | no |
| icmp_idle_timeout_sec | Timeout (in seconds) for ICMP connections | string | "30" | no |
| master_ipv4_cidr_block | IPv4 CIDR Block for Master Nodes | string | 172.16.0.0/28 | no |
| min_kubernetes_version | The MINIMUM Kubernetes version of the masters. GCP can perform upgrades, so there is no max_version field. If set to 'latest' it will pull the latest available version in the selected region | string | latest | no |
| min_ports_per_vm | Maximum number of concurrent outgoing requests to IP:PORT_PROTOCOL per VM | number | 8192 | no |
| nat_ip_count | The number of NAT IPs | number | 1 | no |
| netpol_provider | Sets the network policy provider | string | CALICO | no |
| node_auto_upgrade | Whether the nodes will be automatically upgraded | bool | true | no |
| node_auto_repair | Whether the nodes will be automatically repaired | bool | true | no |
| node_pool_disk_size | Disk Size for GKE Nodes | number | 40 | no |
| node_pool_disk_type | Disk type for GKE nodes. Available values: pd-standard, pd-ssd. | string | pd-ssd | no |
| project_id | The project ID to host the cluster in | string | null | yes |
| project_name_override | Override project name prefix used in all the resources | string | "" | no |
| regional | Whether this is a regional cluster (zonal cluster if set to false. WARNING: changing this after cluster creation is destructive!) | bool | true | no |
| region | The region to host the cluster in | string | us-central1 | no |
| release_channel | The release channel of this cluster. Allowed values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE` | string | UNSPECIFIED | no |
| services_ipv4_cidr_block | IPv4 CIDR Block for Kubernetes services | string | 192.168.64.0/18 | no |
| subnet_ip_cidr_range | IPv4 CIDR Block for Subnetwork | string | 10.0.0.0/17 | no |
| tcp_established_idle_timeout_sec | The tcp established idle timeout in sec used by the nat gateway | string | "1200" | no |
| tcp_transitory_idle_timeout_sec | The tcp trans idle timeout in sec used by the nat gateway | string | "30" | no |
| udp_idle_timeout_sec | Timeout (in seconds) for UDP connections | string | "30" | no |
| zones | The zones to host the cluster in (required for a zonal cluster) | list(string) | [] | no |

### Outputs
| Name | Description |
| ------------------------ | ---------------------------- |
| google_container_cluster | GKE cluster name |
| k8s_ingress_ip | API server public IP address |
| nat_address | List of NAT addresses |
| network_name | Network name |
| network_self_link | Network selflink |
| subnetwork_name | Subnetwork name |

### Service Account permissions
To be able to bootstrap the cluster, please ensure that the GCP service account has at least these
roles:

* roles/storage.objectAdmin (needed if you use GCS as backend)
* roles/container.admin
* roles/compute.admin
* roles/cloudkms.admin
* roles/iam.serviceAccountAdmin
* roles/iam.serviceAccountUser
* roles/iam.securityAdmin

## Development
Please follow the [contributing guidelines](CONTRIBUTING.md)
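The usage example above relies entirely on the module defaults, several of which the inputs table documents as the weaker of two options (`database_encryption` state `DECRYPTED`, `boot_disk_kms_key` null, `enable_netpol` false, `release_channel` `UNSPECIFIED`, `gke_preemptible` true). The following is an added example, not code from this README or from the Devgurusio module, showing the same module call with those inputs set to hardened values together with the CloudKMS key they refer to. The key ring and key names, the `environment` value and the rotation period are assumptions; the two IAM bindings reflect the standard GCP requirement that the GKE and Compute Engine service agents be able to use a customer-managed key before a cluster or node boot disk can be encrypted with it.

```hcl
# Added example (not part of the module's README): hardened module inputs
# plus the CloudKMS key they reference. Resource names are assumptions.

variable "project_id" {
  default = "my-project"
}

variable "region" {
  default = "us-central1"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

provider "google-beta" {
  project = var.project_id
  region  = var.region
}

# The project number is needed to address the Google-managed service agents.
data "google_project" "this" {
  project_id = var.project_id
}

# One key ring and key, in the cluster's region, used for both node boot-disk
# encryption and application-layer (etcd) secrets encryption. Assumed names.
resource "google_kms_key_ring" "gke" {
  name     = "gke-ecommerce-ring"
  location = var.region
}

resource "google_kms_crypto_key" "gke" {
  name            = "gke-ecommerce-key"
  key_ring        = google_kms_key_ring.gke.id
  rotation_period = "7776000s" # 90 days; assumed policy
}

# GKE's service agent encrypts etcd secrets with the key; without this binding
# cluster creation fails on a permission error against the key.
resource "google_kms_crypto_key_iam_member" "gke_agent" {
  crypto_key_id = google_kms_crypto_key.gke.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@container-engine-robot.iam.gserviceaccount.com"
}

# Compute Engine's service agent encrypts the node boot disks with the key.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.gke.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@compute-system.iam.gserviceaccount.com"
}

module "gke-ecommerce" {
  source  = "Devgurusio/gke-ecommerce/gcp"
  version = "1.4.0"

  project_id  = var.project_id
  region      = var.region
  environment = "prod" # assumed; default is "dev"

  # Inputs whose defaults are the weaker option, overridden here.
  database_encryption = { # default: { state = "DECRYPTED", key_name = "" }
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.gke.id
  }
  boot_disk_kms_key = google_kms_crypto_key.gke.id # default: null (no CMEK)
  enable_netpol     = true                         # default: false
  netpol_provider   = "CALICO"
  release_channel   = "STABLE"                     # default: UNSPECIFIED
  gke_preemptible   = false                        # default: true
  regional          = true                         # keep the default; changing it later is destructive

  daily_maintenance_window_start = "03:00"
}
```

Because the module needs the key to exist and be usable before it creates the cluster, the IAM bindings are expressed as resources the module inputs depend on (through `google_kms_crypto_key.gke.id`), so Terraform orders them ahead of the cluster. This is also why the Service Account permissions section lists `roles/cloudkms.admin` among the roles the bootstrapping account needs.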