Ecosyste.ms: Awesome

https://github.com/memes/terraform-google-private-gke-cluster

Terraform module to create regional GKE clusters without public IP addresses on nodes or control plane

# Private regional GKE cluster

![GitHub release](https://img.shields.io/github/v/release/memes/terraform-google-private-gke-cluster?sort=semver)
![Maintenance](https://img.shields.io/maintenance/yes/2024)
[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)

This Terraform module creates a private regional GKE cluster:

* The default node pool is deleted and a dedicated node pool is created
* All nodes and masters have private IP addresses only
* Access to the master nodes is restricted to addresses in the VPC network
* Cluster deletion prevention is disabled
* Options are opinionated; not all configurations are possible in this module

> NOTE: This module is deliberately restrictive compared to the
> [Google GKE Terraform](https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest)
> module. If you need flexibility you should use that module instead.

## Submodules

* [autopilot](modules/autopilot) provides a private regional Autopilot GKE
cluster with a subset of options, as permitted for Autopilot clusters.
* [kubeconfig](modules/kubeconfig) provides a way to generate a user or Kubernetes
service account kubeconfig from a GKE self-link.
* [sa](modules/sa) creates a Google Cloud service account with the recommended
IAM roles for logging and monitoring. If a list of GCR and/or GAR
repos is provided, the generated SA is granted read-only access to those
repos.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.2 |
| [google](#requirement\_google) | >= 5.21 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [google-beta_google_container_cluster.cluster](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_cluster) | resource |
| [google-beta_google_container_node_pool.pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource |
| [google_compute_subnetwork.subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_subnetwork) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [master\_authorized\_networks](#input\_master\_authorized\_networks) | A set of CIDRs that are permitted to reach the kubernetes API endpoints. | `list(object({...}))` (see below) | n/a | yes |
| [name](#input\_name) | The name to use when naming resources managed by this module. Must be RFC1035 compliant and between 1 and 63 characters in length, inclusive. | `string` | n/a | yes |
| [node\_pools](#input\_node\_pools) | Defines the mapping of node pool names (keys) to attributes of the node pools. | `map(object({...}))` (see below) | n/a | yes |
| [project\_id](#input\_project\_id) | The GCP project identifier where the GKE cluster will be created. | `string` | n/a | yes |
| [service\_account](#input\_service\_account) | The Compute Engine service account that worker nodes will use. | `string` | n/a | yes |
| [subnet](#input\_subnet) | Provides the subnet self\_link to which the cluster will be attached, the *names* of the secondary ranges to use for pods and services, and the CIDR to use for masters. | `object({...})` (see below) | n/a | yes |
| [autoscaling](#input\_autoscaling) | Configures cluster-scoped node auto-provisioning parameters. If null (default) then autoscaling with node auto-provisioning will be disabled for the cluster and node-pool definitions will be required for a functioning cluster. If specified, a set of resource\_limits containing 'cpu' and 'memory' values must be provided. | `object({...})` (see below) | `null` | no |
| [description](#input\_description) | An optional description to add to the Autopilot GKE cluster. | `string` | `null` | no |
| [dns](#input\_dns) | An optional value to trigger integration of Cloud DNS as the preferred DNS provider in the cluster. Default is null, which will create a cluster with KubeDNS as the provider. | `object({...})` (see below) | `null` | no |
| [features](#input\_features) | The set of features that will be enabled on the GKE cluster. | `object({...})` (see below) | see below | no |
| [labels](#input\_labels) | An optional set of key:value string pairs that will be added on the | `map(string)` | `{}` | no |
| [maintenance](#input\_maintenance) | Defines the times that GKE is permitted to perform automatic cluster maintenance. | `object({...})` (see below) | see below | no |
| [options](#input\_options) | Defines the set of GKE options to use when provisioning the cluster. Default values will create a cluster from the STABLE release channel with a private RFC1918 endpoint. | `object({...})` (see below) | see below | no |

Full type definitions, and defaults, for the object-valued inputs:

`master_authorized_networks` type:

```hcl
list(object({
  cidr_block   = string
  display_name = string
}))
```

`node_pools` type:

```hcl
map(object({
  auto_upgrade                = bool
  autoscaling                 = bool
  location_policy             = string
  min_nodes_per_zone          = number
  max_nodes_per_zone          = number
  auto_repair                 = bool
  disk_size                   = number
  disk_type                   = string
  image_type                  = string
  labels                      = map(string)
  local_ssd_count             = number
  ephemeral_local_ssd_count   = number
  machine_type                = string
  min_cpu_platform            = string
  preemptible                 = bool
  spot                        = bool
  boot_disk_kms_key           = string
  enable_gcfs                 = bool
  enable_gvnic                = bool
  enable_gvisor_sandbox       = bool
  enable_secure_boot          = bool
  enable_integrity_monitoring = bool
  max_surge                   = number
  max_unavailable             = number
  placement_policy            = string
  metadata                    = map(string)
  sysctls                     = map(string)
  taints = list(object({
    key    = string
    value  = string
    effect = string
  }))
  tags = list(string)
}))
```

`subnet` type:

```hcl
object({
  self_link           = string
  pods_range_name     = string
  services_range_name = string
  master_cidr         = string
})
```

`autoscaling` type (default `null`):

```hcl
object({
  autoscaling_profile = string
  resource_limits = list(object({
    resource_type = string
    maximum       = number
    minimum       = number
  }))
  nap = object({
    min_cpu_platform            = string
    boot_disk_kms_key           = string
    disk_size                   = number
    disk_type                   = string
    image_type                  = string
    auto_upgrade                = bool
    auto_repair                 = bool
    enable_secure_boot          = bool
    enable_integrity_monitoring = bool
    tags                        = list(string)
  })
})
```

`dns` type (default `null`):

```hcl
object({
  cluster_dns        = string
  cluster_dns_scope  = string
  cluster_dns_domain = string
})
```

`features` type:

```hcl
object({
  alpha                = bool
  binary_authorization = bool
  cloudrun             = bool
  confidential_nodes   = bool
  config_connector     = bool
  csi_filestore        = bool
  csi_gce_pd           = bool
  gke_backup           = bool
  hpa                  = bool
  identity_service     = bool
  intranode_visibility = bool
  istio                = bool
  kalm                 = bool
  l7_lb                = bool
  sandbox              = bool
  service_external_ips = bool
  shielded_nodes       = bool
  tpu                  = bool
  vpa                  = bool
})
```

`features` default:

```json
{
  "alpha": false,
  "binary_authorization": false,
  "cloudrun": false,
  "confidential_nodes": false,
  "config_connector": false,
  "csi_filestore": false,
  "csi_gce_pd": false,
  "gke_backup": false,
  "hpa": true,
  "identity_service": false,
  "intranode_visibility": false,
  "istio": false,
  "kalm": false,
  "l7_lb": true,
  "sandbox": false,
  "service_external_ips": false,
  "shielded_nodes": true,
  "tpu": false,
  "vpa": false
}
```

`maintenance` type:

```hcl
object({
  start_time = string
  end_time   = string
  exclusions = list(object({
    name            = string
    start_time      = string
    end_time        = string
    exclusion_scope = string
  }))
  recurrence = string
})
```

`maintenance` default:

```json
{
  "end_time": "",
  "exclusions": [],
  "recurrence": "",
  "start_time": "05:00"
}
```

`options` type:

```hcl
object({
  release_channel      = string
  version              = string
  workload_pool        = string
  master_global_access = bool
  etcd_kms             = string
  max_pods_per_node    = number
  private_endpoint     = bool
  default_snat         = bool
  deletion_protection  = bool
})
```

`options` default:

```json
{
  "default_snat": true,
  "deletion_protection": false,
  "etcd_kms": null,
  "master_global_access": true,
  "max_pods_per_node": 110,
  "private_endpoint": true,
  "release_channel": "STABLE",
  "version": null,
  "workload_pool": null
}
```
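An added example (not code from the module's README) of a minimal root-module invocation that supplies every required input. The module source form, project id, subnet self-link, VPC CIDR and node service account are placeholders; every node pool attribute is given explicitly because the object types above declare none of them optional, so Terraform rejects a partial object.

```hcl
module "private_gke" {
  source = "git::https://github.com/memes/terraform-google-private-gke-cluster" # assumed source form; pin a ref
  project_id      = "my-project-id"                                   # placeholder
  name            = "private-gke"
  service_account = "gke-nodes@my-project-id.iam.gserviceaccount.com" # placeholder
  # Only these CIDRs may reach the control plane; with the default options the endpoint is private.
  master_authorized_networks = [
    { cidr_block = "10.0.0.0/8", display_name = "vpc-internal" }, # placeholder VPC range
  ]
  subnet = {
    self_link           = "projects/my-project-id/regions/us-central1/subnetworks/gke-subnet" # placeholder
    pods_range_name     = "pods"
    services_range_name = "services"
    master_cidr         = "172.16.0.0/28"
  }
  node_pools = {
    default = {
      auto_upgrade                = true
      autoscaling                 = true
      location_policy             = "BALANCED"
      min_nodes_per_zone          = 1
      max_nodes_per_zone          = 3
      auto_repair                 = true
      disk_size                   = 50
      disk_type                   = "pd-balanced"
      image_type                  = "COS_CONTAINERD"
      labels                      = {}
      local_ssd_count             = 0
      ephemeral_local_ssd_count   = 0
      machine_type                = "e2-standard-4"
      min_cpu_platform            = null
      preemptible                 = false
      spot                        = false
      boot_disk_kms_key           = null
      enable_gcfs                 = false
      enable_gvnic                = true
      enable_gvisor_sandbox       = false
      enable_secure_boot          = true
      enable_integrity_monitoring = true
      max_surge                   = 1
      max_unavailable             = 0
      placement_policy            = null
      metadata                    = {}
      sysctls                     = {}
      taints                      = []
      tags                        = ["gke-node"]
    }
  }
}
```

Because `options` is a single object with no optional attributes, changing one default such as `deletion_protection = false` means supplying the whole object with all nine attributes.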

## Outputs

| Name | Description |
|------|-------------|
| [ca\_cert](#output\_ca\_cert) | The base64 encoded CA certificate used by the kubernetes master. |
| [endpoint\_url](#output\_endpoint\_url) | The URL to use for master access. |
| [id](#output\_id) | The unique identifier of the GKE cluster. |
| [location](#output\_location) | The location of the GKE cluster. |
| [name](#output\_name) | The name of the GKE cluster. |
| [public\_endpoint\_url](#output\_public\_endpoint\_url) | The URL to use for master access. |