diff --git a/.kitchen.yml b/.kitchen.yml index 6bf414c21f..5535409192 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -50,13 +50,34 @@ suites: systems: - name: node_pool backend: local - - name: "shared_vpc" + - name: "simple_regional_private" + driver: + root_module_directory: test/fixtures/simple_regional_private + verifier: + systems: + - name: simple_regional_private + backend: local + - name: "shared_vpc" driver: root_module_directory: test/fixtures/shared_vpc verifier: systems: - name: shared_vpc backend: local + - name: "safer_cluster" + driver: + root_module_directory: test/fixtures/safer_cluster + verifier: + systems: + - name: safer_cluster + backend: local + - name: "simple_regional" + driver: + root_module_directory: test/fixtures/simple_regional + verifier: + systems: + - name: simple_regional + backend: local - name: "simple_regional" driver: root_module_directory: test/fixtures/simple_regional diff --git a/examples/safer_cluster/README.md b/examples/safer_cluster/README.md new file mode 100644 index 0000000000..160fc74a4c --- /dev/null +++ b/examples/safer_cluster/README.md 
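Review bot: The `simple_regional` suite added at the end of this hunk duplicates the existing `- name: "simple_regional"` suite that immediately follows it as context, with the same root_module_directory and verifier system. Two suites with one name are at best a redundant second converge/verify of the same fixture and may be rejected by test-kitchen; drop the added block, or rename it if a different fixture was intended. The new `safer_cluster` suite points at `test/fixtures/safer_cluster`, so the parallel `test/fixtures/safer-cluster` directory added later in this commit is never exercised.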
@@ -0,0 +1,49 @@
+# Simple Regional Cluster
+
+This example illustrates how to create a simple private cluster with beta features.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cloudrun | Boolean to enable / disable CloudRun | string | `"true"` | no |
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
+| istio | Boolean to enable / disable Istio | string | `"true"` | no |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | |
+| client\_token | |
+| cluster\_name | Cluster name |
+| credentials\_path | |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint | |
+| location | |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network | |
+| project\_id | |
+| region | |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnetwork | |
+| zones | List of zones in which the cluster resides |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
new file mode 100644
index 0000000000..756a25a078
--- /dev/null
+++ b/examples/safer_cluster/main.tf
@@ -0,0 +1,51 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cluster_type = "safer-cluster"
+}
+
+provider "google-beta" {
+ version = "~> 2.12.0"
+ credentials = file(var.credentials_path)
+ region = var.region
+}
+
+data "google_compute_subnetwork" "subnetwork" {
+ name = var.subnetwork
+ project = var.project_id
+ region = var.region
+}
+
+module "gke" {
+ source = "../../modules/safer-cluster/"
+ project_id = var.project_id
+ name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+ regional = true
+ region = var.region
+ network = var.network
+ subnetwork = var.subnetwork
+ ip_range_pods = var.ip_range_pods
+ ip_range_services = var.ip_range_services
+ master_ipv4_cidr_block = "172.16.0.0/28"
+
+ istio = var.istio
+ cloudrun = var.cloudrun
+}
+
+data "google_client_config" "default" {
+}
+
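Review bot: The README lists `compute_engine_service_account` as a required input and `test/fixtures/safer_cluster/example.tf` passes it, but `examples/safer_cluster/variables.tf` never declares it and this `module "gke"` block does not forward it, so the fixture fails validation with an unsupported argument and the module's "use the caller's service account" path is unreachable from the example. Declare it in variables.tf (`variable "compute_engine_service_account" { description = "Service account to associate to the nodes in the cluster" }`) and forward it here under whatever name `modules/safer-cluster/variables.tf` actually declares (currently `service_account`), e.g. `service_account = var.compute_engine_service_account`. `istio = var.istio` is forwarded but the module hard-codes `istio = true`, so the example's `istio` input is silently ignored; either drop it from the example or let the module honour it.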
diff --git a/examples/safer_cluster/outputs.tf b/examples/safer_cluster/outputs.tf
new file mode 100644
index 0000000000..0d972dcd88
--- /dev/null
+++ b/examples/safer_cluster/outputs.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ sensitive = true
+ value = module.gke.endpoint
+}
+
+output "client_token" {
+ sensitive = true
+ value = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+ value = module.gke.ca_certificate
+}
+
+output "service_account" {
+ description = "The service account to default running nodes as if not overridden in `node_pools`."
+ value = module.gke.service_account
+}
+
diff --git a/examples/safer_cluster/test_outputs.tf b/examples/safer_cluster/test_outputs.tf
new file mode 120000
index 0000000000..17b34213ba
--- /dev/null
+++ b/examples/safer_cluster/test_outputs.tf
@@ -0,0 +1 @@
+../../test/fixtures/all_examples/test_outputs.tf
\ No newline at end of file
diff --git a/examples/safer_cluster/variables.tf b/examples/safer_cluster/variables.tf
new file mode 100644
index 0000000000..2763ef79c1
--- /dev/null
+++ b/examples/safer_cluster/variables.tf
@@ -0,0 +1,59 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID to host the cluster in"
+}
+
+variable "credentials_path" {
+ description = "The path to the GCP credentials JSON file"
+}
+
+variable "cluster_name_suffix" {
+ description = "A suffix to append to the default cluster name"
+ default = ""
+}
+
+variable "region" {
+ description = "The region to host the cluster in"
+}
+
+variable "network" {
+ description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+ description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+ description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+ description = "The secondary ip range to use for pods"
+}
+
+variable "istio" {
+ description = "Boolean to enable / disable Istio"
+ default = true
+}
+
+variable "cloudrun" {
+ description = "Boolean to enable / disable CloudRun"
+ default = true
+}
+
diff --git a/examples/safer_cluster/versions.tf b/examples/safer_cluster/versions.tf
new file mode 100644
index 0000000000..832ec1df39
--- /dev/null
+++ b/examples/safer_cluster/versions.tf
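Review bot: `ip_range_services` describes itself as "The secondary ip range to use for pods", a copy of the `ip_range_pods` text that also surfaces in the generated README; change it to `description = "The secondary ip range to use for services"`. `istio` and `cloudrun` default to `true` without a `type`, so the README documents them as `string` with default `"true"`; add `type = bool` to both so callers cannot pass arbitrary strings and the docs match the module's boolean inputs. None of the required inputs (`project_id`, `credentials_path`, `region`, `network`, `subnetwork`, the two ranges) carries a `type = string` either, unlike the module's own variables.tf; adding them makes validation errors surface at plan time rather than inside the provider.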
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
new file mode 100644
index 0000000000..006fb071f8
--- /dev/null
+++ b/modules/safer-cluster/README.md
@@ -0,0 +1,14 @@
+# Safer Beta Cluster
+
+The module defines a safer configuration for a GKE cluster. It is based on the beta private cluster configuration, and forces certain security-relevant configurations to values that provice specific security
+properties.
+
+[^]: (autogen_docs_start)
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
new file mode 100644
index 0000000000..a59f1382bd
--- /dev/null
+++ b/modules/safer-cluster/main.tf
@@ -0,0 +1,170 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// The safer-cluster module is based on a private cluster, with a several
+// settings set to recommended values by default.
+module "gke" {
+ source = "../beta-private-cluster/"
+ project_id = var.project_id
+ name = var.name
+ regional = var.regional
+ region = var.region
+ network = var.network
+ network_project_id = var.network_project_id
+
+ // We need to enforce a minimum Kubernetes Version to ensure
+ // that the necessary security features are enabled.
+ kubernetes_version = "latest"
+
+ // Nodes are created with a default version. The nodepool enables
+ // auto_upgrade so that the node versions can be kept up to date with
+ // the master upgrades.
+ //
+ // https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
+ node_version = ""
+
+
+ master_authorized_networks_config = var.master_authorized_networks_config
+
+ subnetwork = var.subnetwork
+ ip_range_pods = var.ip_range_pods
+ ip_range_services = var.ip_range_services
+
+ horizontal_pod_autoscaling = var.horizontal_pod_autoscaling
+ http_load_balancing = var.http_load_balancing
+
+ // Disable the dashboard. It creates risk by running as a very sensitive user.
+ kubernetes_dashboard = false
+
+ // We suggest the use coarse network policies to enforce restrictions in the
+ // communication between pods.
+ //
+ // NOTE: Enabling network policy is not sufficient to enforce restrictions.
+ // NetworkPolicies need to be configured in every namespace. The network
+ // policies should be under the control of a cental cluster management team,
+ // rather than individual teams.
+ network_policy = true
+ network_policy_provider = "CALICO"
+
+ maintenance_start_time = var.maintenance_start_time
+
+ initial_node_count = var.initial_node_count
+
+ // We suggest removing the default node pull, as it cannot be modified without
+ // destroying the cluster.
+ remove_default_node_pool = true
+
+ disable_legacy_metadata_endpoints = true
+
+ node_pools = var.node_pools
+ node_pools_labels = var.node_pools_labels
+
+ // TODO(mmontan): check whether we need to restrict these
+ // settings.
+ node_pools_metadata = var.node_pools_metadata
+ node_pools_taints = var.node_pools_taints
+ node_pools_tags = var.node_pools_tags
+
+ // TODO(mmontan): we generally considered applying
+ // just the cloud-platofrm scope and use Cloud IAM
+ // If we have Workload Identity, are there advantages
+ // in restricting scopes even more?
+ node_pools_oauth_scopes = {
+ all = ["https://www.googleapis.com/auth/cloud-platform"]
+ }
+
+
+ stub_domains = var.stub_domains
+ upstream_nameservers = var.upstream_nameservers
+
+ // We should use IP Alias.
+ configure_ip_masq = false
+
+ logging_service = var.logging_service
+ monitoring_service = var.monitoring_service
+
+ // We never use the default service account for the cluster. The default
+ // project/editor permissions can create problems if nodes were to be ever
+ // compromised.
+
+ // We either:
+ // - Create a dedicated service account with minimal permissions to run nodes.
+ // All applications shuold run with an identity defined via Workload Identity anyway.
+ // - Use a service account passed as a parameter to the module, in case the user
+ // wants to maintain control of their service accounts.
+ create_service_account = cond(length(var.compute_engine_service_account) > 0, false, true)
+ service_account = var.compute_engine_service_account
+
+ grant_registry_access = true
+ registry_project = var.registry_project
+
+ // Basic Auth disabled
+ basic_auth_username = ""
+ basic_auth_password = ""
+
+ issue_client_certificate = false
+
+ cluster_ipv4_cidr = var.cluster_ipv4_cidr
+
+ cluster_resource_labels = var.cluster_resource_labels
+
+ // We enable private endpoints to limit exposure.
+ enable_private_endpoint = true
+ deploy_using_private_endpoint = true
+
+ // Private nodes better control public exposure, and reduce
+ // the ability of nodes to reach to the Internet without
+ // additional configurations.
+ enable_private_nodes = true
+
+ master_ipv4_cidr_block = var.master_ipv4_cidr_block
+
+ // Istio is recommended for pod-to-pod communications.
+ istio = true
+
+ default_max_pods_per_node = var.default_max_pods_per_node
+
+ database_encryption = var.database_encryption
+
+ cloudrun = var.cloudrun
+
+ // We suggest to define policies about which images can run on a cluster.
+ enable_binary_authorization = true
+
+ // Define PodSecurityPolicies for differnet applications.
+ // TODO(mmontan): link to a couple of policies.
+ pod_security_policy_config = true
+
+ resource_usage_export_dataset_id = var.resource_usage_export_dataset_id
+ node_metadata = "SECURE"
+
+ // Sandbox is needed if the cluster is going to run any untrusted workload (e.g., user submitted code).
+ // Sandbox can also provide increased protection in other cases, at some performance cost.
+ sandbox_enabled = var.sandbox_enabled
+
+ // TODO(mmontan): investigate whether this should be a recommended setting
+ enable_intranode_visibility = var.enable_intranode_visibility
+
+ enable_vertical_pod_autoscaling = var.enable_vertical_pod_autoscaling
+
+ // We enable identity namespace by default.
+ identity_namespace = "${var.project_id}.svc.id.goog"
+
+
+ authenticator_security_group = var.authenticator_security_group
+
+}
+
diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf
new file mode 100644
index 0000000000..ad152e186c
--- /dev/null
+++ b/modules/safer-cluster/outputs.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ sensitive = true
+ value = module.gke.endpoint
+}
+
+output "client_token" {
+ sensitive = true
+ value = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+ value = module.gke.ca_certificate
+}
+
+output "service_account" {
+ description = "The service account to default running nodes as if not overridden in `node_pools`."
+ value = module.gke.service_account
+}
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
new file mode 100644
index 0000000000..356ad14b0c
--- /dev/null
+++ b/modules/safer-cluster/variables.tf
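Review bot: `create_service_account = cond(length(var.compute_engine_service_account) > 0, false, true)` does not validate: Terraform has no `cond` function (the conditional form is `condition ? a : b`), and neither `var.compute_engine_service_account` nor `var.registry_project` is declared in `modules/safer-cluster/variables.tf`, which declares `service_account` instead. Replace the two service-account lines with `create_service_account = length(var.service_account) == 0` and `service_account = var.service_account`, and either declare `registry_project` or drop that argument until the TODO in variables.tf is resolved. Because `enable_private_endpoint = true` is forced while `master_authorized_networks_config` defaults to `[]`, it is worth confirming that the underlying beta-private-cluster module still emits the master-authorized-networks block for an empty list; if it does not, the GKE API is likely to reject a private-endpoint-only cluster, and `deploy_using_private_endpoint = true` additionally requires whoever runs `terraform apply` (including the kitchen fixture) to reach the master from inside the VPC. The comment block above the service-account lines also reads as two separate paragraphs because of the blank line between "compromised." and "We either:"; joining them keeps the rationale attached to the setting it explains.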
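Review bot: `client_token` reads `data.google_client_config.default.access_token`, but nothing in `modules/safer-cluster` declares a `data "google_client_config" "default"` block (the new main.tf contains only `module "gke"`), so the module fails with a reference to an undeclared resource. Either add `data "google_client_config" "default" {}` to the module's main.tf or remove the output and let the example, which already declares that data source, expose the token. This output also writes the deploying principal's OAuth access token, base64-encoded, into the Terraform state; `sensitive = true` only suppresses it in CLI output, so any state backend used with this module must be treated as holding a credential.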
@@ -0,0 +1,290 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This file was automatically generated from a template in ./autogen
+
+variable "project_id" {
+ type = string
+ description = "The project ID to host the cluster in (required)"
+}
+
+variable "name" {
+ type = string
+ description = "The name of the cluster (required)"
+}
+
+variable "description" {
+ type = string
+ description = "The description of the cluster"
+ default = ""
+}
+
+variable "regional" {
+ type = bool
+ description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
+ default = true
+}
+
+variable "region" {
+ type = string
+ description = "The region to host the cluster in (required)"
+}
+
+variable "zones" {
+ type = list(string)
+ description = "The zones to host the cluster in (optional if regional cluster / required if zonal)"
+ default = []
+}
+
+variable "network" {
+ type = string
+ description = "The VPC network to host the cluster in (required)"
+}
+
+variable "network_project_id" {
+ type = string
+ description = "The project ID of the shared VPC's host (for shared vpc support)"
+ default = ""
+}
+
+variable "subnetwork" {
+ type = string
+ description = "The subnetwork to host the cluster in (required)"
+}
+
+variable "kubernetes_version" {
+ type = string
+ description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
+ default = "latest"
+}
+
+variable "node_version" {
+ type = string
+ description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
+ default = ""
+}
+
+variable "master_authorized_networks_config" {
+ type = list(object({ cidr_blocks = list(object({ cidr_block = string, display_name = string })) }))
+ description = "Additional CIDR of private networks that can access the master. The object format is {cidr_blocks = list(object({cidr_block = string, display_name = string}))}. By default, the private master endpoint is accessible by the nodes in the cluster's VPC and by Google's internal production jobs managing the cluster."
+ default = []
+}
+
+variable "horizontal_pod_autoscaling" {
+ type = bool
+ description = "Enable horizontal pod autoscaling addon"
+ default = true
+}
+
+variable "http_load_balancing" {
+ type = bool
+ description = "Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed."
+ default = true
+}
+
+variable "maintenance_start_time" {
+ type = string
+ description = "Time window specified for daily maintenance operations in RFC3339 format"
+ default = "05:00"
+}
+
+variable "ip_range_pods" {
+ type = string
+ description = "The _name_ of the secondary subnet ip range to use for pods"
+}
+
+variable "ip_range_services" {
+ type = string
+ description = "The _name_ of the secondary subnet range to use for services"
+}
+
+variable "initial_node_count" {
+ type = number
+ description = "The number of nodes to create in this cluster's default node pool."
+ default = 0
+}
+
+variable "node_pools" {
+ type = list(map(string))
+ description = "List of maps containing node pools"
+
+ default = [
+ {
+ name = "default-node-pool"
+ },
+ ]
+}
+
+variable "node_pools_labels" {
+ type = map(map(string))
+ description = "Map of maps containing node labels by node-pool name"
+
+ default = {
+ all = {}
+ default-node-pool = {}
+ }
+}
+
+variable "node_pools_metadata" {
+ type = map(map(string))
+ description = "Map of maps containing node metadata by node-pool name"
+
+ default = {
+ all = {}
+ default-node-pool = {}
+ }
+}
+
+variable "node_pools_taints" {
+ type = map(list(object({ key = string, value = string, effect = string })))
+ description = "Map of lists containing node taints by node-pool name"
+
+ default = {
+ all = []
+ default-node-pool = []
+ }
+}
+
+variable "node_pools_tags" {
+ type = map(list(string))
+ description = "Map of lists containing node network tags by node-pool name"
+
+ default = {
+ all = []
+ default-node-pool = []
+ }
+}
+
+variable "node_pools_oauth_scopes" {
+ type = map(list(string))
+ description = "Map of lists containing node oauth scopes by node-pool name"
+
+ default = {
+ all = ["https://www.googleapis.com/auth/cloud-platform"]
+ default-node-pool = []
+ }
+}
+
+variable "stub_domains" {
+ type = map(list(string))
+ description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
+ default = {}
+}
+
+variable "upstream_nameservers" {
+ type = "list"
+ description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf"
+ default = []
+}
+
+variable "logging_service" {
+ type = string
+ description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
+ default = "logging.googleapis.com"
+}
+
+variable "monitoring_service" {
+ type = string
+ description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
+ default = "monitoring.googleapis.com"
+}
+
+variable "grant_registry_access" {
+ type = bool
+ description = "Grants created cluster-specific service account storage.objectViewer role."
+ default = false
+}
+
+// TODO(mmontan): allow specifying which project to use
+// for reading images.
+
+variable "service_account" {
+ type = string
+ description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."
+ default = ""
+}
+
+variable "cluster_ipv4_cidr" {
+ default = ""
+ description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR."
+}
+
+variable "cluster_resource_labels" {
+ type = map(string)
+ description = "The GCE resource labels (a map of key/value pairs) to be applied to the cluster"
+ default = {}
+}
+
+variable "master_ipv4_cidr_block" {
+ type = string
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ default = "10.0.0.0/28"
+}
+
+variable "istio" {
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "default_max_pods_per_node" {
+ description = "The maximum number of pods to schedule per node"
+ default = 110
+}
+
+variable "database_encryption" {
+ description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+ type = list(object({ state = string, key_name = string }))
+ default = [{
+ state = "DECRYPTED"
+ key_name = ""
+ }]
+}
+
+variable "cloudrun" {
+ description = "(Beta) Enable CloudRun addon"
+ default = false
+}
+
+variable "resource_usage_export_dataset_id" {
+ type = string
+ description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
+ default = ""
+}
+
+variable "sandbox_enabled" {
+ type = bool
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ default = false
+}
+
+variable "enable_intranode_visibility" {
+ type = bool
+ description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+ default = false
+}
+
+variable "enable_vertical_pod_autoscaling" {
+ type = bool
+ description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
+ default = false
+}
+
+variable "authenticator_security_group" {
+ type = string
+ description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+ default = null
+}
+
diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf
new file mode 100644
index 0000000000..832ec1df39
--- /dev/null
+++ b/modules/safer-cluster/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/test/fixtures/safer-cluster/example.tf b/test/fixtures/safer-cluster/example.tf
new file mode 100644
index 0000000000..a82fe4f401
--- /dev/null
+++ b/test/fixtures/safer-cluster/example.tf
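Review bot: Several inputs declared here are never read by main.tf because the corresponding module argument is hard-coded: `kubernetes_version`, `istio`, `grant_registry_access`, `node_pools_oauth_scopes`, `description` and `zones`; a caller setting any of them gets no error and no effect. Either remove those declarations or state in each description that the safer-cluster module fixes the value. `upstream_nameservers` uses the quoted legacy type `type = "list"`, deprecated since Terraform 0.12 (which versions.tf requires); use `type = list(string)` like the neighbouring variables. `database_encryption` defaults to `state = "DECRYPTED"` in a module whose stated purpose is to force security-relevant settings; if an encrypted default is not possible without a caller-supplied KMS key, say so in the description so the opt-in is visible. `sandbox_enabled`'s description tells users to set `image_type`, which this module does not expose.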
@@ -0,0 +1,28 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+ source = "../../../examples/safer-cluster"
+
+ project_id = var.project_id
+ cluster_name_suffix = "-${random_string.suffix.result}"
+ region = var.region
+ network = google_compute_network.main.name
+ subnetwork = google_compute_subnetwork.main.name
+ ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+ ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+}
+
diff --git a/test/fixtures/safer-cluster/network.tf b/test/fixtures/safer-cluster/network.tf
new file mode 100644
index 0000000000..f34f629069
--- /dev/null
+++ b/test/fixtures/safer-cluster/network.tf
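Review bot: `source = "../../../examples/safer-cluster"` points at a directory this commit does not create; the example lives at `examples/safer_cluster` (underscore), and `.kitchen.yml` registers `test/fixtures/safer_cluster`, not this `safer-cluster` directory. The whole `test/fixtures/safer-cluster/` tree (this file, its network.tf and the three symlinks) looks like an earlier copy of the `safer_cluster` fixture that differs only in the provider block and the missing `compute_engine_service_account` argument. Delete it rather than leaving a second, unreferenced fixture to drift from the one kitchen actually runs.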
@@ -0,0 +1,46 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+ length = 4
+ special = false
+ upper = false
+}
+
+resource "google_compute_network" "main" {
+ project = var.project_id
+ name = "cft-gke-test-${random_string.suffix.result}"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "main" {
+ project = var.project_id
+ name = "cft-gke-test-${random_string.suffix.result}"
+ ip_cidr_range = "10.0.0.0/17"
+ region = var.region
+ network = google_compute_network.main.self_link
+
+ secondary_ip_range {
+ range_name = "cft-gke-test-pods-${random_string.suffix.result}"
+ ip_cidr_range = "192.168.0.0/18"
+ }
+
+ secondary_ip_range {
+ range_name = "cft-gke-test-services-${random_string.suffix.result}"
+ ip_cidr_range = "192.168.64.0/18"
+ }
+}
+
diff --git a/test/fixtures/safer-cluster/outputs.tf b/test/fixtures/safer-cluster/outputs.tf
new file mode 120000
index 0000000000..726bdc722f
--- /dev/null
+++ b/test/fixtures/safer-cluster/outputs.tf
@@ -0,0 +1 @@
+../shared/outputs.tf
\ No newline at end of file
diff --git a/test/fixtures/safer-cluster/terraform.tfvars b/test/fixtures/safer-cluster/terraform.tfvars
new file mode 120000
index 0000000000..08ac6f4724
--- /dev/null
+++ b/test/fixtures/safer-cluster/terraform.tfvars
@@ -0,0 +1 @@
+../shared/terraform.tfvars
\ No newline at end of file
diff --git a/test/fixtures/safer-cluster/variables.tf b/test/fixtures/safer-cluster/variables.tf
new file mode 120000
index 0000000000..c113c00a3d
--- /dev/null
+++ b/test/fixtures/safer-cluster/variables.tf
@@ -0,0 +1 @@
+../shared/variables.tf
\ No newline at end of file
diff --git a/test/fixtures/safer_cluster/example.tf b/test/fixtures/safer_cluster/example.tf
new file mode 100644
index 0000000000..c9d659ba67
--- /dev/null
+++ b/test/fixtures/safer_cluster/example.tf
@@ -0,0 +1,28 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+ source = "../../../examples/safer_cluster"
+
+ project_id = var.project_id
+ cluster_name_suffix = "-${random_string.suffix.result}"
+ region = var.region
+ network = google_compute_network.main.name
+ subnetwork = google_compute_subnetwork.main.name
+ ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+ ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+ compute_engine_service_account = var.compute_engine_service_account
+}
diff --git a/test/fixtures/safer_cluster/network.tf b/test/fixtures/safer_cluster/network.tf
new file mode 100644
index 0000000000..e1292eae3b
--- /dev/null
+++ b/test/fixtures/safer_cluster/network.tf
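Review bot: The fixture does not pass `credentials_path`, which `examples/safer_cluster/variables.tf` declares without a default and the example's main.tf consumes via `file(var.credentials_path)`, so a plan of this fixture stops with a missing required variable. The fixture's own provider (network.tf) configures `google` with only a project and relies on ambient credentials, while the example configures `google-beta` with an explicit key file, so the two halves of one test run authenticate from different sources. Either pass the path through from the shared variables, or make the example read credentials the same way the fixture does (drop `credentials` from its provider and rely on application-default credentials or `GOOGLE_CREDENTIALS`) and give `credentials_path` a default so it becomes optional.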
@@ -0,0 +1,48 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+ length = 4
+ special = false
+ upper = false
+}
+
+provider "google" {
+ project = var.project_id
+}
+
+resource "google_compute_network" "main" {
+ name = "cft-gke-test-${random_string.suffix.result}"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "main" {
+ name = "cft-gke-test-${random_string.suffix.result}"
+ ip_cidr_range = "10.0.0.0/17"
+ region = var.region
+ network = google_compute_network.main.self_link
+
+ secondary_ip_range {
+ range_name = "cft-gke-test-pods-${random_string.suffix.result}"
+ ip_cidr_range = "192.168.0.0/18"
+ }
+
+ secondary_ip_range {
+ range_name = "cft-gke-test-services-${random_string.suffix.result}"
+ ip_cidr_range = "192.168.64.0/18"
+ }
+}
+
diff --git a/test/fixtures/safer_cluster/outputs.tf b/test/fixtures/safer_cluster/outputs.tf
new file mode 120000
index 0000000000..726bdc722f
--- /dev/null
+++ b/test/fixtures/safer_cluster/outputs.tf
@@ -0,0 +1 @@
+../shared/outputs.tf
\ No newline at end of file
diff --git a/test/fixtures/safer_cluster/terraform.tfvars b/test/fixtures/safer_cluster/terraform.tfvars
new file mode 120000
index 0000000000..08ac6f4724
--- /dev/null
+++ b/test/fixtures/safer_cluster/terraform.tfvars
@@ -0,0 +1 @@
+../shared/terraform.tfvars
\ No newline at end of file
diff --git a/test/fixtures/safer_cluster/variables.tf b/test/fixtures/safer_cluster/variables.tf
new file mode 120000
index 0000000000..c113c00a3d
--- /dev/null
+++ b/test/fixtures/safer_cluster/variables.tf
@@ -0,0 +1 @@
+../shared/variables.tf
\ No newline at end of file
diff --git a/test/fixtures/shared/terraform.tfvars b/test/fixtures/shared/terraform.tfvars
index e69de29bb2..cf4c055143 100644
--- a/test/fixtures/shared/terraform.tfvars
+++ b/test/fixtures/shared/terraform.tfvars
@@ -0,0 +1,5 @@
+project_id = "mm-kitchen-test-1"
+region = "us-east4"
+zones = ["us-east4-a", "us-east4-b", "us-east4-c"]
+compute_engine_service_account = "1039498062444-compute@developer.gserviceaccount.com"
+
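Review bot: This shared tfvars file, previously empty, now pins every fixture under `test/fixtures` to the project `mm-kitchen-test-1` and to `1039498062444-compute@developer.gserviceaccount.com`, which by its name is that project's Compute Engine default service account — the identity the safer-cluster module's own comments say should never run nodes because of its default project-level permissions. Committing environment-specific values also breaks kitchen runs for anyone who does not own that project. Keep the file empty (or populated only with clearly marked placeholders) and supply `project_id`, `region`, `zones` and `compute_engine_service_account` from the environment, e.g. `TF_VAR_project_id`, so that the fixture exercises a purpose-built, least-privilege node service account rather than the default one.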