README
This terraform script deploys the following resources (the script deploys resources in the 'europe-west2' a.k.a. London DC region):
- Custom VPC with 2 subnets (1 subnet for the Bastion Host and other administrative machines, the other subnet for hosting the k8s nodes).
- Firewall rule to allow IAP (Identity Aware Proxy) for securely logging in to the Bastion Host VM.
- Bastion Host for communicating with the Kube API server.
- Security-hardened private GKE cluster with minimal permissions and privileges. This cluster will only be accessible via the Bastion Host, which is whitelisted to use it.
Notes:
- This script does not include the creation of service accounts or roles.
- This script does not include the creation of Key Rings and Encryption Keys.
- This script does not include the creation and configuration of a NAT Gateway; it is recommended to set up Cloud NAT and configure it for the VPC where your cluster is hosted, otherwise the private K8s nodes will not be able to access the internet.
- Any access from pods/jobs to Google Cloud services that is not covered by the K8s nodes' service account permissions needs to be granted granular permissions via Workload Identity.
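The following is an added example, not the module code of this repository, showing the shape of the hardened cluster the list above describes: an IAP-only SSH rule for the bastion, a private cluster whose control plane is reachable only from the bastion subnet, etcd encryption with a customer-managed key, shielded nodes running as the minimal node service account, and a Workload Identity binding for one pod identity. It assumes the README's variables `project_id`, `region`, `master_cidr`, `bastion_subnet_name`, `encryption_key_name` and `service_account_name` (taken here to be the node service account e-mail); the VPC and subnet names, the admin-subnet CIDR, the Google service account `app-workload` and the Kubernetes namespace/service account `app/app-sa` are constructed placeholders.

```hcl
# Added example; constructed names are marked as placeholders.

# IAP TCP forwarding reaches the bastion from Google's published IAP range,
# so the VM needs no public IP and port 22 is never open to the internet.
resource "google_compute_firewall" "allow_iap_ssh" {
  name          = "allow-iap-ssh-bastion"
  network       = "gke-vpc"               # placeholder VPC name
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]     # IAP source range
  target_tags   = ["bastion"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

resource "google_container_cluster" "private" {
  name       = "gke-cluster"
  location   = var.region
  network    = "gke-vpc"                  # placeholder
  subnetwork = "gke-subnet"               # placeholder node subnet

  remove_default_node_pool = true
  initial_node_count       = 1

  # Private nodes and a private control-plane endpoint: the API server
  # has no public address at all.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = var.master_cidr
  }

  # Only the bastion/admin subnet may talk to the API server.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.1.0/24"        # placeholder admin-subnet CIDR
      display_name = var.bastion_subnet_name
    }
  }

  ip_allocation_policy {}                 # VPC-native (alias IP) cluster

  # Kubernetes secrets in etcd encrypted with a CMEK; key_name must be the
  # full resource ID, as the edit notes below point out.
  database_encryption {
    state    = "ENCRYPTED"
    key_name = var.encryption_key_name
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  network_policy {
    enabled = true
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  cluster    = google_container_cluster.private.name
  location   = var.region
  node_count = 1

  node_config {
    machine_type    = "e2-standard-2"
    service_account = var.service_account_name
    # One broad OAuth scope; the IAM roles on the node SA are the real limit.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config {
      mode = "GKE_METADATA"               # required for Workload Identity
    }
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}

# Workload Identity: the KSA app/app-sa impersonates a dedicated Google SA
# instead of inheriting the node service account's permissions.
resource "google_service_account_iam_member" "wi_binding" {
  service_account_id = "projects/${var.project_id}/serviceAccounts/app-workload@${var.project_id}.iam.gserviceaccount.com" # placeholder GSA
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[app/app-sa]"
}
```

With `enable_private_endpoint = true` even the authorized-network entry is only reachable from inside the VPC, which is why the bastion (and, as the notes say, a Cloud NAT for node egress) is needed.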
Pre-requisites:
- service account for terraform with the following roles:
  - Editor
- service account for bastion host with the following roles:
  - Monitoring Viewer
  - Monitoring Metric Writer
  - Logs Writer
  - Storage Object Viewer
  - Kubernetes Engine Developer
- service account for k8s nodes with the following roles:
  - Monitoring Viewer
  - Monitoring Metric Writer
  - Logs Writer
  - Storage Object Viewer
- encryption key in cloud KMS for encrypting ETCD
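An added example (not part of this module) of how the prerequisites above could themselves be created in Terraform: the bastion and node service accounts with exactly the roles listed, and a KMS key ring and key for etcd. It also grants the GKE service agent use of the key, which cluster creation needs and which the list does not mention. It assumes the module variables `project_id` and `region`; the account IDs and key names are constructed placeholders, and the terraform service account (Editor) is left out since it must exist before this can run.

```hcl
# Added example; resource names are constructed placeholders.

data "google_project" "this" {
  project_id = var.project_id
}

locals {
  # Roles from the README's prerequisites, as IAM role IDs.
  node_roles = [
    "roles/monitoring.viewer",        # Monitoring Viewer
    "roles/monitoring.metricWriter",  # Monitoring Metric Writer
    "roles/logging.logWriter",        # Logs Writer
    "roles/storage.objectViewer",     # Storage Object Viewer
  ]
  bastion_roles = concat(local.node_roles, ["roles/container.developer"]) # Kubernetes Engine Developer
}

resource "google_service_account" "k8s_nodes" {
  account_id   = "k8s-nodes"
  display_name = "GKE node service account"
}

resource "google_service_account" "bastion" {
  account_id   = "bastion-host"
  display_name = "Bastion host service account"
}

# One binding per role keeps each grant additive and reviewable.
resource "google_project_iam_member" "node_roles" {
  for_each = toset(local.node_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.k8s_nodes.email}"
}

resource "google_project_iam_member" "bastion_roles" {
  for_each = toset(local.bastion_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.bastion.email}"
}

resource "google_kms_key_ring" "gke" {
  name     = "gke-keyring"
  location = var.region
}

resource "google_kms_crypto_key" "etcd" {
  name            = "etcd-encryption-key"
  key_ring        = google_kms_key_ring.gke.id
  rotation_period = "7776000s"   # 90 days
  lifecycle {
    prevent_destroy = true       # losing the key makes etcd secrets unreadable
  }
}

# GKE's service agent must be able to encrypt/decrypt with the key, otherwise
# creating the cluster with database_encryption fails.
resource "google_kms_crypto_key_iam_member" "gke_agent" {
  crypto_key_id = google_kms_crypto_key.etcd.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@container-engine-robot.iam.gserviceaccount.com"
}

# The full resource ID, which is what modules/kubernetes/main.tf expects.
output "etcd_key_id" {
  value = google_kms_crypto_key.etcd.id
}
```

The `etcd_key_id` output has the `projects/.../locations/.../keyRings/.../cryptoKeys/...` form that the edit notes below ask for, rather than the bare key name.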
Edits required before terraform apply:
- root/variables.tf:
  - Line 4: Add path to credentials file
  - Line 16: Add project ID
  - Line 122: Add service account ID of k8s-nodes
  - Line 123 (optional): Change node pool machine type
  - Line 130: Add encryption key name for ETCD
- modules/kubernetes/main.tf:
  - Line 31 (optional): Change GKE master version
  - Line 57: Add key ID where the encryption key for ETCD is contained (the full resource ID must be given here, not just the key name)
  - Set maintenance window and maintenance exclusions based on your time zone (I have intentionally left this out considering that different organizations have different peak traffic hours and varying time zones)
- modules/Bastion_Host/main.tf:
  - Line 30: Add service account ID of Bastion Host VM
This terraform module produces blah
```hcl
module "iam" {
  source  = "terraform-aws-modules/iam/aws"
  version = "5.3.0"
}
```
No providers.
No requirements.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bastion_host | The Bastion host config for production | `object({` | `{` | no |
| bastion_subnet_name | Name of the subnet to deploy the bastion host on | `string` | `"admin-subnet"` | no |
| cluster_name | Cluster name for the GCP cluster | `string` | `"gke-cluster"` | no |
| cred_url | Your service account full URL | `string` | `"<path to json key credentials of service account that tf uses>"` | no |
| encryption_key_name | Name of the encryption key for ETCD | `string` | `"<encryption-key-id>"` | no |
| gke-cluster | The GKE app cluster for production | `object({` | `{` | no |
| gke-vpc | The name of the production VPC | `object({` | `{` | no |
| master_cidr | CIDR block address of GKE master | `string` | `"172.16.0.0/28"` | no |
| project_id | Your project id in GCP | `string` | `"<project-id>"` | no |
| region | The region of the project resources in GCP | `string` | `"europe-west2"` | no |
| service_account_name | The service account name | `string` | `"<ID of K8s nodes service account>"` | no |
| zone | The zone of the project resources in GCP | `string` | `"a"` | no |
No outputs.
No resources.
OS X & Linux:

```sh
npm install my-crazy-module --save
```

Windows:

```
edit autoexec.bat
```
Describe how to install all development dependencies and how to run an automated test-suite of some kind. Potentially do this for multiple platforms.
```sh
make install
npm test
```
List the roadmap steps; alternatively link the Confluence Wiki page where the project roadmap is published.
- Item 1
- Item 2
- ....
- Fork it (https://github.com/finos/cfi-terraform-template-child-module/fork)
- Create your feature branch (`git checkout -b feature/fooBar`)
- Read our contribution guidelines and Community Code of Conduct
- Commit your changes (`git commit -am 'Add some fooBar'`)
- Push to the branch (`git push origin feature/fooBar`)
- Create a new Pull Request
_NOTE:_ Commits and pull requests to FINOS repositories will only be accepted from those contributors with an active, executed Individual Contributor License Agreement (ICLA) with FINOS OR who are covered under an existing and active Corporate Contribution License Agreement (CCLA) executed with FINOS. Commits from individuals not covered under an ICLA or CCLA will be flagged and blocked by the FINOS Clabot tool (or EasyCLA). Please note that some CCLAs require individuals/employees to be explicitly named on the CCLA.
Need an ICLA? Unsure if you are covered under an existing CCLA? Email help@finos.org
Copyright 2022 FINOS
Distributed under the Apache License, Version 2.0.
SPDX-License-Identifier: Apache-2.0