add: Example for existing GKE cluster - initial commit (#3)

* add: Example for existing GKE cluster - initial commit Changes to be committed: new file: README.md new file: main.tf new file: outputs.tf new file: variables.tf new file: versions.tf * upd: README for example with current status Changes to be committed: modified: README.md * upd: README Changes to be committed: modified: README.md
anyscale · Sep 19, 2024 · 583c7cb · 583c7cb
1 parent c0e3de0
commit 583c7cb
Show file tree

Hide file tree

Showing 5 changed files with 335 additions and 0 deletions.
diff --git a/examples/gcp/gke-existing_cluster/README.md b/examples/gcp/gke-existing_cluster/README.md
@@ -0,0 +1,74 @@
+[![Build Status][badge-build]][build-status]
+[![Terraform Version][badge-terraform]](https://github.com/hashicorp/terraform/releases)
+[![Google Provider Version][badge-tf-google]](https://github.com/terraform-providers/terraform-provider-google/releases)
+
+# Anyscale GCP GKE Example - Existing Cluster
+This example creates the resources to run Anyscale on GCP GKE with an existing cluster
+**Work in progress**
+
+## Needs to Create:
+- DONE - filestore
+- DONE - IAM Service Accounts for ControlPlane
+- DONE - Firewall
+- IAM Service Accounts for Dataplane (?) (needs a cluster role for GKE)
+- DONE - storage bucket
+- namespace
+- helm charts
+- configmap
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 5.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_anyscale_cloudstorage"></a> [anyscale\_cloudstorage](#module\_anyscale\_cloudstorage) | github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-cloudstorage | n/a |
+| <a name="module_anyscale_filestore"></a> [anyscale\_filestore](#module\_anyscale\_filestore) | github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-filestore | n/a |
+| <a name="module_anyscale_firewall"></a> [anyscale\_firewall](#module\_anyscale\_firewall) | github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-vpc-firewall | n/a |
+| <a name="module_anyscale_iam"></a> [anyscale\_iam](#module\_anyscale\_iam) | github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-iam | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_anyscale_org_id"></a> [anyscale\_org\_id](#input\_anyscale\_org\_id) | (Required) Anyscale Organization ID | `string` | n/a | yes |
+| <a name="input_customer_ingress_cidr_ranges"></a> [customer\_ingress\_cidr\_ranges](#input\_customer\_ingress\_cidr\_ranges) | The IPv4 CIDR blocks that allows access Anyscale clusters.<br>These are added to the firewall and allows port 443 (https) and 22 (ssh) access.<br>ex: `52.1.1.23/32,10.1.0.0/16'<br>` | `string` | n/a | yes |
+| <a name="input_existing_subnet_cidr"></a> [existing\_subnet\_cidr](#input\_existing\_subnet\_cidr) | The CIDR range of the existing subnet | `string` | n/a | yes |
+| <a name="input_existing_vpc_id"></a> [existing\_vpc\_id](#input\_existing\_vpc\_id) | The ID of the existing VPC | `string` | n/a | yes |
+| <a name="input_existing_vpc_name"></a> [existing\_vpc\_name](#input\_existing\_vpc\_name) | The name of the existing VPC | `string` | n/a | yes |
+| <a name="input_google_project_id"></a> [google\_project\_id](#input\_google\_project\_id) | ID of the Project to put these resources in | `string` | n/a | yes |
+| <a name="input_google_region"></a> [google\_region](#input\_google\_region) | The Google region in which all resources will be created. | `string` | n/a | yes |
+| <a name="input_anyscale_cloud_id"></a> [anyscale\_cloud\_id](#input\_anyscale\_cloud\_id) | (Optional) Anyscale Cloud ID | `string` | `null` | no |
+| <a name="input_anyscale_deploy_env"></a> [anyscale\_deploy\_env](#input\_anyscale\_deploy\_env) | (Optional) Anyscale deploy environment. Used in resource names and tags.<br><br>ex:<pre>anyscale_deploy_env = "production"</pre> | `string` | `"production"` | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) A map of labels to all resources that accept labels. | `map(string)` | <pre>{<br>  "environment": "test",<br>  "test": true<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_anyscale_registration_command"></a> [anyscale\_registration\_command](#output\_anyscale\_registration\_command) | The Anyscale registration command. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+<!-- References -->
+[Terraform]: https://www.terraform.io
+[Issues]: https://github.com/anyscale/sa-terraform-google-cloudfoundation-modules/issues
+[badge-build]: https://github.com/anyscale/sa-terraform-google-cloudfoundation-modules/workflows/CI/CD%20Pipeline/badge.svg
+[badge-terraform]: https://img.shields.io/badge/terraform-1.x%20-623CE4.svg?logo=terraform
+[badge-tf-google]: https://img.shields.io/badge/GCP-5.+-F8991D.svg?logo=terraform
+[build-status]: https://github.com/anyscale/sa-terraform-google-cloudfoundation-modules/actions
diff --git a/examples/gcp/gke-existing_cluster/main.tf b/examples/gcp/gke-existing_cluster/main.tf
@@ -0,0 +1,83 @@
+# ---------------------------------------------------------------------------------------------------------------------# Example Anyscale K8s Resources - Public Networking
+#   This template cretes resources for Anyscale with existing GKE Cluster
+#   It creates:
+#     - Storage Bucket
+#     - Filestore
+#     - IAM Service Accounts
+#     - Firewall Policy
+#     - Helm Charts
+#   It expects the following to be already created:
+#     - GCP Project
+#     - GKE Cluster
+#     - GKE Node Pool
+#     - VPC
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+  full_labels = merge(tomap({
+    anyscale-cloud-id           = var.anyscale_cloud_id,
+    anyscale-deploy-environment = var.anyscale_deploy_env
+    }),
+    var.labels
+  )
+}
+
+module "anyscale_cloudstorage" {
+  #checkov:skip=CKV_TF_1: Example code should use the latest version of the module
+  #checkov:skip=CKV_TF_2: Example code should use the latest version of the module
+  source         = "github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-cloudstorage"
+  module_enabled = true
+
+  anyscale_project_id = var.google_project_id
+  labels              = local.full_labels
+}
+
+module "anyscale_iam" {
+  #checkov:skip=CKV_TF_1: Example code should use the latest version of the module
+  #checkov:skip=CKV_TF_2: Example code should use the latest version of the module
+  source         = "github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-iam"
+  module_enabled = true
+
+  anyscale_org_id                           = var.anyscale_org_id
+  create_anyscale_access_role               = true
+  create_anyscale_cluster_node_service_acct = false
+
+  anyscale_project_id = var.google_project_id
+}
+
+module "anyscale_filestore" {
+  #checkov:skip=CKV_TF_1: Example code should use the latest version of the module
+  #checkov:skip=CKV_TF_2: Example code should use the latest version of the module
+  source         = "github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-filestore"
+  module_enabled = true
+
+  filestore_vpc_name = var.existing_vpc_name
+  filestore_tier     = "STANDARD"
+  filestore_location = "us-central1-b"
+
+  anyscale_project_id = var.google_project_id
+  labels              = local.full_labels
+}
+
+module "anyscale_firewall" {
+  #checkov:skip=CKV_TF_1: Example code should use the latest version of the module
+  #checkov:skip=CKV_TF_2: Example code should use the latest version of the module
+  source         = "github.com/anyscale/terraform-google-anyscale-cloudfoundation-modules//modules/google-anyscale-vpc-firewall"
+  module_enabled = true
+
+  vpc_name = var.existing_vpc_name
+  vpc_id   = var.existing_vpc_id
+
+  ingress_with_self_cidr_range = [var.existing_subnet_cidr]
+  ingress_from_cidr_map = [
+    {
+      rule        = "https-443-tcp"
+      cidr_blocks = var.customer_ingress_cidr_ranges
+    },
+    {
+      rule        = "ssh-tcp"
+      cidr_blocks = var.customer_ingress_cidr_ranges
+    }
+  ]
+
+  anyscale_project_id = var.google_project_id
+}
diff --git a/examples/gcp/gke-existing_cluster/outputs.tf b/examples/gcp/gke-existing_cluster/outputs.tf
@@ -0,0 +1,20 @@
+output "anyscale_registration_command" {
+  description = "The Anyscale registration command."
+  value       = <<-EOT
+    anyscale cloud register --provider gcp \
+    --name <anyscale_cloud_name> \
+    --compute-stack k8s \
+    --project-id ${var.google_project_id} \
+    --vpc-name ${var.existing_vpc_name} \
+    --region ${var.google_region} \
+    --cloud-storage-bucket-name ${module.anyscale_cloudstorage.cloudstorage_bucket_name} \
+    --filestore-instance-id ${module.anyscale_filestore.anyscale_filestore_name} \
+    --filestore-location ${module.anyscale_filestore.anyscale_filestore_location} \
+    --anyscale-service-account-email ${module.anyscale_iam.iam_anyscale_access_service_acct_email} \
+    --provider-name ${module.anyscale_iam.iam_workload_identity_provider_name} \
+    --kubernetes-namespaces <kubernetes-namespaces>
+    --kubernetes-ingress-external-address <kubernetes-ingress-external-address-or-ip> \
+    --kubernetes-zones <comma-separated-zones> \
+    --kubernetes-dataplane-identity <data-plane-service-account-email>
+  EOT
+}
diff --git a/examples/gcp/gke-existing_cluster/variables.tf b/examples/gcp/gke-existing_cluster/variables.tf
@@ -0,0 +1,108 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# ENVIRONMENT VARIABLES
+# Define these secrets as environment variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+
+# ---------------------------------------------------------------------------------------------------------------------
+# REQUIRED VARIABLES
+# These variables must be set when using this module.
+# ---------------------------------------------------------------------------------------------------------------------
+variable "google_region" {
+  description = "The Google region in which all resources will be created."
+  type        = string
+}
+
+variable "google_project_id" {
+  description = "ID of the Project to put these resources in"
+  type        = string
+}
+
+variable "anyscale_org_id" {
+  description = "(Required) Anyscale Organization ID"
+  type        = string
+  validation {
+    condition = (
+      length(var.anyscale_org_id) > 4 &&
+      substr(var.anyscale_org_id, 0, 4) == "org_"
+    )
+    error_message = "The anyscale_org_id value must start with \"org_\"."
+  }
+}
+
+
+variable "customer_ingress_cidr_ranges" {
+  description = <<-EOT
+    The IPv4 CIDR blocks that allows access Anyscale clusters.
+    These are added to the firewall and allows port 443 (https) and 22 (ssh) access.
+    ex: `52.1.1.23/32,10.1.0.0/16'
+  EOT
+  type        = string
+}
+
+# -----------------
+# Networking
+# -----------------
+variable "existing_vpc_name" {
+  description = "The name of the existing VPC"
+  type        = string
+}
+
+variable "existing_vpc_id" {
+  description = "The ID of the existing VPC"
+  type        = string
+}
+
+variable "existing_subnet_cidr" {
+  description = "The CIDR range of the existing subnet"
+  type        = string
+}
+
+
+# ------------------------------------------------------------------------------
+# OPTIONAL PARAMETERS
+# These variables have defaults, but may be overridden.
+# ------------------------------------------------------------------------------
+variable "anyscale_deploy_env" {
+  description = <<-EOT
+  (Optional) Anyscale deploy environment. Used in resource names and tags.
+
+  ex:
+  ```
+  anyscale_deploy_env = "production"
+  ```
+  EOT
+
+  type    = string
+  default = "production"
+  validation {
+    condition = (
+      var.anyscale_deploy_env == "production" || var.anyscale_deploy_env == "development" || var.anyscale_deploy_env == "test"
+    )
+    error_message = "The anyscale_deploy_env only allows `production`, `test`, or `development`"
+  }
+}
+
+variable "anyscale_cloud_id" {
+  description = "(Optional) Anyscale Cloud ID"
+  type        = string
+  default     = null
+  validation {
+    condition = (
+      var.anyscale_cloud_id == null ? true : (
+        length(var.anyscale_cloud_id) > 4 &&
+        substr(var.anyscale_cloud_id, 0, 4) == "cld_"
+      )
+    )
+    error_message = "The anyscale_cloud_id value must start with \"cld_\"."
+  }
+}
+
+variable "labels" {
+  description = "(Optional) A map of labels to all resources that accept labels."
+  type        = map(string)
+  default = {
+    "test" : true,
+    "environment" : "test"
+  }
+}
diff --git a/examples/gcp/gke-existing_cluster/versions.tf b/examples/gcp/gke-existing_cluster/versions.tf
@@ -0,0 +1,50 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.0"
+    }
+
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
+
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+  }
+}
+
+
+provider "helm" {
+  kubernetes {
+    host                   = module.anyscale_eks_cluster.eks_kubeconfig.endpoint
+    cluster_ca_certificate = base64decode(module.anyscale_eks_cluster.eks_kubeconfig.cluster_ca_certificate)
+
+    # https://registry.terraform.io/providers/hashicorp/helm/latest/docs#exec-plugins
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      args        = ["eks", "get-token", "--cluster-name", module.anyscale_eks_cluster.eks_cluster_name]
+      command     = "aws"
+    }
+  }
+}
+
+provider "kubernetes" {
+  host                   = module.anyscale_eks_cluster.eks_kubeconfig.endpoint
+  cluster_ca_certificate = base64decode(module.anyscale_eks_cluster.eks_kubeconfig.cluster_ca_certificate)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    args        = ["eks", "get-token", "--cluster-name", module.anyscale_eks_cluster.eks_cluster_name]
+    command     = "aws"
+  }
+}
+
+provider "google" {
+  project = var.google_project_id
+  region  = var.google_region
+}