This module creates a basic public GKE cluster located in a shared VPC.
When preparing a GCP project for a Terraform GKE deployment, ensure the following APIs/services are enabled:
- Cloud Resource Manager
- Compute Engine
- Kubernetes Engine
- Service Networking
This module requires a shared VPC, and assumes that the main project specified by `google_project` is a 'service project' that is attached to a shared VPC originating in `shared_vpc_host_google_project`.

Ensure that the secondary IP ranges for Pods and Services in the shared VPC are not used by another cluster, otherwise this module will time out/fail.
## Network and Subnet Names

Some assumptions are made regarding the name of the shared VPC network, subnet, and IP ranges for Pods and Services:

- Shared VPC network name = `<STAGE>-private-vpc` (e.g. `test-private-vpc`)
- Shared VPC subnet name = `<STAGE>-private-vpc-subnet` (e.g. `test-private-vpc-subnet`)
- Shared VPC subnet Pods IP range name = `<STAGE>-private-vpc-pods` (e.g. `test-private-vpc-pods`)
- Shared VPC subnet Services IP range name = `<STAGE>-private-vpc-services` (e.g. `test-private-vpc-services`)
The GCP Service Account used by the compute Google provider (that builds the GKE cluster) requires the `compute.networkUser` role in the shared VPC host project.
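The following root-module wiring is an added example and not part of this module: it applies the `<STAGE>-private-vpc*` naming convention above, reads the Pods/Services secondary range CIDRs from the host project's subnet instead of hard-coding them, grants the provider service account `roles/compute.networkUser` on only that subnet, and passes the inputs with the public HTTPS firewall rule off and the control plane restricted to one authorized network. Project ids, the region, the module `source` path, the `var.*` credential inputs and all CIDRs are assumed placeholder values.

```hcl
locals {
  stage        = "test"                  # assumed
  host_project = "example-host-project"  # assumed
  region       = "europe-west1"          # assumed
  # range_name => ip_cidr_range, taken from the shared subnet itself
  ranges = { for r in data.google_compute_subnetwork.shared.secondary_ip_range : r.range_name => r.ip_cidr_range }
}

# Subnet lives in the shared VPC host project; name follows the README convention
data "google_compute_subnetwork" "shared" {
  name    = "${local.stage}-private-vpc-subnet"
  region  = local.region
  project = local.host_project
}

# compute.networkUser for the provider service account, scoped to the single subnet
resource "google_compute_subnetwork_iam_member" "gke_provider" {
  project    = local.host_project
  region     = local.region
  subnetwork = data.google_compute_subnetwork.shared.name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${var.gke_provider_sa_email}" # assumed variable
}

module "gke" {
  source                             = "../gke-shared-vpc" # assumed path to this module
  stage                              = local.stage
  google_project                     = "example-service-project" # assumed
  google_region                      = local.region
  google_credentials                 = file(var.gke_provider_keyfile) # assumed variable
  shared_vpc_host_google_project     = local.host_project
  shared_vpc_host_google_credentials = file(var.host_keyfile) # assumed variable
  shared_vpc_id                      = "projects/${local.host_project}/global/networks/${local.stage}-private-vpc"
  shared_vpc_self_link               = data.google_compute_subnetwork.shared.network
  subnetwork_self_link               = data.google_compute_subnetwork.shared.self_link
  pods_ip_range_name                 = "${local.stage}-private-vpc-pods"
  pods_ip_range_cidr                 = local.ranges["${local.stage}-private-vpc-pods"]
  services_ip_range_name             = "${local.stage}-private-vpc-services"
  services_ip_range_cidr             = local.ranges["${local.stage}-private-vpc-services"]
  master_ipv4_cidr_block             = "172.16.0.0/28" # /28 required by Google; assumed value
  master_authorized_networks         = [{ cidr_block = "203.0.113.0/24", display_name = "corp-egress" }] # assumed
  create_public_https_firewall_rule  = false # keep 0.0.0.0/0:443 off the worker nodes
  enable_network_policy              = true
  create_gcp_router                  = true
  create_gcp_nat                     = true
  gke_authenticator_groups_config_domain = "" # empty string disables group auth
  kubernetes_version                 = "1.29" # assumed; must exist in the release channel
  machine_type                       = "e2-standard-4"
  initial_node_count                 = 1
  minimum_node_count                 = "3"
  maximum_node_count                 = "6"
}
```

If a key in `local.ranges` is missing, `terraform plan` fails at the lookup, which surfaces a subnet that does not follow the naming convention before any cluster is created.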
## Requirements

| Name | Version |
|---|---|
| terraform | ~> 1.0 |

## Providers

| Name | Version |
|---|---|
| random | 3.6.2 |

## Modules

| Name | Source | Version |
|---|---|---|
| gke | ./modules/gcp-gke | n/a |

## Resources

| Name | Type |
|---|---|
| random_id.run_id | resource |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_gcp_nat | Set to true to create an Internet NAT for ALL_SUBNETWORKS_ALL_IP_RANGES in the VPC network. | `bool` | n/a | yes |
| create_gcp_router | Set to true to create a router in the VPC network. | `bool` | n/a | yes |
| create_public_https_firewall_rule | Set to true to create a firewall rule allowing 0.0.0.0/0:443 on TCP to all worker nodes. | `bool` | n/a | yes |
| enable_cost_allocation_feature | Whether to enable the cost allocation feature. | `bool` | `false` | no |
| enable_l4_ilb_subsetting | Enable L4 ILB Subsetting | `bool` | `false` | no |
| enable_network_policy | This value is passed to network_policy.enabled and the negative is passed to addons_config.network_policy_config.disabled. This might conflict with Workload Identity - make sure to read https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#limitations_and_requirements. | `bool` | n/a | yes |
| gke_authenticator_groups_config_domain | Domain to append to gke-security-groups to pass to authenticator_groups_config so members of that Google Group can authenticate to the cluster. Pass an empty string to disable. Domain passed here should be in the format of TLD.EXTENSION. | `string` | n/a | yes |
| google_credentials | Contents of a JSON keyfile of an account with write access to the project | `any` | n/a | yes |
| google_project | The GCP project to use for this run | `any` | n/a | yes |
| google_region | GCP region used to create all resources in this run | `any` | n/a | yes |
| initial_node_count | Initial node count, per-zone for regional clusters. | `any` | n/a | yes |
| kubernetes_version | The Kubernetes version to install on the master and node pool - must be a valid version from the specified var.release_channel | `string` | n/a | yes |
| machine_type | Machine types to use for the node pool. | `string` | n/a | yes |
| master_authorized_networks | List of authorized networks to access the control plane. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes |
| master_ipv4_cidr_block | The IP range to set for master nodes, passed to master_ipv4_cidr_block - /28 required by Google. | `any` | n/a | yes |
| maximum_node_count | Maximum nodes for the node pool. This is the total nodes so for regional deployments it is the total nodes across all zones. | `string` | n/a | yes |
| minimum_node_count | Minimum nodes for the node pool. This is the total nodes so for regional deployments it is the total nodes across all zones. | `string` | n/a | yes |
| nat_ip_address_self_links | List of IP address self links to use for NAT | `list(string)` | `[]` | no |
| pods_ip_range_cidr | CIDR of the secondary IP range used for Kubernetes Pods. | `string` | n/a | yes |
| pods_ip_range_name | Name of the secondary IP range used for Kubernetes Pods. | `string` | n/a | yes |
| release_channel | (Beta) The release channel of this cluster. Accepted values are UNSPECIFIED, RAPID, REGULAR and STABLE. Defaults to REGULAR. | `string` | `"RAPID"` | no |
| services_ip_range_cidr | CIDR of the secondary IP range used for Kubernetes Services. | `string` | n/a | yes |
| services_ip_range_name | Name of the secondary IP range used for Kubernetes Services. | `string` | n/a | yes |
| shared_vpc_host_google_credentials | Service Account with access to shared_vpc_host_google_project networks | `any` | n/a | yes |
| shared_vpc_host_google_project | The GCP project that hosts the shared VPC to place resources into | `any` | n/a | yes |
| shared_vpc_id | The id of the shared VPC. | `string` | n/a | yes |
| shared_vpc_self_link | self_link of the shared VPC to place the GKE cluster in. | `string` | n/a | yes |
| stage | Stage: [test, dev, prod...] used as prefix for all resources. | `string` | `"test"` | no |
| subnetwork_self_link | self_link of the google_compute_subnetwork to place the GKE cluster in. | `string` | n/a | yes |
## Outputs

| Name | Description |
|---|---|
| ca_certificate | n/a |
| client_token | n/a |
| cluster_name | The GKE cluster name that was built |
| cluster_project | The project hosting the GKE cluster. |
| gke_cluster_primary_node_pool_tag | Tag applied to the node pool instances - used for network/firewall rules. |
| kubernetes_endpoint | n/a |
| service_account | The default service account used for running nodes. |