richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5763 Commits
33 Branches
82 Tags
153 MiB
Tree: ae3a1d7c01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae3a1d7c01'
${ noResults }
kubespray/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf

360 lines
7.7 KiB
Raw Normal View History

Added gcp terraform support (#6974) * Added gcp terraform support * Added http/https firewall rule * Ignoring lifecycle changes for attached disks on the google_compute_instance
4 years ago
  1. #################################################
  2. ##
  3. ## General
  4. ##
  6. resource "google_compute_network" "main" {
  7. name = "${var.prefix}-network"
  8. }
  10. resource "google_compute_subnetwork" "main" {
  11. name = "${var.prefix}-subnet"
  12. network = google_compute_network.main.name
  13. ip_cidr_range = var.private_network_cidr
  14. region = var.region
  15. }
  17. resource "google_compute_firewall" "deny_all" {
  18. name = "${var.prefix}-default-firewall"
  19. network = google_compute_network.main.name
  21. priority = 1000
  23. deny {
  24. protocol = "all"
  25. }
  26. }
  28. resource "google_compute_firewall" "allow_internal" {
  29. name = "${var.prefix}-internal-firewall"
  30. network = google_compute_network.main.name
  32. priority = 500
  34. source_ranges = [var.private_network_cidr]
  36. allow {
  37. protocol = "all"
  38. }
  39. }
  41. resource "google_compute_firewall" "ssh" {
  42. name = "${var.prefix}-ssh-firewall"
  43. network = google_compute_network.main.name
  45. priority = 100
  47. source_ranges = var.ssh_whitelist
  49. allow {
  50. protocol = "tcp"
  51. ports = ["22"]
  52. }
  53. }
  55. resource "google_compute_firewall" "api_server" {
  56. name = "${var.prefix}-api-server-firewall"
  57. network = google_compute_network.main.name
  59. priority = 100
  61. source_ranges = var.api_server_whitelist
  63. allow {
  64. protocol = "tcp"
  65. ports = ["6443"]
  66. }
  67. }
  69. resource "google_compute_firewall" "nodeport" {
  70. name = "${var.prefix}-nodeport-firewall"
  71. network = google_compute_network.main.name
  73. priority = 100
  75. source_ranges = var.nodeport_whitelist
  77. allow {
  78. protocol = "tcp"
  79. ports = ["30000-32767"]
  80. }
  81. }
  83. resource "google_compute_firewall" "ingress_http" {
  84. name = "${var.prefix}-http-ingress-firewall"
  85. network = google_compute_network.main.name
  87. priority = 100
  89. allow {
  90. protocol = "tcp"
  91. ports = ["80"]
  92. }
  93. }
  95. resource "google_compute_firewall" "ingress_https" {
  96. name = "${var.prefix}-https-ingress-firewall"
  97. network = google_compute_network.main.name
  99. priority = 100
  101. allow {
  102. protocol = "tcp"
  103. ports = ["443"]
  104. }
  105. }
  107. #################################################
  108. ##
  109. ## Local variables
  110. ##
  112. locals {
  113. master_target_list = [
  114. for name, machine in google_compute_instance.master :
  115. "${machine.zone}/${machine.name}"
  116. ]
  118. worker_target_list = [
  119. for name, machine in google_compute_instance.worker :
  120. "${machine.zone}/${machine.name}"
  121. ]
  123. master_disks = flatten([
  124. for machine_name, machine in var.machines : [
  125. for disk_name, disk in machine.additional_disks : {
  126. "${machine_name}-${disk_name}" = {
  127. "machine_name": machine_name,
  128. "machine": machine,
  129. "disk_size": disk.size,
  130. "disk_name": disk_name
  131. }
  132. }
  133. ]
  134. if machine.node_type == "master"
  135. ])
  137. worker_disks = flatten([
  138. for machine_name, machine in var.machines : [
  139. for disk_name, disk in machine.additional_disks : {
  140. "${machine_name}-${disk_name}" = {
  141. "machine_name": machine_name,
  142. "machine": machine,
  143. "disk_size": disk.size,
  144. "disk_name": disk_name
  145. }
  146. }
  147. ]
  148. if machine.node_type == "worker"
  149. ])
  150. }
  152. #################################################
  153. ##
  154. ## Master
  155. ##
  157. resource "google_compute_address" "master" {
  158. for_each = {
  159. for name, machine in var.machines :
  160. name => machine
  161. if machine.node_type == "master"
  162. }
  164. name = "${var.prefix}-${each.key}-pip"
  165. address_type = "EXTERNAL"
  166. region = var.region
  167. }
  169. resource "google_compute_disk" "master" {
  170. for_each = {
  171. for item in local.master_disks :
  172. keys(item)[0] => values(item)[0]
  173. }
  175. name = "${var.prefix}-${each.key}"
  176. type = "pd-ssd"
  177. zone = each.value.machine.zone
  178. size = each.value.disk_size
  180. physical_block_size_bytes = 4096
  181. }
  183. resource "google_compute_attached_disk" "master" {
  184. for_each = {
  185. for item in local.master_disks :
  186. keys(item)[0] => values(item)[0]
  187. }
  189. disk = google_compute_disk.master[each.key].id
  190. instance = google_compute_instance.master[each.value.machine_name].id
  191. }
  193. resource "google_compute_instance" "master" {
  194. for_each = {
  195. for name, machine in var.machines :
  196. name => machine
  197. if machine.node_type == "master"
  198. }
  200. name = "${var.prefix}-${each.key}"
  201. machine_type = each.value.size
  202. zone = each.value.zone
  204. tags = ["master"]
  206. boot_disk {
  207. initialize_params {
  208. image = each.value.boot_disk.image_name
  209. size = each.value.boot_disk.size
  210. }
  211. }
  213. network_interface {
  214. subnetwork = google_compute_subnetwork.main.name
  216. access_config {
  217. nat_ip = google_compute_address.master[each.key].address
  218. }
  219. }
  221. metadata = {
  222. ssh-keys = "ubuntu:${trimspace(file(pathexpand(var.ssh_pub_key)))}"
  223. }
  225. service_account {
  226. email = var.master_sa_email
  227. scopes = var.master_sa_scopes
  228. }
  230. # Since we use google_compute_attached_disk we need to ignore this
  231. lifecycle {
  232. ignore_changes = ["attached_disk"]
  233. }
  234. }
  236. resource "google_compute_forwarding_rule" "master_lb" {
  237. name = "${var.prefix}-master-lb-forward-rule"
  239. port_range = "6443"
  241. target = google_compute_target_pool.master_lb.id
  242. }
  244. resource "google_compute_target_pool" "master_lb" {
  245. name = "${var.prefix}-master-lb-pool"
  246. instances = local.master_target_list
  247. }
  249. #################################################
  250. ##
  251. ## Worker
  252. ##
  254. resource "google_compute_disk" "worker" {
  255. for_each = {
  256. for item in local.worker_disks :
  257. keys(item)[0] => values(item)[0]
  258. }
  260. name = "${var.prefix}-${each.key}"
  261. type = "pd-ssd"
  262. zone = each.value.machine.zone
  263. size = each.value.disk_size
  265. physical_block_size_bytes = 4096
  266. }
  268. resource "google_compute_attached_disk" "worker" {
  269. for_each = {
  270. for item in local.worker_disks :
  271. keys(item)[0] => values(item)[0]
  272. }
  274. disk = google_compute_disk.worker[each.key].id
  275. instance = google_compute_instance.worker[each.value.machine_name].id
  276. }
  278. resource "google_compute_address" "worker" {
  279. for_each = {
  280. for name, machine in var.machines :
  281. name => machine
  282. if machine.node_type == "worker"
  283. }
  285. name = "${var.prefix}-${each.key}-pip"
  286. address_type = "EXTERNAL"
  287. region = var.region
  288. }
  290. resource "google_compute_instance" "worker" {
  291. for_each = {
  292. for name, machine in var.machines :
  293. name => machine
  294. if machine.node_type == "worker"
  295. }
  297. name = "${var.prefix}-${each.key}"
  298. machine_type = each.value.size
  299. zone = each.value.zone
  301. tags = ["worker"]
  303. boot_disk {
  304. initialize_params {
  305. image = each.value.boot_disk.image_name
  306. size = each.value.boot_disk.size
  307. }
  308. }
  310. network_interface {
  311. subnetwork = google_compute_subnetwork.main.name
  313. access_config {
  314. nat_ip = google_compute_address.worker[each.key].address
  315. }
  316. }
  318. metadata = {
  319. ssh-keys = "ubuntu:${trimspace(file(pathexpand(var.ssh_pub_key)))}"
  320. }
  322. service_account {
  323. email = var.worker_sa_email
  324. scopes = var.worker_sa_scopes
  325. }
  327. # Since we use google_compute_attached_disk we need to ignore this
  328. lifecycle {
  329. ignore_changes = ["attached_disk"]
  330. }
  331. }
  333. resource "google_compute_address" "worker_lb" {
  334. name = "${var.prefix}-worker-lb-address"
  335. address_type = "EXTERNAL"
  336. region = var.region
  337. }
  339. resource "google_compute_forwarding_rule" "worker_http_lb" {
  340. name = "${var.prefix}-worker-http-lb-forward-rule"
  342. ip_address = google_compute_address.worker_lb.address
  343. port_range = "80"
  345. target = google_compute_target_pool.worker_lb.id
  346. }
  348. resource "google_compute_forwarding_rule" "worker_https_lb" {
  349. name = "${var.prefix}-worker-https-lb-forward-rule"
  351. ip_address = google_compute_address.worker_lb.address
  352. port_range = "443"
  354. target = google_compute_target_pool.worker_lb.id
  355. }
  357. resource "google_compute_target_pool" "worker_lb" {
  358. name = "${var.prefix}-worker-lb-pool"
  359. instances = local.worker_target_list
  360. }