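terraform {
  # Backend address/credentials are expected at `terraform init` time via
  # -backend-config; nothing is hard-coded here.
  backend "http" {}

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.3.0"
    }
  }
}

provider "google" {
  # NOTE(review): a long-lived service-account key is read from the working
  # tree. Keep ./gcp-sa.json out of version control, and prefer Application
  # Default Credentials (workload identity / impersonation) over a key file
  # wherever the execution environment allows it.
  credentials = file("./gcp-sa.json")
  project     = var.project_id
  region      = var.region
}

data "google_project" "project" {
  provider   = google
  project_id = var.project_id
}

### Reserve Static IP
# Global external address intended for the cluster frontend; no resource in
# this file attaches it yet.
resource "google_compute_global_address" "static_ip" {
  provider = google
  project  = var.project_id
  name     = "gke-frontend"
}

### Create Network
resource "google_compute_network" "vpc_network" {
  provider                = google
  project                 = var.project_id
  name                    = var.vpc_network_name
  auto_create_subnetworks = false # subnets are declared explicitly below
  mtu                     = 1460
  routing_mode            = "GLOBAL"
}

### Create Subnetwork
resource "google_compute_subnetwork" "vpc_subnetwork" {
  provider      = google
  project       = var.project_id
  name          = var.vpc_subnetwork_name
  ip_cidr_range = "192.168.100.0/24" # primary range: node addresses
  region        = var.region
  # Referencing the network id already orders creation after vpc_network,
  # so no explicit depends_on is needed.
  network = google_compute_network.vpc_network.id

  # Alias ranges consumed by the cluster's ip_allocation_policy below.
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.0.0.0/14"
  }

  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.4.0.0/19"
  }

  # Lets private nodes reach Google APIs without public IPs.
  private_ip_google_access = true
}

### Create VPC network peering
# Reserves an internal /16 for private services access and peers the VPC with
# the Service Networking producer network.
resource "google_compute_global_address" "vpc_private_ip_address" {
  provider      = google
  project       = var.project_id
  name          = var.vpc_private_ip_address_name
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.vpc_network.id
}

resource "google_service_networking_connection" "vpc_private_vpc_connection" {
  provider                = google
  network                 = google_compute_network.vpc_network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.vpc_private_ip_address.name]
}

### Create firewall rules
# NOTE(review): the HTTP/HTTPS rules admit 80/443 from any source, but only to
# instances carrying the http-server / https-server tags. The node pool in
# this file sets no network tags, so as written these rules match no GKE
# node; if they are meant for the cluster, scope them deliberately.
resource "google_compute_firewall" "fw_http" {
  provider = google
  project  = var.project_id
  name     = var.fw_http_name
  network  = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  target_tags   = ["http-server"]
  source_ranges = ["0.0.0.0/0"]
  disabled      = false
}

resource "google_compute_firewall" "fw_https" {
  provider = google
  project  = var.project_id
  name     = var.fw_https_name
  network  = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  target_tags   = ["https-server"]
  source_ranges = ["0.0.0.0/0"]
  disabled      = false
}

# SSH only from Google's IAP TCP-forwarding range. With no target_tags the
# rule applies to every instance in the VPC, not just the cluster nodes.
resource "google_compute_firewall" "allow_from_iap_to_instances" {
  provider = google
  project  = var.project_id
  name     = var.fw_ssh_name
  network  = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"]
}

### Create Cloud NAT
# Private nodes have no external IPs; Cloud NAT provides their egress path.
resource "google_compute_router" "router" {
  provider = google
  project  = var.project_id
  name     = var.router_name
  region   = var.region
  network  = google_compute_network.vpc_network.id

  bgp {
    asn = 64514
  }
}

resource "google_compute_router_nat" "cloud_nat" {
  provider                           = google
  project                            = var.project_id
  name                               = var.cloud_nat_name
  region                             = var.region
  router                             = google_compute_router.router.name
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # NOTE(review): NAT logging is off, so egress from the private nodes leaves
  # no record. `enable = true` (with filter "ALL" or "ERRORS_ONLY") is cheap
  # detection coverage; weigh it against log volume and cost.
  log_config {
    enable = false
    filter = "ERRORS_ONLY"
  }

  min_ports_per_vm = 64
}

### Create Kubernetes Cluster
resource "google_container_cluster" "cluster" {
  provider = google
  project  = var.project_id
  name     = var.cluster_name
  location = var.region # a region here makes this a regional (multi-zone) cluster

  # The default pool is created and then removed; the managed pool below
  # replaces it.
  remove_default_node_pool = true
  initial_node_count       = 1

  logging_service           = "logging.googleapis.com/kubernetes"
  default_max_pods_per_node = 20

  # VPC-native: pods and services use the subnetwork's secondary ranges.
  # The network/subnetwork references also order creation, so no explicit
  # depends_on is needed.
  networking_mode = "VPC_NATIVE"
  network         = google_compute_network.vpc_network.id
  subnetwork      = google_compute_subnetwork.vpc_subnetwork.id

  # Cluster-level Shielded Nodes; the node pool below additionally turns on
  # secure boot and integrity monitoring per instance.
  enable_shielded_nodes = true

  # Nodes get private IPs only, but the control-plane endpoint stays public.
  # NOTE(review): no master_authorized_networks_config is set, so the public
  # endpoint accepts connections from any IP (authentication still applies).
  # Add an authorized-networks block listing operator CIDRs, or set
  # enable_private_endpoint = true once a private path to the API exists.
  private_cluster_config {
    enable_private_endpoint = false
    enable_private_nodes    = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  default_snat_status {
    disabled = false
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # Workload Identity: pods authenticate via Kubernetes service accounts
  # mapped to GCP service accounts rather than with the node's credentials.
  workload_identity_config {
    workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
  }
}

### Create Kubernetes Node Pool
resource "google_container_node_pool" "node_pool" {
  provider   = google
  project    = var.project_id
  name       = var.node_pool_name
  location   = var.region
  cluster    = google_container_cluster.cluster.name
  node_count = 1 # per zone when location is a region

  node_config {
    preemptible  = true # may be reclaimed at any time; suitable for non-critical workloads
    machine_type = "e2-micro"
    disk_size_gb = 10 # numeric attribute; was quoted as a string
    disk_type    = "pd-ssd"
    # NOTE(review): "cos" selects the Docker-based COS image, which GKE has
    # deprecated in favour of COS_CONTAINERD; confirm the target cluster
    # version still accepts it before apply.
    image_type = "cos"

    # NOTE(review): no service_account is set, so nodes run as the Compute
    # Engine default service account with the broad cloud-platform scope.
    # A dedicated, minimally-privileged node SA is the usual hardening; with
    # Workload Identity enabled on the cluster, pods do not need these scopes.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    # Per-instance Shielded VM features, complementing enable_shielded_nodes.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    labels = {
      disktype    = "ssd"
      cputype     = "e2"
      preemptible = "true"
    }
  }
}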