# This is a combination of 6 commits.

# This is the 1st commit message:

Initial definition of a Safer Cluster module.

# This is the commit message terraform-google-modules#2:

Add a sample for using the safer-cluster module.

# This is the commit message terraform-google-modules#3:

Add a test kitchen instance

# This is the commit message terraform-google-modules#4:

Formatting TF files.

# This is the commit message terraform-google-modules#5:

Add a test for the safer-cluster module

# This is the commit message terraform-google-modules#6:

Additional fixes

Author: mmontan

.kitchen.yml

@@ -50,13 +50,34 @@ suites:
       systems:
         - name: node_pool
           backend: local
-  - name: "shared_vpc"
+  - name: "simple_regional_private"
+    driver:
+      root_module_directory: test/fixtures/simple_regional_private
+    verifier:
+      systems:
+        - name: simple_regional_private
+          backend: local
+        - name: "shared_vpc"
     driver:
       root_module_directory: test/fixtures/shared_vpc
     verifier:
       systems:
         - name: shared_vpc
           backend: local
+  - name: "safer_cluster"
+    driver:
+      root_module_directory: test/fixtures/safer_cluster
+    verifier:
+      systems:
+        - name: safer_cluster
+          backend: local
+  - name: "simple_regional"
+    driver:
+      root_module_directory: test/fixtures/simple_regional
+    verifier:
+      systems:
+        - name: simple_regional
+          backend: local
   - name: "simple_regional"
     driver:
       root_module_directory: test/fixtures/simple_regional

examples/safer_cluster/README.md

@@ -0,0 +1,49 @@
+# Simple Regional Cluster
+
+This example illustrates how to create a simple private cluster with beta features.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cloudrun | Boolean to enable / disable CloudRun | string | `"true"` | no |
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
+| istio | Boolean to enable / disable Istio | string | `"true"` | no |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate |  |
+| client\_token |  |
+| cluster\_name | Cluster name |
+| credentials\_path |  |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint |  |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| project\_id |  |
+| region |  |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/safer_cluster/main.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "safer-cluster"
+}
+
+provider "google-beta" {
+  version     = "~> 2.12.0"
+  credentials = file(var.credentials_path)
+  region      = var.region
+}
+
+data "google_compute_subnetwork" "subnetwork" {
+  name    = var.subnetwork
+  project = var.project_id
+  region  = var.region
+}
+
+module "gke" {
+  source                 = "../../modules/safer-cluster/"
+  project_id             = var.project_id
+  name                   = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional               = true
+  region                 = var.region
+  network                = var.network
+  subnetwork             = var.subnetwork
+  ip_range_pods          = var.ip_range_pods
+  ip_range_services      = var.ip_range_services
+  master_ipv4_cidr_block = "172.16.0.0/28"
+
+  istio    = var.istio
+  cloudrun = var.cloudrun
+}
+
+data "google_client_config" "default" {
+}
+

examples/safer_cluster/outputs.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = module.gke.endpoint
+}
+
+output "client_token" {
+  sensitive = true
+  value     = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+  value = module.gke.ca_certificate
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = module.gke.service_account
+}
+

examples/safer_cluster/test_outputs.tf

@@ -0,0 +1 @@
+../../test/fixtures/all_examples/test_outputs.tf

examples/safer_cluster/variables.tf

@@ -0,0 +1,59 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+}
+
+variable "credentials_path" {
+  description = "The path to the GCP credentials JSON file"
+}
+
+variable "cluster_name_suffix" {
+  description = "A suffix to append to the default cluster name"
+  default     = ""
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+}
+
+variable "network" {
+  description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "istio" {
+  description = "Boolean to enable / disable Istio"
+  default     = true
+}
+
+variable "cloudrun" {
+  description = "Boolean to enable / disable CloudRun"
+  default     = true
+}
+

examples/safer_cluster/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}

modules/safer-cluster/README.md

@@ -0,0 +1,14 @@
+# Safer Beta Cluster
+
+The module defines a safer configuration for a GKE cluster. It is based on the beta private cluster configuration, and forces certain security-relevant configurations to values that provice specific security
+properties.
+
+[^]: (autogen_docs_start)
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure