Terraform setup to spin up a complete Kubernetes runtime on Google Cloud.
Description of files and directories within this directory.
Path | Description |
---|---|
env/ | Environment specific configurations |
modules/ | Directory with Terraform modules |
backend.tf | Configuration of Terraform state backend |
modules.tf | Configuration of Terraform modules in /modules |
providers.tf | Configuration of Terraform providers |
variables.tf | Declaration of top level project variables |
The bootstrap steps below create the following:

- Google Cloud Platform (GCP) service account for Terraform
- Google Cloud Storage (GCS) bucket for Terraform state
Log in to Google Cloud using the `gcloud` command line:

```sh
gcloud auth login
```
Set the following configurations:

```sh
gcloud config set account <my_user_account>
gcloud config set project andersrunningen-test
gcloud config set compute/region europe-north1
```
Create a new Service Account for running Terraform:

```sh
gcloud iam service-accounts create terraform
```
Grant the new Service Account the Owner role (broad, but the simplest choice for a bootstrap; narrow it to the roles the modules actually need once those are known):

```sh
gcloud projects add-iam-policy-binding andersrunningen-test \
  --member serviceAccount:[email protected] \
  --role roles/owner
```
Create a credential for the Service Account by running the following command:

```sh
gcloud iam service-accounts keys create \
  --iam-account [email protected] \
  andersrunningen-test.json
```
Move the `.json` file somewhere safe and set the following environment variables. Both the Google provider and the `gcs` state backend read `GOOGLE_CREDENTIALS`; here it is set to the key file's contents collapsed onto one line (the provider also accepts a path to the file):

```sh
export GOOGLE_CREDENTIALS=$(cat ~/my/path.json | tr -d '\n')
export TERRAFORM_ENVIRONMENT=test
export TERRAFORM_STATE_GCP_BUCKET=andersrunningen-test-tf-state
```
Create an encryption key for encrypting the content of the Terraform state and keep it somewhere safe. The `gcs` backend uses `GOOGLE_ENCRYPTION_KEY` as a customer-supplied encryption key, which must be 32 random bytes encoded in base64. Every machine or pipeline that runs Terraform against this state needs the same key, and if the key is lost the state can no longer be read:

```sh
openssl rand -base64 32 > ~/my/path.enc
export GOOGLE_ENCRYPTION_KEY=$(cat ~/my/path.enc)
```
Create a bucket for storing the Terraform state (`-b on` enables uniform bucket-level access, so access to the state is governed by IAM alone):

```sh
gsutil mb -b on -c regional -l europe-north1 gs://${TERRAFORM_STATE_GCP_BUCKET}
```

Initialise Terraform against that bucket, create a workspace for the environment, then plan and apply with the environment's variable file:

```sh
terraform init -reconfigure -backend-config="bucket=${TERRAFORM_STATE_GCP_BUCKET}"
terraform workspace new ${TERRAFORM_ENVIRONMENT}
terraform plan -var-file=env/${TERRAFORM_ENVIRONMENT}.tfvars
terraform apply -var-file=env/${TERRAFORM_ENVIRONMENT}.tfvars
```
To let GitHub Actions run Terraform without a long-lived service account key, create a Workload Identity Pool, add GitHub's OIDC issuer as a provider in that pool, and allow the repository to impersonate the Terraform service account.

Create the pool:

```sh
gcloud iam workload-identity-pools create "ga-pool" \
  --project="andersrunningen-test" \
  --location="global" \
  --display-name="Github actions pool"
```

Create the OIDC provider. The attribute mapping must define `attribute.repository`, because the binding below selects on it: a `principalSet` member that filters on an attribute the mapping does not define never matches any token. The attribute condition limits the provider to tokens issued for repositories owned by `AndersRunningen` (Google now requires a condition on providers for GitHub's issuer):

```sh
gcloud iam workload-identity-pools providers create-oidc "my-provider" \
  --project="andersrunningen-test" \
  --location="global" \
  --workload-identity-pool="ga-pool" \
  --display-name="GitHub provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
  --attribute-condition="assertion.repository_owner == 'AndersRunningen'" \
  --issuer-uri="https://token.actions.githubusercontent.com"
```

Allow workflows from the `AndersRunningen/terraform-gcp-example` repository to impersonate the service account:

```sh
gcloud iam service-accounts add-iam-policy-binding "[email protected]" \
  --project="andersrunningen-test" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/325888718151/locations/global/workloadIdentityPools/ga-pool/attribute.repository/AndersRunningen/terraform-gcp-example"
```

The project number (`325888718151` in the member above) can be found with `gcloud projects list`.
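A pre-flight script that checks the three things in the steps above that most often go wrong before the first `terraform init`: that `GOOGLE_ENCRYPTION_KEY` really is a base64-encoded 32-byte key, that `GOOGLE_CREDENTIALS` holds a service-account key (either its JSON contents or a path to the file), and that the `principalSet` member of the Workload Identity binding filters on an attribute the provider's `--attribute-mapping` actually defines. This is an added example, not part of the terraform-gcp-example repository; the function names and the `preflight.sh` file name are this example's own, and it assumes only bash, grep, sed and tr.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the bootstrap in this README (added example, not repository code).
# Assumes bash, grep, sed and tr. Every function returns 0 on success, 1 on failure.

# The gcs backend uses GOOGLE_ENCRYPTION_KEY as a customer-supplied AES-256 key,
# so it must be base64 of exactly 32 bytes: 43 base64 characters followed by one
# "=" pad, 44 characters in total, on a single line.
check_state_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# GOOGLE_CREDENTIALS may hold either a path to the service-account key file or the
# file's JSON contents. Either way the JSON must carry type "service_account",
# a client_email and a private_key; a user credential or an empty value is rejected.
check_credentials_json() {
  creds="$1"
  if [ -f "$creds" ]; then
    creds=$(cat "$creds")
  fi
  printf '%s' "$creds" | grep -q '"type" *: *"service_account"' || return 1
  printf '%s' "$creds" | grep -q '"client_email"' || return 1
  printf '%s' "$creds" | grep -q '"private_key"'
}

# A principalSet member of the form .../attribute.<name>/<value> only matches tokens
# for which the provider's --attribute-mapping defines attribute.<name>.
# Return 0 when the attribute the member filters on is present in the mapping.
check_wif_binding() {
  mapping="$1"
  member="$2"
  attr=$(printf '%s' "$member" | sed -n 's#.*/\(attribute\.[A-Za-z0-9_]*\)/.*#\1#p')
  [ -n "$attr" ] || return 1
  printf '%s' "$mapping" | tr ',' '\n' | grep -q "^${attr}="
}

# Run the environment checks and report each result; returns 1 if any check failed.
preflight() {
  rc=0
  if check_state_key "${GOOGLE_ENCRYPTION_KEY:-}"; then
    echo "ok   GOOGLE_ENCRYPTION_KEY is base64 of 32 bytes"
  else
    echo "FAIL GOOGLE_ENCRYPTION_KEY is missing or not base64 of exactly 32 bytes"
    rc=1
  fi
  if check_credentials_json "${GOOGLE_CREDENTIALS:-}"; then
    echo "ok   GOOGLE_CREDENTIALS is a service-account key"
  else
    echo "FAIL GOOGLE_CREDENTIALS is neither a service-account key file nor its JSON contents"
    rc=1
  fi
  if [ -n "${TERRAFORM_STATE_GCP_BUCKET:-}" ] && [ -n "${TERRAFORM_ENVIRONMENT:-}" ]; then
    echo "ok   TERRAFORM_STATE_GCP_BUCKET and TERRAFORM_ENVIRONMENT are set"
  else
    echo "FAIL TERRAFORM_STATE_GCP_BUCKET or TERRAFORM_ENVIRONMENT is unset"
    rc=1
  fi
  return $rc
}

# Only run the environment checks when invoked as: bash preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run `bash preflight.sh --run` after exporting the variables; `check_wif_binding` is meant to be called with the exact `--attribute-mapping` and `--member` strings you are about to pass to `gcloud`, and it reports the mismatch that a mapping without `attribute.repository` would otherwise only reveal as a silently failing workflow login.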
Run the following command to fetch the credentials for the new Kubernetes cluster:

```sh
gcloud container clusters get-credentials andersrunningen-test-gke --zone europe-west1-b
```

You can now list the running pods with the `kubectl` command:

```sh
kubectl get pods --all-namespaces
```
There are a few things you have to do manually after the first apply:

- Set up the appropriate DNS zone in the root DNS server.
- Open firewall rules on the shared VPC project. This only has to be done once: after the first Ingress is created, check its events and copy the command shown there:

```sh
kubectl describe ingress [ingress-name]
```
References:

- https://www.terraform.io/intro/index.html
- https://learn.hashicorp.com/tutorials/terraform/gke?in=terraform/kubernetes
- https://github.com/hashicorp/learn-terraform-provision-gke-cluster