diff --git a/tf-environments/gcp/README.md b/tf-environments/gcp/README.md
new file mode 100644
index 000000000..721b23a8f
--- /dev/null
+++ b/tf-environments/gcp/README.md
@@ -0,0 +1,32 @@
+Folder Layout
+==============
+
+This folder is here to hold all Terraform resources for our GCP deployments.
+
+# ./gcp folder
+This folder holds each named environment we have: dev, qa, stage, prod, special-project, etc
+
+This can hold any number of environments
+
+# ./gcp/
+Under the named environment folder we have another folder that is named exactly the same. Yes, this is a little redundant and not too DRY but let me explain why this is done.
+
+In the folder `./gcp//` folder we have a `terragrunt.hcl` file that holds the state store information:
+
+```
+remote_state {
+ backend = "gcs"
+ config = {
+ bucket = "kubernetes-ops-terraform-state-${get_env("STATE_STORE_UNIQUE_KEY", "default-value-1234")}"
+ prefix = path_relative_to_include()
+ project = "managedkube"
+ location = "us-central1"
+ }
+}
+```
+
+Creating a directory structure like this allows us to keep this file "DRY" and with no specific changes needed for it besides the `project` var if you wanted to store the state in another GCP project.
+
+The alternative is to hold this file in each of the top level named environment dir and then set the `prefix` with the environment name. However, this means that if I create another environment I have to copy this file over to that directory and remember to change the environment name in the `prefix` variable. While I like that idea, I have seen many times when someone creates a new environment they don't chane that var and then start overwritting another environment's state store. With this method, the environment name (which is the directory name) is always there and in the GCS bucket that means these paths will always be unique because on your local file system you cannot create a folder name with the same name.
+
+Another thing that this provide us is a way to keep the state store in another GCP project. Your pre-production infra might be in one GCP project and your production infra could be in another project.
This allows us to specify which project to target.
diff --git a/tf-environments/gcp/dev/dev/cluster/terragrunt.hcl b/tf-environments/gcp/dev/dev/cluster/terragrunt.hcl
new file mode 100644
index 000000000..b7a587aea
--- /dev/null
+++ b/tf-environments/gcp/dev/dev/cluster/terragrunt.hcl
@@ -0,0 +1,58 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/gcp/private-gke-cluster/"
+}
+
+inputs = {
+ vpc_name = "dev"
+ network_name = "dev"
+ cluster_name = "dev"
+
+ enable_private_kube_master_endpoint = false
+
+ oauth_scopes = [
+ "compute-rw",
+ "storage-rw",
+ "logging-write",
+ "monitoring"
+ ]
+
+ tags = ["dev"]
+
+ labels = {}
+
+ taints = []
+
+ node_version = "1.13.11-gke.14"
+ machine_type = "n1-standard-4"
+ image_type = "COS"
+ disk_size_gb = "20"
+ initial_node_count = "1"
+
+ master_ipv4_cidr_block="10.20.22.0/28"
+
+ pods_ip_cidr_range="10.20.64.0/19"
+ services_ip_cidr_range="10.20.96.0/19"
+ # pods_ip_cidr_range="10.30.10.0/16"
+ # services_ip_cidr_range="10.30.11.0/16"
+
+ master_authorized_networks_cidr = [
+ { cidr_block = "10.0.0.0/8", display_name = "10x" },
+ { cidr_block = "172.16.0.0/12", display_name = "172x" },
+ { cidr_block = "192.168.0.0/16", display_name = "192x" },
+ { cidr_block = "38.30.8.138/32", display_name = "home" },
+ { cidr_block = "35.222.67.76/32", display_name = "gar-vpn" },
+ ]
+
+
+ #####################
+ # networking
+ #####################
+ public_subnet_cidr_range = "10.20.11.0/24"
+ private_subnet_cidr_range = "10.20.21.0/24"
+
+ outbound_through_nat_tags=["private-subnet", "gke-private-nodes"]
+}
diff --git a/tf-environments/gcp/dev/dev/networking/terragrunt.hcl b/tf-environments/gcp/dev/dev/networking/terragrunt.hcl
new file mode 100644
index 000000000..4fbb1a415
--- /dev/null
+++ b/tf-environments/gcp/dev/dev/networking/terragrunt.hcl
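Review bot: The default node pool's `oauth_scopes` in the cluster inputs (`compute-rw`, `storage-rw`) is much broader than the read-only `gke-defaults` list both nodepool hunks in this commit use, so any pod scheduled onto the default pool can write to Compute and GCS with whatever the node service account is allowed, unless workload identity is enforced somewhere not visible here. Aligning it with the nodepool scope list, or dropping the default pool if the module allows it, would close that gap. Separately, `master_authorized_networks_cidr` hard-codes two public /32 addresses (`home`, `gar-vpn`) in a committed environment file; these are operator-specific, will go stale silently, and with `enable_private_kube_master_endpoint = false` this list is the only thing gating the public control-plane endpoint, so they are better sourced from the `_env_defaults` var file the root terragrunt.hcl already wires in, each with a comment saying what it is and who owns it.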
@@ -0,0 +1,26 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/gcp/vpc/"
+}
+
+inputs = {
+ # region = "us-central1" # specified in ../_env_defaults/gcp.tfars
+ bastion_region_zone = "us-central1-b"
+ // project_name = "managedkube"
+ vpc_name = "dev"
+
+ public_subnet_cidr_range = "10.20.10.0/24"
+ private_subnet_cidr_range = "10.20.20.0/24"
+
+ bastion_machine_type = "n1-standard-2"
+ bastion_image = "ubuntu-1810-cosmic-v20190628"
+ bastion_internal_ip = "10.20.10.253"
+
+ internal_services_bastion_cidr = "10.20.10.253/32"
+
+ outbound_through_bastion_tags=["private-subnet", "gke-private-nodes"]
+ outbound_through_nat_tags=["private-subnet", "gke-private-nodes"]
+}
diff --git a/tf-environments/gcp/dev/dev/nodepools/pool-1/terragrunt.hcl b/tf-environments/gcp/dev/dev/nodepools/pool-1/terragrunt.hcl
new file mode 100644
index 000000000..d944cb97c
--- /dev/null
+++ b/tf-environments/gcp/dev/dev/nodepools/pool-1/terragrunt.hcl
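Review bot: `bastion_image = "ubuntu-1810-cosmic-v20190628"` pins a non-LTS Ubuntu release (18.10 has a nine-month support window), so this bastion, which is the one host meant to be reachable from outside, will stop receiving security updates shortly after that image date; an LTS image or a family-based lookup would be safer, with a comment stating the refresh policy. The inline comment `# specified in ../_env_defaults/gcp.tfars` misspells the file and gives a relative path that does not match the `${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars` the root terragrunt.hcl in this commit actually loads; `# region is set in _env_defaults/gcp.tfvars via the root terragrunt.hcl` would be accurate. Finally `bastion_internal_ip = "10.20.10.253"` and `internal_services_bastion_cidr = "10.20.10.253/32"` carry the same address twice and can drift apart on the next edit; if the module cannot derive one from the other, a comment tying them together is the minimum.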
@@ -0,0 +1,58 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../tf-modules/gcp/nodepool/"
+}
+
+inputs = {
+
+ cluster_name = "dev"
+ node_pool_name = "pool-1"
+
+ initial_node_count = "3"
+ min_node_count = "0"
+ max_node_count = "50"
+ machine_type = "n1-standard-2"
+ disk_size_gb = "100"
+
+ image_type = "COS"
+
+ # These represent the "gke-defaults" scope list
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ "https://www.googleapis.com/auth/service.management.readonly",
+ "https://www.googleapis.com/auth/servicecontrol",
+ "https://www.googleapis.com/auth/trace.append",
+ ]
+
+ # Kubernetes node labels
+ labels = {}
+ // {
+ // foo = "bar",
+ // foo2 = "bar2",
+ // }
+
+ # GCP node labels and firewall labels
+ tags = []
+ // ["foo", "bar"]
+
+ # Kubernetes taints
+ taints = []
+ // [
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar"
+ // value = "foo"
+ // },
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar2"
+ // value = "foo2"
+ // },
+ // ]
+
+}
diff --git a/tf-environments/gcp/dev/dev/nodepools/pool-2/terragrunt.hcl b/tf-environments/gcp/dev/dev/nodepools/pool-2/terragrunt.hcl
new file mode 100644
index 000000000..12cee00e0
--- /dev/null
+++ b/tf-environments/gcp/dev/dev/nodepools/pool-2/terragrunt.hcl
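Review bot: Numeric inputs are written as strings here (`initial_node_count = "3"`, `min_node_count = "0"`, `max_node_count = "50"`, `disk_size_gb = "100"`), and the cluster hunk and the pool-2 hunk do the same while pool-2 passes its boolean bare; Terraform will coerce these if the module declares number types, but the mixed representation hides type errors until plan time and makes the inputs harder to review. Writing them as numbers (`initial_node_count = 3`, `max_node_count = 50`) is clearer, and the same change applies to pool-2. The comment styles also alternate between `#` and `//` within one file; picking one (`#` is what the root terragrunt.hcl uses) keeps the environment files consistent.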
@@ -0,0 +1,59 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../tf-modules/gcp/nodepool/"
+}
+
+inputs = {
+
+ cluster_name = "dev"
+ node_pool_name = "pool-2"
+
+ initial_node_count = "1"
+ is_preemtible = true
+ min_node_count = "0"
+ max_node_count = "6"
+ machine_type = "n1-standard-8"
+ disk_size_gb = "100"
+
+ image_type = "COS"
+
+ # These represent the "gke-defaults" scope list
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ "https://www.googleapis.com/auth/service.management.readonly",
+ "https://www.googleapis.com/auth/servicecontrol",
+ "https://www.googleapis.com/auth/trace.append",
+ ]
+
+ # Kubernetes node labels
+ labels = {}
+ // {
+ // foo = "bar",
+ // foo2 = "bar2",
+ // }
+
+ # GCP node labels and firewall labels
+ tags = []
+ // ["foo", "bar"]
+
+ # Kubernetes taints
+ taints = []
+ // [
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar"
+ // value = "foo"
+ // },
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar2"
+ // value = "foo2"
+ // },
+ // ]
+
+}
diff --git a/tf-environments/gcp/dev/terragrunt.hcl b/tf-environments/gcp/dev/terragrunt.hcl
new file mode 100644
index 000000000..36d41efd4
--- /dev/null
+++ b/tf-environments/gcp/dev/terragrunt.hcl
@@ -0,0 +1,21 @@
+remote_state {
+ backend = "gcs"
+ config = {
+ bucket = "kubernetes-ops-terraform-state-${get_env("STATE_STORE_UNIQUE_KEY", "default-value-1234")}"
+ prefix = path_relative_to_include()
+ project = "managedkube"
+ location = "us-central1"
+ }
+}
+
+terraform {
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars",
+ # "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+ "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars",
+ ]
+ }
+}
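Review bot: `is_preemtible = true` looks like a misspelling of `is_preemptible`; as far as I know Terragrunt hands `inputs` to Terraform as `TF_VAR_` environment variables, and Terraform ignores an environment variable that matches no declared module variable rather than rejecting it, so if the module in `tf-modules/gcp/nodepool/` (not in this commit) declares the correctly spelled name this pool would silently be created as regular, non-preemptible `n1-standard-8` nodes up to `max_node_count = "6"`. Please check the variable name on the module side and correct whichever spelling is wrong, since the cost and eviction behaviour of this pool hinge on it.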
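Review bot: `get_env("STATE_STORE_UNIQUE_KEY", "default-value-1234")` gives the state bucket a fallback name, so anyone who forgets to export the variable silently writes to `kubernetes-ops-terraform-state-default-value-1234`; GCS bucket names are global, so that bucket is either shared by everyone who runs this repo with the variable unset or already owned by a third party, and in neither case is it the bucket this environment intends. Dropping the default, `bucket = "kubernetes-ops-terraform-state-${get_env("STATE_STORE_UNIQUE_KEY")}"`, makes Terragrunt fail fast when the variable is missing instead. The README in this commit repeats this `remote_state` block verbatim, so the two now have to be kept in sync by hand; a one-line comment here naming this file as the source of truth would help. Since the GKE and bastion state stored here will contain sensitive values, the `project` and the IAM on this bucket deserve the same review as the cluster itself.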