fix: update startup script to install packages successfully

Added IAM role binding to add the role "container admin" to the
service account created and attached the cluster node pool.

Fixes issue #30

modules/bastion/startup.sh

@@ -1,56 +1,19 @@
 #!/bin/bash
 
-# Kubectl Setup: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-using-native-package-management
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "|                                                                                                                                         |"
-echo "|                                                             INSTALL KUBECTL                                                             |"
-echo "|                                                                                                                                         |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update
-curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key |
-  sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
-# This overwrites any existing configuration in /etc/apt/sources.list.d/kubernetes.list
-echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' |
-  sudo tee /etc/apt/sources.list.d/kubernetes.list
-sudo apt-get update && sudo apt-get install kubectl -y
-
-# Helm Setup: https://helm.sh/docs/intro/install/#from-apt-debianubuntu
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "|                                                                                                                                         |"
-echo "|                                                              INSTALL HELM                                                               |"
-echo "|                                                                                                                                         |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update
-curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg >/dev/null
-sudo apt-get install apt-transport-https -y
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" |
-  sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
-sudo apt-get update && sudo apt-get install helm -y
-
-# GCloud Setup: https://cloud.google.com/sdk/docs/install#deb
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "|                                                                                                                                         |"
-echo "|                                                         INSTALL GCLOUD PLUGINS                                                          |"
-echo "|                                                                                                                                         |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update
-sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo -y
-curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
-echo \
-  "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" |
-  sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
-sudo apt-get update
-sudo apt-get install google-cloud-cli -y
-sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin -y
-
-# Install tinyproxy for tunneling
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "|                                                                                                                                         |"
-echo "|                                                            INSTALL TINYPROXY                                                            |"
-echo "|                                                                                                                                         |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update && sudo apt-get install tinyproxy -y
+sudo apt-get update -y
+curl -LO https://dl.k8s.io/release/v1.28.3/bin/linux/amd64/kubectl
+echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
+
+sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+chmod +x kubectl
+mkdir -p ~/.local/bin
+mv ./kubectl ~/.local/bin/kubectl
+kubectl version --client
+
+curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+chmod 700 get_helm.sh
+./get_helm.sh
+helm version
+
+sudo apt-get update -y
+sudo apt-get install tinyproxy -y

modules/k8s/main.tf

@@ -1,11 +1,20 @@
 # Service account
-resource "google_service_account" "kubernetes" {
-  account_id = var.account_id_kubernetes
+resource "google_service_account" "gke_sa" {
+  account_id   = var.account_id_kubernetes
+  display_name = "GKE Admin Service Account"
+}
+
+resource "google_project_iam_binding" "gke_sa_admin" {
+  project = var.project_id
+  role    = "roles/container.admin"
+  members = [
+    "serviceAccount:${google_service_account.gke_sa.email}"
+  ]
 }
 
 # GKE cluster
-resource "google_container_cluster" "my_gke" {
-  name                = "primary"
+resource "google_container_cluster" "pwncorp_cluster" {
+  name                = "pwncorp-cluster"
   location            = var.region
   deletion_protection = false
   # We can't create a cluster with no node pool defined, but we want to only use
@@ -61,15 +70,15 @@ resource "google_container_cluster" "my_gke" {
 
 # Node pool for Cluster
 resource "google_container_node_pool" "gke_linux_node_pool" {
-  name           = "${google_container_cluster.my_gke.name}--linux-node-pool"
-  location       = google_container_cluster.my_gke.location
+  name           = "${google_container_cluster.pwncorp_cluster.name}--linux-node-pool"
+  location       = google_container_cluster.pwncorp_cluster.location
   node_locations = var.node_zones
-  cluster        = google_container_cluster.my_gke.name
+  cluster        = google_container_cluster.pwncorp_cluster.name
   node_count     = 1
 
   autoscaling {
-    max_node_count = 2
-    min_node_count = 1
+    max_node_count = 2 # change to 6
+    min_node_count = 1 # change to 3
   }
 
   management {
@@ -84,10 +93,10 @@ resource "google_container_node_pool" "gke_linux_node_pool" {
 
     labels = {
       role    = "general"
-      cluster = google_container_cluster.my_gke.name
+      cluster = google_container_cluster.pwncorp_cluster.name
     }
 
-    service_account = google_service_account.kubernetes.email
+    service_account = google_service_account.gke_sa.email
     oauth_scopes = [
       "https://www.googleapis.com/auth/devstorage.read_only",
       "https://www.googleapis.com/auth/logging.write",

root/variables.tf

@@ -7,7 +7,7 @@ variable "region" {
 variable "dev_folder_id" {
   default     = "135331753386"
   type        = string
-  description = "Dev folder ID in organization"
+  description = "Dev/Prod folder ID in organization. Default is dev folder ID"
 }
 
 variable "folder_name" {
@@ -66,7 +66,8 @@ variable "vm_name" {
 
 variable "machine_type" {
   type        = string
-  description = "VM name"
+  description = "The compute instance machine type. Default machine has 8 vCPU and 32GiB vRAM"
+  default     = "e2-standard-8"
 }
 
 variable "zone" {
@@ -89,7 +90,7 @@ variable "nat_ip_allocate_strategy" {
 }
 variable "account_id_kubernetes" {
   type        = string
-  description = "account id for workload identity"
+  description = "service account id for workload identity with access to GKE cluster node pools"
 }
 variable "initial_node_count" {
   type        = number