feat: add island-cluster example

Author: nvnmandadhi

examples/island_cluster_with_vm_router/README.md

@@ -0,0 +1,87 @@
+# GKE island cluster using VM as router
+
+This example provisions a cluster in an island VPC allowing reuse of the IP address space for multiple clusters in the same project. 
+
+1. An appliance(VM as router) with multiple NICs is used to establish connectivity between the island VPC and the existing network.
+2. Outbound connections will go through the router.
+3. For inbound connections, use Private Service Connect.
+
+## Deploy
+
+1. Use the following example to deploy a cluster using this module.
+2. Update `project_id` and `primary_subnet` values in `terraform.tfvars`, and update other variables as needed.
+3. Value for `random_suffix` variable needs to be provided for a successful terraform plan.
+
+    ```
+    module "gke-island-cluster" {
+        source = "./"
+
+        project_id                 = var.project_id
+        region                     = var.region
+        random_suffix              = "<random_suffix>>"
+        node_locations             = var.node_locations
+        subnet_cidr                = var.subnet_cidr
+        secondary_ranges           = var.secondary_ranges
+        master_authorized_networks = var.master_authorized_networks
+        router_machine_type        = var.router_machine_type
+        primary_subnet             = var.primary_subnet
+        primary_net_cidrs          = var.primary_net_cidrs
+        psc_subnet_cidr            = var.psc_subnet_cidr
+        proxy_subnet_cidr          = var.proxy_subnet_cidr
+    }
+    ```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.6 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_gke"></a> [gke](#module\_gke) | terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster | ~> 30.0 |
+| <a name="module_net"></a> [net](#module\_net) | terraform-google-modules/network/google | ~> 9.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google-beta_google_gke_hub_membership.primary](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_gke_hub_membership) | resource |
+| [google_compute_firewall.proxy_snet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.psc_snet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_instance.vm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
+| [google_project_iam_member.gke-dev](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.gke-access-sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account.gke-sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_master_authorized_networks"></a> [master\_authorized\_networks](#input\_master\_authorized\_networks) | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes |
+| <a name="input_node_locations"></a> [node\_locations](#input\_node\_locations) | n/a | `list(string)` | n/a | yes |
+| <a name="input_primary_net_cidrs"></a> [primary\_net\_cidrs](#input\_primary\_net\_cidrs) | n/a | `list(string)` | n/a | yes |
+| <a name="input_primary_subnet"></a> [primary\_subnet](#input\_primary\_subnet) | n/a | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
+| <a name="input_proxy_subnet_cidr"></a> [proxy\_subnet\_cidr](#input\_proxy\_subnet\_cidr) | n/a | `string` | n/a | yes |
+| <a name="input_psc_subnet_cidr"></a> [psc\_subnet\_cidr](#input\_psc\_subnet\_cidr) | n/a | `string` | n/a | yes |
+| <a name="input_random_suffix"></a> [random\_suffix](#input\_random\_suffix) | n/a | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | n/a | yes |
+| <a name="input_router_machine_type"></a> [router\_machine\_type](#input\_router\_machine\_type) | n/a | `string` | n/a | yes |
+| <a name="input_secondary_ranges"></a> [secondary\_ranges](#input\_secondary\_ranges) | n/a | `map(string)` | n/a | yes |
+| <a name="input_subnet_cidr"></a> [subnet\_cidr](#input\_subnet\_cidr) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | n/a |

examples/island_cluster_with_vm_router/main.tf

@@ -0,0 +1,219 @@
+resource "google_service_account" "gke-sa" {
+  account_id = "gke-sa-${var.random_suffix}"
+}
+
+resource "google_service_account" "gke-access-sa" {
+  account_id = "gke-access-sa-${var.random_suffix}"
+}
+
+resource "google_project_iam_member" "gke-dev" {
+  project = var.project_id
+  member  = "serviceAccount:${google_service_account.gke-access-sa.email}"
+  role    = "roles/container.developer"
+}
+
+module "net" {
+  source  = "terraform-google-modules/network/google"
+  version = "~> 9.0"
+
+  network_name                           = "gke-net-${var.random_suffix}"
+  routing_mode                           = "GLOBAL"
+  project_id                             = var.project_id
+  delete_default_internet_gateway_routes = true
+
+  subnets = [
+    {
+      subnet_name           = "${var.region}-snet-${var.random_suffix}"
+      subnet_ip             = var.subnet_cidr
+      subnet_region         = var.region
+      subnet_private_access = "true"
+    },
+    {
+      subnet_name   = "${var.region}-proxy-snet-${var.random_suffix}"
+      subnet_ip     = var.proxy_subnet_cidr
+      subnet_region = var.region
+      purpose       = "REGIONAL_MANAGED_PROXY"
+      role          = "ACTIVE"
+    },
+    {
+      subnet_name           = "${var.region}-psc-snet-${var.random_suffix}"
+      subnet_ip             = var.psc_subnet_cidr
+      subnet_region         = var.region
+      subnet_private_access = "true"
+      purpose               = "PRIVATE_SERVICE_CONNECT"
+    }
+  ]
+
+  secondary_ranges = {
+    "${var.region}-snet-${var.random_suffix}" = [
+      {
+        range_name    = "${var.region}-snet-pods-${var.random_suffix}"
+        ip_cidr_range = var.secondary_ranges["pods"]
+      },
+      {
+        range_name    = "${var.region}-snet-services-${var.random_suffix}"
+        ip_cidr_range = var.secondary_ranges["services"]
+      },
+    ]
+  }
+
+  routes = flatten([
+    [for k, v in var.primary_net_cidrs :
+      {
+        name              = "egress-gke-${k}-${var.random_suffix}"
+        description       = "egress through the router for range ${v}"
+        destination_range = v
+        tags              = "gke-${var.random_suffix}"
+        next_hop_instance = google_compute_instance.vm.self_link
+        priority          = 100
+      }
+    ],
+    [
+      {
+        name              = "default-igw-${var.random_suffix}"
+        description       = "internet through the router"
+        destination_range = "0.0.0.0/0"
+        tags              = "gke-${var.random_suffix}"
+        next_hop_instance = google_compute_instance.vm.self_link
+        priority          = 100
+      }
+    ]
+  ])
+
+  firewall_rules = [
+    {
+      name      = "iap-fw-${var.random_suffix}"
+      direction = "INGRESS"
+      allow = [
+        {
+          protocol = "TCP"
+          ports    = ["22"]
+        }
+      ]
+      ranges = ["35.235.240.0/20"]
+    },
+    {
+      name      = "tcp-primary-fw-${var.random_suffix}"
+      direction = "INGRESS"
+      allow = [
+        {
+          protocol = "TCP"
+        }
+      ]
+      ranges = [
+        var.subnet_cidr,
+        var.secondary_ranges["pods"]
+      ]
+    },
+  ]
+}
+
+module "gke" {
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
+  version = "~> 30.0"
+
+  depends_on = [google_compute_instance.vm]
+
+  name                                 = "gke-test-${var.random_suffix}"
+  project_id                           = var.project_id
+  region                               = var.region
+  release_channel                      = "RAPID"
+  zones                                = var.node_locations
+  network                              = module.net.network_name
+  subnetwork                           = "${var.region}-snet-${var.random_suffix}"
+  ip_range_pods                        = "${var.region}-snet-pods-${var.random_suffix}"
+  ip_range_services                    = "${var.region}-snet-services-${var.random_suffix}"
+  http_load_balancing                  = true
+  horizontal_pod_autoscaling           = true
+  enable_private_endpoint              = true
+  enable_private_nodes                 = true
+  datapath_provider                    = "ADVANCED_DATAPATH"
+  monitoring_enable_managed_prometheus = false
+  enable_shielded_nodes                = true
+  master_global_access_enabled         = false
+  master_ipv4_cidr_block               = var.secondary_ranges["master_cidr"]
+  master_authorized_networks           = var.master_authorized_networks
+  deletion_protection                  = false
+  remove_default_node_pool             = true
+  disable_default_snat                 = true
+  gateway_api_channel                  = "CHANNEL_STANDARD"
+
+  node_pools = [
+    {
+      name                      = "default-${var.random_suffix}"
+      machine_type              = "e2-highcpu-2"
+      min_count                 = 1
+      max_count                 = 100
+      local_ssd_count           = 0
+      spot                      = true
+      local_ssd_ephemeral_count = 0
+      disk_size_gb              = 100
+      disk_type                 = "pd-standard"
+      image_type                = "COS_CONTAINERD"
+      logging_variant           = "DEFAULT"
+      auto_repair               = true
+      auto_upgrade              = true
+      service_account           = google_service_account.gke-sa.email
+      initial_node_count        = 1
+      enable_secure_boot        = true
+    },
+  ]
+
+  node_pools_tags = {
+    all = ["gke-${var.random_suffix}"]
+  }
+
+  node_pools_oauth_scopes = {
+    all = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+  }
+
+  timeouts = {
+    create = "10m"
+    update = "10m"
+    delete = "10m"
+  }
+}
+
+resource "google_gke_hub_membership" "primary" {
+  provider = google-beta
+
+  project       = var.project_id
+  membership_id = "${var.project_id}-${module.gke.name}"
+  location      = var.region
+
+  endpoint {
+    gke_cluster {
+      resource_link = "//container.googleapis.com/${module.gke.cluster_id}"
+    }
+  }
+  authority {
+    issuer = "https://container.googleapis.com/v1/${module.gke.cluster_id}"
+  }
+}
+
+resource "google_compute_firewall" "psc_snet" {
+  name      = "allow-psc-${var.random_suffix}"
+  direction = "INGRESS"
+  allow {
+    protocol = "tcp"
+  }
+  source_ranges           = [var.psc_subnet_cidr]
+  target_service_accounts = [google_service_account.gke-sa.email]
+  network                 = module.net.network_id
+  project                 = var.project_id
+}
+
+resource "google_compute_firewall" "proxy_snet" {
+  name      = "allow-proxy-${var.random_suffix}"
+  direction = "INGRESS"
+  allow {
+    protocol = "tcp"
+  }
+  source_ranges           = [var.proxy_subnet_cidr]
+  target_service_accounts = [google_service_account.gke-sa.email]
+  network                 = module.net.network_id
+  project                 = var.project_id
+}

examples/island_cluster_with_vm_router/outputs.tf

@@ -0,0 +1,3 @@
+output "cluster_id" {
+  value = module.gke.cluster_id
+}

examples/island_cluster_with_vm_router/providers.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_version = "~> 1.6"
+
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+}
+
+provider "google-beta" {
+  project = var.project_id
+}

examples/island_cluster_with_vm_router/router.tf

@@ -0,0 +1,35 @@
+resource "google_compute_instance" "vm" {
+  project                   = var.project_id
+  zone                      = var.node_locations[0]
+  name                      = "router-${var.random_suffix}"
+  machine_type              = var.router_machine_type
+  allow_stopping_for_update = true
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-12"
+    }
+  }
+  can_ip_forward = true
+  shielded_instance_config {
+    enable_secure_boot = true
+  }
+  network_interface {
+    subnetwork = var.primary_subnet
+  }
+  network_interface {
+    subnetwork = module.net.subnets["${var.region}/${var.region}-snet-${var.random_suffix}"]["self_link"]
+  }
+  metadata_startup_script = <<-EOT
+    #!/bin/bash
+    set -ex
+    sudo apt-get update
+    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
+    sudo sysctl -p
+    sudo iptables -A FORWARD -i ens5 -o ens4 -j ACCEPT
+    sudo iptables -A FORWARD -i ens4 -o ens5 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    GWY_URL="http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway"
+    GWY_IP=$(curl $${GWY_URL} -H "Metadata-Flavor: Google")
+    sudo ip route add ${var.secondary_ranges["pods"]} via $${GWY_IP} dev ens5
+    sudo iptables -t nat -A POSTROUTING -o ens4 -s 0.0.0.0/0 -j MASQUERADE
+  EOT
+}