├── terragrunt.hcl
├── gcp
├── values
│ └── sealed-secrets_values.yaml
├── README.md
├── helm.tf
├── sealed-secrets.tf
├── vpc.tf
├── variables.tf
├── outputs.tf
└── gke.tf
├── helm_releases
├── values
│ ├── argo-cd_values.yaml
│ ├── external-dns_values.yaml
│ ├── ingress-nginx_values.yaml
│ └── cert-manager_values.yaml
├── README.md
├── argo-cd.tf
├── helm.tf
├── ingress-nginx.tf
├── variables.tf
├── cert-manager.tf
└── external-dns.tf
├── kubernetes_manifests
├── README.md
├── kubernetes.tf
├── variables.tf
├── clusterissuer-prod.tf
└── clusterissuer-staging.tf
├── terraform.tfvars.example
├── versions.tf
├── .github
└── workflows
│ └── shellcheck.yml
├── variables.tf
├── module.tf
├── .gitignore
├── get-cloudflare-secret.sh
├── deploy.sh
├── README.md
└── LICENSE
/terragrunt.hcl:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/gcp/values/sealed-secrets_values.yaml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/helm_releases/values/argo-cd_values.yaml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/helm_releases/values/external-dns_values.yaml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/helm_releases/values/ingress-nginx_values.yaml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/helm_releases/README.md:
--------------------------------------------------------------------------------
1 | # Provision Helm Charts
2 |
3 | This module contains Terraform configuration files to provision Helm Charts on a GKE cluster.
4 |
--------------------------------------------------------------------------------
/kubernetes_manifests/README.md:
--------------------------------------------------------------------------------
1 | # Provision Kubernetes Manifests
2 |
3 | This module contains Terraform configuration files to provision Kubernetes manifests on a GKE cluster.
4 |
--------------------------------------------------------------------------------
/gcp/README.md:
--------------------------------------------------------------------------------
1 | # Provision a GKE Cluster with VPC and subnet
2 |
3 | This module contains Terraform configuration files to provision a GKE cluster on GCP. It also creates a VPC and subnet for the GKE cluster.
4 |
--------------------------------------------------------------------------------
/terraform.tfvars.example:
--------------------------------------------------------------------------------
# Example inputs for the root module. Copy to terraform.tfvars (git-ignored)
# and fill in project_id before running deploy.sh.
project_id = ""
# Region/zone used by the google provider in every module.
region = "me-west1"
zone = "me-west1-a"
# Cluster location; the variable accepts a region or a zone (deploy.sh tries
# --zone first, then --region, when fetching credentials).
gke_location = "me-west1-a"
# Size of the separately managed node pool (google_container_node_pool.node_count).
gke_num_nodes = "3"
# Compute Engine machine type for the node pool.
machine_type = "e2-medium"
7 |
--------------------------------------------------------------------------------
/helm_releases/values/cert-manager_values.yaml:
--------------------------------------------------------------------------------
# Helm values for the cert-manager release (helm_releases/cert-manager.tf).
# The DNS-01 flags make cert-manager's pre-issuance self-check use public
# recursive resolvers (1.1.1.1 / 1.0.0.1) rather than in-cluster DNS.
extraArgs:
  - --dns01-recursive-nameservers-only
  - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
# NOTE(review): podDnsPolicy None plus explicit nameservers means the cert-manager
# pods do not use cluster DNS at all; presumably intended, since the controller
# only needs the ACME server and public DNS — confirm nothing else is resolved.
podDnsPolicy: None
podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "1.0.0.1"
9 |
--------------------------------------------------------------------------------
/helm_releases/argo-cd.tf:
--------------------------------------------------------------------------------
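# Argo CD (GitOps) from the official argo-helm chart.
resource "helm_release" "argo-cd" {
  name       = "argocd"
  repository = "https://argoproj.github.io/argo-helm"
  chart      = "argo-cd"
  # Pin the chart version so every apply installs a known, reviewed release
  # instead of whatever the repository index currently marks as latest.
  # Bump deliberately when upgrading.
  version = "8.0.6"

  namespace        = "argocd"
  create_namespace = true

  # Chart overrides are read from the module's values directory.
  values = [
    file("${path.module}/values/argo-cd_values.yaml")
  ]
}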
14 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
# Provider and CLI version constraints for the root module (the child modules
# on this page declare none of their own).
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.35"
    }

    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.36"
    }

    # helm 2.x: the helm_release resources rely on the 2.x `set {}` block syntax.
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.17"
    }

  }

  # Any 1.x terraform release (deploy.sh prefers tofu when present).
  required_version = "~> 1"
}
22 |
--------------------------------------------------------------------------------
/gcp/helm.tf:
--------------------------------------------------------------------------------
# Helm provider
# Used by gcp/sealed-secrets.tf to install the sealed-secrets controller as
# soon as the cluster exists. Authentication is the OAuth access token of the
# credentials Terraform runs with — no client certificate is used.

data "google_client_config" "provider" {}

provider "helm" {
  kubernetes {
    host = "https://${google_container_cluster.primary.endpoint}"
    # TLS verification stays on; the cluster's own CA is what is trusted.
    insecure = false

    # NOTE(review): the access token is short-lived; an apply that outlives it
    # would fail to authenticate part-way — verify this does not bite in practice.
    token                  = data.google_client_config.provider.access_token
    cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
  }
}
14 |
--------------------------------------------------------------------------------
/gcp/sealed-secrets.tf:
--------------------------------------------------------------------------------
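# Sealed Secrets controller. Installed by the gcp module (not helm_releases)
# because get-cloudflare-secret.sh needs it running before any other chart is
# applied; the release name and namespace must match the --controller-name /
# --controller-namespace that script passes to kubeseal.
resource "helm_release" "sealed-secrets" {
  name       = "sealed-secrets-controller"
  repository = "https://bitnami-labs.github.io/sealed-secrets/"
  chart      = "sealed-secrets"
  # Pinned: this component holds the private key that decrypts every sealed
  # secret, so upgrades should be explicit and reviewed, not implicit.
  version = "2.17.2"

  namespace        = "kube-system"
  create_namespace = true

  values = [
    file("${path.module}/values/sealed-secrets_values.yaml")
  ]
}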
14 |
--------------------------------------------------------------------------------
/helm_releases/helm.tf:
--------------------------------------------------------------------------------
# Helm provider
# This module runs its own google provider (same project/region/zone as the
# root) and reaches the cluster created by the gcp module through the host and
# CA passed in as variables, authenticating with the caller's OAuth access token.

provider "google" {
  project = var.project_id
  region  = var.region
  zone    = var.zone
}

# Supplies the access token of the credentials Terraform is running with.
data "google_client_config" "provider" {}

provider "helm" {
  kubernetes {
    host = "https://${var.kubernetes_cluster_host}"
    # TLS verification stays on; the CA below is the trust anchor.
    insecure = false

    token = data.google_client_config.provider.access_token
    # The variable carries the base64 form straight from the GKE API
    # (gcp/outputs.tf), hence the decode here.
    cluster_ca_certificate = base64decode(var.kubernetes_cluster_ca_certificate)
  }
}
20 |
--------------------------------------------------------------------------------
/kubernetes_manifests/kubernetes.tf:
--------------------------------------------------------------------------------
# Kubernetes provider
# Same wiring as helm_releases/helm.tf: own google provider, cluster endpoint
# and CA from variables, caller's OAuth access token for authentication.

provider "google" {
  project = var.project_id
  region  = var.region
  zone    = var.zone
}

# Supplies the access token of the credentials Terraform is running with.
data "google_client_config" "provider" {}

provider "kubernetes" {
  host = "https://${var.kubernetes_cluster_host}"
  # TLS verification stays on; the CA below is the trust anchor.
  insecure = false

  token = data.google_client_config.provider.access_token
  # Base64 form as exported by gcp/outputs.tf, hence the decode.
  cluster_ca_certificate = base64decode(var.kubernetes_cluster_ca_certificate)
}
18 |
--------------------------------------------------------------------------------
/.github/workflows/shellcheck.yml:
--------------------------------------------------------------------------------
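# Lint the repository's POSIX shell scripts (deploy.sh, get-cloudflare-secret.sh)
# on pushes and pull requests to main, or on demand.
name: ShellCheck
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  workflow_dispatch:
    inputs:
      git-ref:
        description: Git Ref (Optional)
        required: false

# Read-only token: the job only needs to read the checkout.
permissions:
  contents: read

jobs:
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by mutable tag. Pinning to a
      # full commit SHA (tag in a trailing comment) protects against a retagged
      # or compromised release; the SHAs are not on this page, so left as-is.
      - uses: actions/checkout@v3
        with:
          # Honour the optional git-ref input on manual runs. It is empty on
          # push/PR events, in which case checkout falls back to the event's ref.
          ref: ${{ github.event.inputs.git-ref }}
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@2.0.0
        with:
          format: gcc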
26 |
--------------------------------------------------------------------------------
/gcp/vpc.tf:
--------------------------------------------------------------------------------
# google provider for this module; credentials come from the environment (gcloud / ADC).
provider "google" {
  project = var.project_id
  region  = var.region
  zone    = var.zone
}

# VPC
# Custom-mode network: no automatic per-region subnets, only the one declared below.
resource "google_compute_network" "vpc" {
  name                    = "${var.project_id}-vpc"
  auto_create_subnetworks = "false"
}

# Subnet
# NOTE(review): no log_config block, so VPC flow logs are off for this subnet,
# and no secondary ranges are declared, so pod/service ranges are left to GKE's
# defaults — confirm that is intended.
resource "google_compute_subnetwork" "subnet" {
  name          = "${var.project_id}-subnet"
  region        = var.region
  network       = google_compute_network.vpc.name
  ip_cidr_range = "10.10.0.0/24"
  # Lets nodes without external IPs reach Google APIs over the VPC.
  private_ip_google_access = "true"
}
21 |
--------------------------------------------------------------------------------
/helm_releases/ingress-nginx.tf:
--------------------------------------------------------------------------------
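# NGINX ingress controller, made the cluster's default IngressClass so Ingress
# resources without an explicit class are served by it.
resource "helm_release" "ingress-nginx" {
  name       = "ingress-nginx"
  repository = "https://kubernetes.github.io/ingress-nginx"
  chart      = "ingress-nginx"
  # Pinned so upgrades are an explicit, reviewed change rather than whatever
  # the chart index serves at apply time.
  version = "4.12.2"

  namespace        = "ingress-nginx"
  create_namespace = true

  values = [
    file("${path.module}/values/ingress-nginx_values.yaml")
  ]

  set {
    name  = "controller.ingressClassResource.default"
    value = "true"
  }

  # Exposes the controller's metrics endpoint. NOTE(review): nothing on this
  # page scrapes it; harmless but unused until a monitoring stack is added.
  set {
    name  = "controller.metrics.enabled"
    value = "true"
  }
}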
24 |
--------------------------------------------------------------------------------
/helm_releases/variables.tf:
--------------------------------------------------------------------------------
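# Inputs for the helm_releases module. All values are passed from the root
# module (module.tf); the cluster host and CA come from the gcp module's
# outputs. Explicit types make a wrong value fail at plan time.

# NOTE(review): gke_username / gke_password are accepted so the root module can
# pass them uniformly, but no file in this module reads them (helm.tf
# authenticates with the caller's access token). Kept for interface compatibility.
variable "gke_username" {
  type        = string
  default     = ""
  description = "GKE username"
}

variable "gke_password" {
  type        = string
  default     = ""
  description = "GKE password"
  sensitive   = true
}

variable "project_id" {
  type        = string
  description = "project id"
}

variable "region" {
  type        = string
  description = "region"
}

variable "zone" {
  type        = string
  description = "zone"
}

# Sensitive so the control-plane endpoint is redacted from plan/apply output.
variable "kubernetes_cluster_host" {
  type        = string
  description = "Kubernetes cluster: host"
  sensitive   = true
}

# Base64-encoded as exported by gcp/outputs.tf; helm.tf base64decode()s it.
variable "kubernetes_cluster_ca_certificate" {
  type        = string
  description = "Kubernetes cluster: CA certificate"
  sensitive   = true
}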
33 |
--------------------------------------------------------------------------------
/kubernetes_manifests/variables.tf:
--------------------------------------------------------------------------------
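# Inputs for the kubernetes_manifests module; identical to helm_releases/variables.tf
# because both modules are wired the same way from module.tf. Explicit types
# make a wrong value fail at plan time.

# NOTE(review): gke_username / gke_password are not read by any file in this
# module (kubernetes.tf authenticates with the caller's access token). Kept so
# the root module can pass the same set of inputs to every module.
variable "gke_username" {
  type        = string
  default     = ""
  description = "GKE username"
}

variable "gke_password" {
  type        = string
  default     = ""
  description = "GKE password"
  sensitive   = true
}

variable "project_id" {
  type        = string
  description = "project id"
}

variable "region" {
  type        = string
  description = "region"
}

variable "zone" {
  type        = string
  description = "zone"
}

# Sensitive so the control-plane endpoint is redacted from plan/apply output.
variable "kubernetes_cluster_host" {
  type        = string
  description = "Kubernetes cluster: host"
  sensitive   = true
}

# Base64-encoded as exported by gcp/outputs.tf; kubernetes.tf base64decode()s it.
variable "kubernetes_cluster_ca_certificate" {
  type        = string
  description = "Kubernetes cluster: CA certificate"
  sensitive   = true
}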
33 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
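# Root-module inputs; values come from terraform.tfvars (see
# terraform.tfvars.example) and are forwarded to the child modules by module.tf.
# Explicit types make a wrong value fail at plan time instead of inside a module.

# gcp variables
# NOTE(review): gke_username / gke_password are forwarded to all three modules
# but no file on this page reads them — presumably leftovers from the upstream
# example. Kept for interface compatibility.
variable "gke_username" {
  type        = string
  default     = ""
  description = "GKE username"
}

variable "gke_password" {
  type        = string
  default     = ""
  description = "GKE password"
  sensitive   = true
}

variable "project_id" {
  type        = string
  description = "project id"
}

variable "region" {
  type        = string
  description = "region"
}

variable "zone" {
  type        = string
  description = "zone"
}

variable "gke_location" {
  type        = string
  description = "The location (region or zone) of the cluster"
}

variable "gke_num_nodes" {
  # terraform.tfvars.example supplies "3"; Terraform converts such strings to number.
  type        = number
  description = "number of GKE nodes"
}

variable "machine_type" {
  type        = string
  description = "Google Compute Engine machine type"
  default     = "e2-medium"
}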
37 |
--------------------------------------------------------------------------------
/helm_releases/cert-manager.tf:
--------------------------------------------------------------------------------
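# cert-manager, with the Let's Encrypt ClusterIssuers from kubernetes_manifests/
# as the default issuer for Ingress resources.
resource "helm_release" "cert-manager" {
  name       = "cert-manager"
  repository = "https://charts.jetstack.io"
  chart      = "cert-manager"
  # Pinned so upgrades (which also touch the CRDs) are taken deliberately.
  version = "1.17.2"

  # Installed into "default" on purpose: the ClusterIssuers' apiTokenSecretRef is
  # resolved in cert-manager's cluster-resource namespace (by default the one it
  # runs in), and get-cloudflare-secret.sh writes cloudflare-api-token-secret
  # into "default". Moving this release means moving the secret too.
  namespace        = "default"
  create_namespace = true

  values = [
    file("${path.module}/values/cert-manager_values.yaml")
  ]

  # Let the chart manage its CRDs; the kubernetes_manifest ClusterIssuers need them.
  set {
    name  = "installCRDs"
    value = "true"
  }

  # Default issuer applied by ingress-shim to Ingresses that do not name one.
  set {
    name  = "ingressShim.defaultIssuerName"
    value = "letsencrypt-prod"
  }

  set {
    name  = "ingressShim.defaultIssuerKind"
    value = "ClusterIssuer"
  }

  set {
    name  = "ingressShim.defaultIssuerGroup"
    value = "cert-manager.io"
  }
}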
34 |
--------------------------------------------------------------------------------
/kubernetes_manifests/clusterissuer-prod.tf:
--------------------------------------------------------------------------------
# Production Let's Encrypt ClusterIssuer (trusted certificates, rate-limited).
# DNS-01 challenges go through Cloudflare using the token that
# get-cloudflare-secret.sh seals as cloudflare-api-token-secret / api-token;
# cert-manager resolves the reference in its own namespace ("default" here).
# The CRD must already exist at plan time, hence deploy.sh's targeted applies.
resource "kubernetes_manifest" "clusterissuer-prod" {
  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "ClusterIssuer"
    metadata = {
      name = "letsencrypt-prod"
    }
    spec = {
      acme = {
        server = "https://acme-v02.api.letsencrypt.org/directory"
        # Secret that will hold the ACME account key.
        privateKeySecretRef = {
          name = "letsencrypt-prod"
        }
        solvers = [
          {
            dns01 = {
              cloudflare = {
                apiTokenSecretRef = {
                  name = "cloudflare-api-token-secret"
                  key  = "api-token"
                }
              }
            }
          }
        ]
      }
    }
  }
}
30 |
--------------------------------------------------------------------------------
/helm_releases/external-dns.tf:
--------------------------------------------------------------------------------
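# ExternalDNS publishes Ingress hostnames to Cloudflare DNS.
resource "helm_release" "external-dns" {
  name       = "external-dns"
  repository = "https://kubernetes-sigs.github.io/external-dns/"
  chart      = "external-dns"
  # Pinned so upgrades are an explicit, reviewed change.
  version = "1.16.1"

  # "default" so the CF_API_TOKEN secretKeyRef below finds the
  # cloudflare-api-token-secret that get-cloudflare-secret.sh creates there.
  namespace        = "default"
  create_namespace = true

  # NOTE(review): the values file is empty on this page, so no domainFilters are
  # set and ExternalDNS may manage every zone the API token can reach — scope the
  # token to the intended zone(s) when creating it.
  values = [
    file("${path.module}/values/external-dns_values.yaml")
  ]

  set {
    name  = "provider.name"
    value = "cloudflare"
  }

  # Token is injected from the sealed secret, never from a chart value.
  set {
    name  = "env[0].name"
    value = "CF_API_TOKEN"
  }

  set {
    name  = "env[0].valueFrom.secretKeyRef.name"
    value = "cloudflare-api-token-secret"
  }

  set {
    name  = "env[0].valueFrom.secretKeyRef.key"
    value = "api-token"
  }
}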
34 |
--------------------------------------------------------------------------------
/kubernetes_manifests/clusterissuer-staging.tf:
--------------------------------------------------------------------------------
# Staging Let's Encrypt ClusterIssuer: generous rate limits, but the issued
# certificates are not browser-trusted (see README on Cloudflare "Full" mode).
# Same Cloudflare DNS-01 solver and secret reference as the prod issuer.
resource "kubernetes_manifest" "clusterissuer-staging" {
  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "ClusterIssuer"
    metadata = {
      name = "letsencrypt-staging"
    }
    spec = {
      acme = {
        server = "https://acme-staging-v02.api.letsencrypt.org/directory"
        # Secret that will hold the ACME account key.
        privateKeySecretRef = {
          name = "letsencrypt-staging"
        }
        solvers = [
          {
            dns01 = {
              cloudflare = {
                apiTokenSecretRef = {
                  name = "cloudflare-api-token-secret"
                  key  = "api-token"
                }
              }
            }
          }
        ]
      }
    }
  }
}
30 |
--------------------------------------------------------------------------------
/gcp/variables.tf:
--------------------------------------------------------------------------------
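# Inputs for the gcp module, passed from the root module.tf. Explicit types
# make a wrong value fail at plan time instead of at the API.

# NOTE(review): gke_username / gke_password are not read by any file in this
# module (helm.tf authenticates with the caller's access token). Kept so the
# root module can pass the same inputs to every module.
variable "gke_username" {
  type        = string
  default     = ""
  description = "GKE username"
}

variable "gke_password" {
  type        = string
  default     = ""
  description = "GKE password"
  sensitive   = true
}

variable "project_id" {
  type        = string
  description = "project id"
}

variable "region" {
  type        = string
  description = "region"
}

variable "zone" {
  type        = string
  description = "zone"
}

variable "gke_location" {
  type        = string
  description = "The location (region or zone) of the cluster"
}

variable "gke_num_nodes" {
  # The root passes the tfvars value through; a string such as "3" converts to number.
  type        = number
  description = "number of GKE nodes"
}

variable "machine_type" {
  type        = string
  description = "Google Compute Engine machine type"
}

# Not set by module.tf, so the default applies: the learning cluster can be
# torn down with `terraform destroy` without a state edit.
variable "gke_deletion_protection" {
  type        = bool
  description = "Whether Terraform will be prevented from destroying the cluster. Deleting this cluster via terraform destroy or terraform apply will only succeed if this field is false in the Terraform state."
  default     = false
}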
40 |
--------------------------------------------------------------------------------
/module.tf:
--------------------------------------------------------------------------------
# Cluster, VPC/subnet and the sealed-secrets controller. Applied first by
# deploy.sh (`apply -target=module.gcp`) because the two modules below
# configure their providers from its outputs. gke_deletion_protection is not
# passed, so the module's default (false) applies.
module "gcp" {
  source = "./gcp"

  # NOTE(review): gke_username / gke_password are forwarded to every module but
  # no file on this page reads them — presumably leftovers from the upstream example.
  gke_username = var.gke_username
  gke_password = var.gke_password
  project_id   = var.project_id
  region       = var.region
  zone         = var.zone

  gke_location  = var.gke_location
  gke_num_nodes = var.gke_num_nodes
  machine_type  = var.machine_type
}
14 |
# Ingress controller, cert-manager, ExternalDNS and Argo CD. deploy.sh applies
# this with -target after the Cloudflare secret has been sealed into the
# cluster, and before kubernetes_manifests, whose ClusterIssuers need the
# cert-manager CRDs installed here.
module "helm_releases" {
  source = "./helm_releases"

  gke_username = var.gke_username
  gke_password = var.gke_password
  project_id   = var.project_id
  region       = var.region
  zone         = var.zone

  # Endpoint and CA for the module's helm provider; both are declared
  # sensitive on the receiving side.
  kubernetes_cluster_host           = module.gcp.kubernetes_cluster_host
  kubernetes_cluster_ca_certificate = module.gcp.kubernetes_cluster_ca_certificate
}
27 |
# Let's Encrypt ClusterIssuers (prod and staging). Applied last by deploy.sh's
# untargeted `apply`, once cert-manager from helm_releases has installed the
# ClusterIssuer CRD that kubernetes_manifest needs at plan time.
module "kubernetes_manifests" {
  source = "./kubernetes_manifests"

  gke_username = var.gke_username
  gke_password = var.gke_password
  project_id   = var.project_id
  region       = var.region
  zone         = var.zone

  # Endpoint and CA for the module's kubernetes provider; both are declared
  # sensitive on the receiving side.
  kubernetes_cluster_host           = module.gcp.kubernetes_cluster_host
  kubernetes_cluster_ca_certificate = module.gcp.kubernetes_cluster_ca_certificate
}
40 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Local .terraform directories
2 | **/.terraform/*
3 |
4 | **/_out/*
5 |
6 | # .tfstate files
7 | *.tfstate
8 | *.tfstate.*
9 |
10 | # Crash log files
11 | crash.log
12 |
13 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
14 | # .tfvars files are managed as part of configuration and so should be included in
15 | # version control.
16 | #
17 | # example.tfvars
18 |
19 | # Ignore override files as they are usually used to override resources locally and so
20 | # are not checked in
21 | override.tf
22 | override.tf.json
23 | *_override.tf
24 | *_override.tf.json
25 |
26 | # Include override files you do wish to add to version control using negated pattern
27 | #
28 | # !example_override.tf
29 |
30 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
31 | # example: *tfplan*
32 |
33 | # Ignore lock files
34 | .terraform.lock.hcl
35 | .terraform.tfstate.lock.info
36 |
37 | # Ignore tfvars
38 | terraform.tfvars
39 |
40 | # Ignore terragrunt cache directories
41 | **/.terragrunt-cache/*
42 |
43 | # Ignore terragrunt stack directories
44 | **/.terragrunt-stack/*
45 |
46 |
--------------------------------------------------------------------------------
/gcp/outputs.tf:
--------------------------------------------------------------------------------
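# Outputs of the gcp module, consumed by the root module.tf to point the
# helm_releases and kubernetes_manifests providers at the new cluster.

output "region" {
  value       = var.region
  description = "GCloud Region"
}

output "zone" {
  value       = var.zone
  description = "GCloud Zone"
}

output "project_id" {
  value       = var.project_id
  description = "GCloud Project ID"
}

output "kubernetes_cluster_location" {
  value       = var.gke_location
  description = "GKE Cluster location"
}

output "kubernetes_cluster_name" {
  value       = google_container_cluster.primary.name
  description = "GKE Cluster Name"
}

# Sensitive to match the variables that receive it in the sibling modules
# (kubernetes_cluster_host is declared sensitive there), so the control-plane
# endpoint is not printed in plan/apply output.
output "kubernetes_cluster_host" {
  value       = google_container_cluster.primary.endpoint
  description = "GKE Cluster Host"
  sensitive   = true
}

# Base64-encoded; consumers base64decode() it. Sensitive for the same
# consistency reason as the host above.
output "kubernetes_cluster_ca_certificate" {
  value       = google_container_cluster.primary.master_auth[0].cluster_ca_certificate
  description = "GKE Cluster CA certificate"
  sensitive   = true
}

# Convenience command for configuring kubectl. NOTE(review): the embedded
# `terraform output` calls refer to this module's outputs, which are only
# visible as root outputs if the root re-exports them (the tree shows no root
# outputs.tf) — confirm before relying on it; deploy.sh fetches credentials itself.
output "kubectl" {
  value = "gcloud container clusters get-credentials $(terraform output -raw kubernetes_cluster_name) --location $(terraform output -raw kubernetes_cluster_location)"
}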
39 |
--------------------------------------------------------------------------------
/gcp/gke.tf:
--------------------------------------------------------------------------------
# GKE cluster
# NOTE(review): no private_cluster_config, master_authorized_networks_config or
# workload_identity_config is set, so the control-plane endpoint is reachable
# from any IP and pods can obtain the node service account's credentials from
# the metadata server. Fine for the learning setup the README describes;
# harden before any other use.
resource "google_container_cluster" "primary" {
  name     = "${var.project_id}-gke"
  location = var.gke_location
  # Defaults to false (gcp/variables.tf) so a throwaway cluster can be destroyed.
  deletion_protection = var.gke_deletion_protection

  # We can't create a cluster with no node pool defined, but we want to only use
  # separately managed node pools. So we create the smallest possible default
  # node pool and immediately delete it.
  remove_default_node_pool = true
  initial_node_count       = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  master_auth {
    client_certificate_config {
      # NOTE(review): issues a legacy client certificate that nothing on this
      # page uses — the helm/kubernetes providers authenticate with an access
      # token plus cluster_ca_certificate. Leaving it disabled is the usual
      # hardening; changing it likely forces cluster recreation, so treat as a TODO.
      issue_client_certificate = true
    }
  }
}
22 |
# Separately Managed Node Pool
# Sized by var.gke_num_nodes; shares the cluster's name and location.
resource "google_container_node_pool" "primary_nodes" {
  name       = google_container_cluster.primary.name
  location   = var.gke_location
  cluster    = google_container_cluster.primary.name
  node_count = var.gke_num_nodes

  node_config {
    # NOTE(review): no service_account is set, so nodes run as the project's
    # default Compute Engine service account, and the cloud-platform scope below
    # exposes that account's full IAM permissions to any pod that can reach the
    # metadata server. A dedicated least-privilege SA plus Workload Identity is
    # the usual fix.
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/cloud-platform",
    ]

    # The "env" label carries the project id (presumably inherited from the
    # upstream example the README mentions).
    labels = {
      env = var.project_id
    }

    machine_type = var.machine_type
    tags         = ["gke-node", "${var.project_id}-gke"]
    # Turns off the legacy metadata-server endpoints on the nodes.
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}
48 |
--------------------------------------------------------------------------------
/get-cloudflare-secret.sh:
--------------------------------------------------------------------------------
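#! /bin/sh
# Prompt for a Cloudflare API token, verify it against Cloudflare's token-verify
# endpoint, and store it in the cluster as a Sealed Secret named
# cloudflare-api-token-secret (key "api-token") in the "default" namespace —
# the name, key and namespace the cert-manager ClusterIssuers and the
# ExternalDNS release reference.
#
# Requires curl, kubectl (context set to the target cluster), kubeseal, and a
# running sealed-secrets controller called sealed-secrets-controller in
# kube-system (installed by gcp/sealed-secrets.tf).

# Stop on the first failing command and on unset variables; previously a failed
# seal or create still fell through to `exit 0`.
set -eu

valid_string="This API Token is valid and active"
valid_token=false

SECRET_NAME="cloudflare-api-token-secret"
NAMESPACE_FOR_SECRET="default"
NAMESPACE_FOR_SEALED_SECRETS_CONTROLLER="kube-system"
SEALED_FILE="${SECRET_NAME}.yaml"

# Always restore terminal echo (the prompt below turns it off) and remove the
# temporary sealed-secret file, even when the user interrupts or a step fails.
cleanup() {
  stty echo 2>/dev/null || true
  rm -f "${SEALED_FILE}"
}
trap cleanup EXIT
trap 'cleanup; exit 130' INT TERM

while [ "${valid_token}" = false ]
do
  # Ask user to enter Cloudflare API token without echoing it.
  # stty is best-effort so a non-tty stdin (e.g. piped input) still works.
  stty -echo 2>/dev/null || true
  printf "Enter Cloudflare API token: "
  read -r CLOUDFLARE_API_TOKEN
  stty echo 2>/dev/null || true
  printf "\n"

  if [ -z "${CLOUDFLARE_API_TOKEN}" ]; then
    echo "Cloudflare API token cannot be empty."
    continue
  fi

  # Verify the token server-side. -sS drops the progress meter (which used to
  # leak into the terminal) but still reports transport errors.
  # NOTE(review): the token travels in a command-line argument here and in the
  # kubectl --from-literal call below, so it is briefly visible to other local
  # users through the process list.
  if curl -sS -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
    -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
    -H "Content-Type:application/json" |
    grep -q "${valid_string}"; then
    valid_token=true
    echo "Valid Cloudflare API token"
  else
    echo "Invalid Cloudflare API token.
For getting your token, see instructions here:
https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-tokens"
  fi
done

# Remove a previous sealed secret by the same name; absence is not an error.
kubectl delete --namespace "${NAMESPACE_FOR_SECRET}" sealedsecrets.bitnami.com "${SECRET_NAME}" >/dev/null 2>&1 || true

# Build the plain Secret locally (--dry-run=client never sends it to the API
# server) and encrypt it with the controller's key via kubeseal, so only the
# sealed form touches disk and the cluster.
kubectl --namespace "${NAMESPACE_FOR_SECRET}" \
  create secret \
  generic "${SECRET_NAME}" \
  --dry-run=client \
  --from-literal api-token="${CLOUDFLARE_API_TOKEN}" \
  --output json |
  kubeseal \
    --controller-name=sealed-secrets-controller \
    --controller-namespace="${NAMESPACE_FOR_SEALED_SECRETS_CONTROLLER}" |
  tee "${SEALED_FILE}"

# POSIX sh has no pipefail: a failure earlier in the pipeline leaves an empty
# file rather than a non-zero status, so check the output before applying it.
if [ ! -s "${SEALED_FILE}" ]; then
  echo "Error: kubeseal produced no output; is the sealed-secrets controller running?" >&2
  exit 1
fi

kubectl create \
  --namespace "${NAMESPACE_FOR_SECRET}" \
  --filename "${SEALED_FILE}"

# The EXIT trap removes the sealed-secret file.
exit 0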
54 |
--------------------------------------------------------------------------------
/deploy.sh:
--------------------------------------------------------------------------------
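#!/bin/sh
# Deploy the full environment in dependency order:
#   1. GKE cluster, VPC and sealed-secrets controller   (module.gcp)
#   2. kubectl credentials for the new cluster          (gcloud)
#   3. Cloudflare API token as a sealed secret          (get-cloudflare-secret.sh)
#   4. Helm releases                                    (module.helm_releases)
#   5. everything else, i.e. the ClusterIssuers         (untargeted apply)
#
# Usage: deploy.sh [-auto-approve] [-tf_binary <name-or-path>]
#   -auto-approve  forwarded to every apply; omit it to confirm each plan interactively
#   -tf_binary     Terraform-compatible binary to use; defaults to tofu, then terraform

# Fail fast: without -e a failed apply used to continue into credential
# fetching and secret sealing against a half-built cluster.
set -eu

# Run from the repository root so terraform.tfvars and get-cloudflare-secret.sh
# resolve no matter where the script was invoked from.
cd "$(dirname "$0")"

# Default values
TF_BIN=""
AUTO_APPROVE=""

# Detect available binaries if not overridden
detect_default_binary() {
  if command -v tofu >/dev/null 2>&1; then
    TF_BIN="tofu"
  elif command -v terraform >/dev/null 2>&1; then
    TF_BIN="terraform"
  else
    echo "Error: Neither 'tofu' nor 'terraform' is installed or in PATH, and no binary was provided via -tf_binary." >&2
    exit 1
  fi
}

# Parse flags
while [ $# -gt 0 ]; do
  case "$1" in
    -auto-approve)
      AUTO_APPROVE="$1"
      ;;
    -tf_binary)
      shift
      # ${1:-} keeps `set -u` from aborting before the friendly error below.
      if [ -z "${1:-}" ]; then
        echo "Error: -tf_binary requires an argument." >&2
        exit 1
      fi
      if [ ! -x "$1" ] && ! command -v "$1" >/dev/null 2>&1; then
        echo "Error: Specified Terraform binary '$1' is not executable or not found in PATH." >&2
        exit 1
      fi
      TF_BIN="$1"
      ;;
    *)
      echo "Unknown option: $1" >&2
      exit 1
      ;;
  esac
  shift
done

# Fallback to detected binary if none provided
if [ -z "$TF_BIN" ]; then
  detect_default_binary
fi

# Define tf alias
tf() {
  "$TF_BIN" "$@"
}

# Strip the quotes `console` prints around string values.
unquote() {
  sed -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'$//"
}

# Print the unquoted value of a Terraform expression (e.g. var.project_id)
# evaluated against terraform.tfvars.
tf_value() {
  echo "$1" | tf console -var-file terraform.tfvars | unquote
}

# Enable required GCP services
gcloud services enable container.googleapis.com

# Initialize Terraform/Tofu
tf init

# Apply GCP-specific module first; the other modules' providers need its outputs.
# ${AUTO_APPROVE:+"$AUTO_APPROVE"} expands to nothing when the flag was not
# given — the earlier "$AUTO_APPROVE" passed an empty positional argument,
# which apply treats as a plan-file name.
tf apply -target=module.gcp ${AUTO_APPROVE:+"$AUTO_APPROVE"}

# Extract Terraform variables
PROJECT_ID=$(tf_value "var.project_id")
ZONE=$(tf_value "var.zone")
REGION=$(tf_value "var.region")

# Get cluster credentials: zonal cluster first, regional as the fallback.
gcloud container clusters get-credentials "$PROJECT_ID-gke" --zone "$ZONE" || \
  gcloud container clusters get-credentials "$PROJECT_ID-gke" --region "$REGION"

# Fetch Cloudflare secrets (interactive; seals the token into the cluster)
/bin/sh get-cloudflare-secret.sh

# Apply Helm releases
tf apply -target=module.helm_releases ${AUTO_APPROVE:+"$AUTO_APPROVE"}

# Apply everything else
tf apply ${AUTO_APPROVE:+"$AUTO_APPROVE"}

exit 0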
86 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Terraform - Provision a GKE Cluster with Cloudflare Ingress and ArgoCD
2 |
3 | [](https://www.mozilla.org/en-US/MPL/2.0/)
4 | [](https://github.com/roib20/terraform-provision-gke-cloudflare/actions/workflows/shellcheck.yml)
5 |
6 | This repo contains three Terraform modules to provision a GKE cluster (with VPC and subnet), then deploy Helm charts and Kubernetes manifests.
7 |
8 | The included deployments are designed for a fully-functioning Ingress controller that works with Cloudflare.
9 |
10 | Note: the GCP module in this repo is a modified fork of [learn-terraform-provision-gke-cluster](https://github.com/hashicorp/learn-terraform-provision-gke-cluster); the MPL 2.0 license is adhered to.
11 |
12 |
13 |
14 | ## What is deployed?
15 |
16 | - **Secret Management:** [Sealed Secrets](https://sealed-secrets.netlify.app/)
17 | - **Ingress Controller:** [Ingress NGINX Controller](https://kubernetes.github.io/ingress-nginx/)
18 | - **TLS Certificate:** [cert-manager](https://cert-manager.io/) & [Let's Encrypt](https://letsencrypt.org/)
19 | - **Authoritative DNS:** [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) & [Cloudflare DNS](https://www.cloudflare.com/dns/)
20 | - **GitOps:** [Argo CD](https://argoproj.github.io/cd/)
21 |
22 | ## What is needed to deploy?
23 | The `deploy.sh` script does everything needed in order to deploy the full environment in the correct order. In order to use this script, you need a Unix shell (the script is written for POSIX shell - designed to have wide compatibility in Linux, macOS and WSL environments).
24 |
25 | In addition, you will need to have the following packages installed:
26 | * [gcloud CLI](https://cloud.google.com/sdk/docs/install) (configured with `gcloud init`)
27 | * [kubectl](https://kubernetes.io/docs/tasks/tools/)
28 | * [kubeseal](https://formulae.brew.sh/formula/kubeseal)
29 | * [Terraform](https://developer.hashicorp.com/terraform/downloads)
30 |
31 | For Cloudflare, you should own a domain and register it in Cloudflare. Then generate an API token with the permissions described here: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-tokens
32 |
33 | ## How to deploy this?
34 | 1) In your shell, run `gcloud init`
35 |
36 | 2) Enable billing for the GCP project you're using: see [Google Cloud documentation on enabling billing for a project](https://cloud.google.com/billing/docs/how-to/modify-project). GCP free trial can be used (if eligible).
37 |
38 | 3) Edit the `terraform.tfvars.example` file:
39 | * Use the command: `cp "terraform.tfvars.example" "terraform.tfvars"`
40 | * Edit `terraform.tfvars` using a text editor. Make sure to add an appropriate GCP project ID (according to what you configured in step 1).
41 |
42 | 4) Run the `deploy.sh` script
43 |
44 | 6) When running the script, the GKE cluster will be provisioned first, together with a sealed-secrets controller. You will then be asked to provide your Cloudflare API token, which will be configured as a sealed secret and used for the DNS-01 challenge and ExternalDNS.
45 |
46 | 7) When the script completes, run `kubectl get pods -A` to ensure everything deployed correctly.
47 |
48 | ## How to destroy this?
49 | Destroying is much simpler. Just run `terraform destroy` from the project directory.
50 |
51 |
52 |
53 | ## FAQ
54 | ### Can I use this without Cloudflare?
55 | Yes, but you will need to modify the cluster issuers and ExternalDNS to work with a different DNS provider.
56 |
57 | ### Can I use this without GCP?
58 | In theory yes but it will require the modules to be heavily rewritten.
59 |
60 | ### Can I use this in production?
61 | This is not recommended. These modules are designed only for learning (e.g. using a GCP free trial).
62 |
63 | ### Can I deploy other Helm charts?
64 | Yes, in the "helm_releases" folder, add any additional Helm chart as a tf file containing a "helm_release" resource.
65 |
66 | ### Can I deploy other Kubernetes manifests?
67 | Yes, in the "kubernetes_manifests" folder, add any additional Kubernetes manifest as a tf file containing a "kubernetes_manifest" resource. Make sure the manifest is formatted as JSON, not YAML.
68 |
69 | ### How do I access the Ingress?
70 | Apply an appropriate Ingress resource for your service (see the Kubernetes documentation) and add the following annotations:
71 |
72 | ```
73 | annotations:
74 | external-dns.alpha.kubernetes.io/hostname: "your.domain,*.your.domain" # MODIFY THIS
75 | cert-manager.io/cluster-issuer: letsencrypt-prod # or letsencrypt-staging
76 | ```
77 |
78 | The first annotation updates the DNS records using ExternalDNS. The second annotation uses cert-manager to provision a Let's Encrypt certificate (use either prod or staging).
79 |
80 | ### I am getting an SSL/TLS error or redirect error while accessing my domain after applying the ingress resource. How can I solve this?
81 | See Cloudflare Docs: [ERR_TOO_MANY_REDIRECTS](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/)
82 |
83 | It is recommended to set the SSL/TLS encryption mode in Cloudflare to `Full` or `Full (strict)`; if using a staging or self-signed certificate, use `Full`. With a prod certificate, both modes can be used. If not using *any* certificate, use Cloudflare's "Flexible" mode.
84 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2022 roib20
2 |
3 | Mozilla Public License Version 2.0
4 | ==================================
5 |
6 | 1. Definitions
7 | --------------
8 |
9 | 1.1. "Contributor"
10 | means each individual or legal entity that creates, contributes to
11 | the creation of, or owns Covered Software.
12 |
13 | 1.2. "Contributor Version"
14 | means the combination of the Contributions of others (if any) used
15 | by a Contributor and that particular Contributor's Contribution.
16 |
17 | 1.3. "Contribution"
18 | means Covered Software of a particular Contributor.
19 |
20 | 1.4. "Covered Software"
21 | means Source Code Form to which the initial Contributor has attached
22 | the notice in Exhibit A, the Executable Form of such Source Code
23 | Form, and Modifications of such Source Code Form, in each case
24 | including portions thereof.
25 |
26 | 1.5. "Incompatible With Secondary Licenses"
27 | means
28 |
29 | (a) that the initial Contributor has attached the notice described
30 | in Exhibit B to the Covered Software; or
31 |
32 | (b) that the Covered Software was made available under the terms of
33 | version 1.1 or earlier of the License, but not also under the
34 | terms of a Secondary License.
35 |
36 | 1.6. "Executable Form"
37 | means any form of the work other than Source Code Form.
38 |
39 | 1.7. "Larger Work"
40 | means a work that combines Covered Software with other material, in
41 | a separate file or files, that is not Covered Software.
42 |
43 | 1.8. "License"
44 | means this document.
45 |
46 | 1.9. "Licensable"
47 | means having the right to grant, to the maximum extent possible,
48 | whether at the time of the initial grant or subsequently, any and
49 | all of the rights conveyed by this License.
50 |
51 | 1.10. "Modifications"
52 | means any of the following:
53 |
54 | (a) any file in Source Code Form that results from an addition to,
55 | deletion from, or modification of the contents of Covered
56 | Software; or
57 |
58 | (b) any new file in Source Code Form that contains any Covered
59 | Software.
60 |
61 | 1.11. "Patent Claims" of a Contributor
62 | means any patent claim(s), including without limitation, method,
63 | process, and apparatus claims, in any patent Licensable by such
64 | Contributor that would be infringed, but for the grant of the
65 | License, by the making, using, selling, offering for sale, having
66 | made, import, or transfer of either its Contributions or its
67 | Contributor Version.
68 |
69 | 1.12. "Secondary License"
70 | means either the GNU General Public License, Version 2.0, the GNU
71 | Lesser General Public License, Version 2.1, the GNU Affero General
72 | Public License, Version 3.0, or any later versions of those
73 | licenses.
74 |
75 | 1.13. "Source Code Form"
76 | means the form of the work preferred for making modifications.
77 |
78 | 1.14. "You" (or "Your")
79 | means an individual or a legal entity exercising rights under this
80 | License. For legal entities, "You" includes any entity that
81 | controls, is controlled by, or is under common control with You. For
82 | purposes of this definition, "control" means (a) the power, direct
83 | or indirect, to cause the direction or management of such entity,
84 | whether by contract or otherwise, or (b) ownership of more than
85 | fifty percent (50%) of the outstanding shares or beneficial
86 | ownership of such entity.
87 |
88 | 2. License Grants and Conditions
89 | --------------------------------
90 |
91 | 2.1. Grants
92 |
93 | Each Contributor hereby grants You a world-wide, royalty-free,
94 | non-exclusive license:
95 |
96 | (a) under intellectual property rights (other than patent or trademark)
97 | Licensable by such Contributor to use, reproduce, make available,
98 | modify, display, perform, distribute, and otherwise exploit its
99 | Contributions, either on an unmodified basis, with Modifications, or
100 | as part of a Larger Work; and
101 |
102 | (b) under Patent Claims of such Contributor to make, use, sell, offer
103 | for sale, have made, import, and otherwise transfer either its
104 | Contributions or its Contributor Version.
105 |
106 | 2.2. Effective Date
107 |
108 | The licenses granted in Section 2.1 with respect to any Contribution
109 | become effective for each Contribution on the date the Contributor first
110 | distributes such Contribution.
111 |
112 | 2.3. Limitations on Grant Scope
113 |
114 | The licenses granted in this Section 2 are the only rights granted under
115 | this License. No additional rights or licenses will be implied from the
116 | distribution or licensing of Covered Software under this License.
117 | Notwithstanding Section 2.1(b) above, no patent license is granted by a
118 | Contributor:
119 |
120 | (a) for any code that a Contributor has removed from Covered Software;
121 | or
122 |
123 | (b) for infringements caused by: (i) Your and any other third party's
124 | modifications of Covered Software, or (ii) the combination of its
125 | Contributions with other software (except as part of its Contributor
126 | Version); or
127 |
128 | (c) under Patent Claims infringed by Covered Software in the absence of
129 | its Contributions.
130 |
131 | This License does not grant any rights in the trademarks, service marks,
132 | or logos of any Contributor (except as may be necessary to comply with
133 | the notice requirements in Section 3.4).
134 |
135 | 2.4. Subsequent Licenses
136 |
137 | No Contributor makes additional grants as a result of Your choice to
138 | distribute the Covered Software under a subsequent version of this
139 | License (see Section 10.2) or under the terms of a Secondary License (if
140 | permitted under the terms of Section 3.3).
141 |
142 | 2.5. Representation
143 |
144 | Each Contributor represents that the Contributor believes its
145 | Contributions are its original creation(s) or it has sufficient rights
146 | to grant the rights to its Contributions conveyed by this License.
147 |
148 | 2.6. Fair Use
149 |
150 | This License is not intended to limit any rights You have under
151 | applicable copyright doctrines of fair use, fair dealing, or other
152 | equivalents.
153 |
154 | 2.7. Conditions
155 |
156 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
157 | in Section 2.1.
158 |
159 | 3. Responsibilities
160 | -------------------
161 |
162 | 3.1. Distribution of Source Form
163 |
164 | All distribution of Covered Software in Source Code Form, including any
165 | Modifications that You create or to which You contribute, must be under
166 | the terms of this License. You must inform recipients that the Source
167 | Code Form of the Covered Software is governed by the terms of this
168 | License, and how they can obtain a copy of this License. You may not
169 | attempt to alter or restrict the recipients' rights in the Source Code
170 | Form.
171 |
172 | 3.2. Distribution of Executable Form
173 |
174 | If You distribute Covered Software in Executable Form then:
175 |
176 | (a) such Covered Software must also be made available in Source Code
177 | Form, as described in Section 3.1, and You must inform recipients of
178 | the Executable Form how they can obtain a copy of such Source Code
179 | Form by reasonable means in a timely manner, at a charge no more
180 | than the cost of distribution to the recipient; and
181 |
182 | (b) You may distribute such Executable Form under the terms of this
183 | License, or sublicense it under different terms, provided that the
184 | license for the Executable Form does not attempt to limit or alter
185 | the recipients' rights in the Source Code Form under this License.
186 |
187 | 3.3. Distribution of a Larger Work
188 |
189 | You may create and distribute a Larger Work under terms of Your choice,
190 | provided that You also comply with the requirements of this License for
191 | the Covered Software. If the Larger Work is a combination of Covered
192 | Software with a work governed by one or more Secondary Licenses, and the
193 | Covered Software is not Incompatible With Secondary Licenses, this
194 | License permits You to additionally distribute such Covered Software
195 | under the terms of such Secondary License(s), so that the recipient of
196 | the Larger Work may, at their option, further distribute the Covered
197 | Software under the terms of either this License or such Secondary
198 | License(s).
199 |
200 | 3.4. Notices
201 |
202 | You may not remove or alter the substance of any license notices
203 | (including copyright notices, patent notices, disclaimers of warranty,
204 | or limitations of liability) contained within the Source Code Form of
205 | the Covered Software, except that You may alter any license notices to
206 | the extent required to remedy known factual inaccuracies.
207 |
208 | 3.5. Application of Additional Terms
209 |
210 | You may choose to offer, and to charge a fee for, warranty, support,
211 | indemnity or liability obligations to one or more recipients of Covered
212 | Software. However, You may do so only on Your own behalf, and not on
213 | behalf of any Contributor. You must make it absolutely clear that any
214 | such warranty, support, indemnity, or liability obligation is offered by
215 | You alone, and You hereby agree to indemnify every Contributor for any
216 | liability incurred by such Contributor as a result of warranty, support,
217 | indemnity or liability terms You offer. You may include additional
218 | disclaimers of warranty and limitations of liability specific to any
219 | jurisdiction.
220 |
221 | 4. Inability to Comply Due to Statute or Regulation
222 | ---------------------------------------------------
223 |
224 | If it is impossible for You to comply with any of the terms of this
225 | License with respect to some or all of the Covered Software due to
226 | statute, judicial order, or regulation then You must: (a) comply with
227 | the terms of this License to the maximum extent possible; and (b)
228 | describe the limitations and the code they affect. Such description must
229 | be placed in a text file included with all distributions of the Covered
230 | Software under this License. Except to the extent prohibited by statute
231 | or regulation, such description must be sufficiently detailed for a
232 | recipient of ordinary skill to be able to understand it.
233 |
234 | 5. Termination
235 | --------------
236 |
237 | 5.1. The rights granted under this License will terminate automatically
238 | if You fail to comply with any of its terms. However, if You become
239 | compliant, then the rights granted under this License from a particular
240 | Contributor are reinstated (a) provisionally, unless and until such
241 | Contributor explicitly and finally terminates Your grants, and (b) on an
242 | ongoing basis, if such Contributor fails to notify You of the
243 | non-compliance by some reasonable means prior to 60 days after You have
244 | come back into compliance. Moreover, Your grants from a particular
245 | Contributor are reinstated on an ongoing basis if such Contributor
246 | notifies You of the non-compliance by some reasonable means, this is the
247 | first time You have received notice of non-compliance with this License
248 | from such Contributor, and You become compliant prior to 30 days after
249 | Your receipt of the notice.
250 |
251 | 5.2. If You initiate litigation against any entity by asserting a patent
252 | infringement claim (excluding declaratory judgment actions,
253 | counter-claims, and cross-claims) alleging that a Contributor Version
254 | directly or indirectly infringes any patent, then the rights granted to
255 | You by any and all Contributors for the Covered Software under Section
256 | 2.1 of this License shall terminate.
257 |
258 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all
259 | end user license agreements (excluding distributors and resellers) which
260 | have been validly granted by You or Your distributors under this License
261 | prior to termination shall survive termination.
262 |
263 | ************************************************************************
264 | * *
265 | * 6. Disclaimer of Warranty *
266 | * ------------------------- *
267 | * *
268 | * Covered Software is provided under this License on an "as is" *
269 | * basis, without warranty of any kind, either expressed, implied, or *
270 | * statutory, including, without limitation, warranties that the *
271 | * Covered Software is free of defects, merchantable, fit for a *
272 | * particular purpose or non-infringing. The entire risk as to the *
273 | * quality and performance of the Covered Software is with You. *
274 | * Should any Covered Software prove defective in any respect, You *
275 | * (not any Contributor) assume the cost of any necessary servicing, *
276 | * repair, or correction. This disclaimer of warranty constitutes an *
277 | * essential part of this License. No use of any Covered Software is *
278 | * authorized under this License except under this disclaimer. *
279 | * *
280 | ************************************************************************
281 |
282 | ************************************************************************
283 | * *
284 | * 7. Limitation of Liability *
285 | * -------------------------- *
286 | * *
287 | * Under no circumstances and under no legal theory, whether tort *
288 | * (including negligence), contract, or otherwise, shall any *
289 | * Contributor, or anyone who distributes Covered Software as *
290 | * permitted above, be liable to You for any direct, indirect, *
291 | * special, incidental, or consequential damages of any character *
292 | * including, without limitation, damages for lost profits, loss of *
293 | * goodwill, work stoppage, computer failure or malfunction, or any *
294 | * and all other commercial damages or losses, even if such party *
295 | * shall have been informed of the possibility of such damages. This *
296 | * limitation of liability shall not apply to liability for death or *
297 | * personal injury resulting from such party's negligence to the *
298 | * extent applicable law prohibits such limitation. Some *
299 | * jurisdictions do not allow the exclusion or limitation of *
300 | * incidental or consequential damages, so this exclusion and *
301 | * limitation may not apply to You. *
302 | * *
303 | ************************************************************************
304 |
305 | 8. Litigation
306 | -------------
307 |
308 | Any litigation relating to this License may be brought only in the
309 | courts of a jurisdiction where the defendant maintains its principal
310 | place of business and such litigation shall be governed by laws of that
311 | jurisdiction, without reference to its conflict-of-law provisions.
312 | Nothing in this Section shall prevent a party's ability to bring
313 | cross-claims or counter-claims.
314 |
315 | 9. Miscellaneous
316 | ----------------
317 |
318 | This License represents the complete agreement concerning the subject
319 | matter hereof. If any provision of this License is held to be
320 | unenforceable, such provision shall be reformed only to the extent
321 | necessary to make it enforceable. Any law or regulation which provides
322 | that the language of a contract shall be construed against the drafter
323 | shall not be used to construe this License against a Contributor.
324 |
325 | 10. Versions of the License
326 | ---------------------------
327 |
328 | 10.1. New Versions
329 |
330 | Mozilla Foundation is the license steward. Except as provided in Section
331 | 10.3, no one other than the license steward has the right to modify or
332 | publish new versions of this License. Each version will be given a
333 | distinguishing version number.
334 |
335 | 10.2. Effect of New Versions
336 |
337 | You may distribute the Covered Software under the terms of the version
338 | of the License under which You originally received the Covered Software,
339 | or under the terms of any subsequent version published by the license
340 | steward.
341 |
342 | 10.3. Modified Versions
343 |
344 | If you create software not governed by this License, and you want to
345 | create a new license for such software, you may create and use a
346 | modified version of this License if you rename the license and remove
347 | any references to the name of the license steward (except to note that
348 | such modified license differs from this License).
349 |
350 | 10.4. Distributing Source Code Form that is Incompatible With Secondary
351 | Licenses
352 |
353 | If You choose to distribute Source Code Form that is Incompatible With
354 | Secondary Licenses under the terms of this version of the License, the
355 | notice described in Exhibit B of this License must be attached.
356 |
357 | Exhibit A - Source Code Form License Notice
358 | -------------------------------------------
359 |
360 | This Source Code Form is subject to the terms of the Mozilla Public
361 | License, v. 2.0. If a copy of the MPL was not distributed with this
362 | file, You can obtain one at http://mozilla.org/MPL/2.0/.
363 |
364 | If it is not possible or desirable to put the notice in a particular
365 | file, then You may include the notice in a location (such as a LICENSE
366 | file in a relevant directory) where a recipient would be likely to look
367 | for such a notice.
368 |
369 | You may add additional accurate notices of copyright ownership.
370 |
371 | Exhibit B - "Incompatible With Secondary Licenses" Notice
372 | ---------------------------------------------------------
373 |
374 | This Source Code Form is "Incompatible With Secondary Licenses", as
375 | defined by the Mozilla Public License, v. 2.0.
376 |
--------------------------------------------------------------------------------