openteams-ai/terraform-vor-gke-cluster

Vor Terraform - Secure GKE Infrastructure Module

This Terraform module creates a security-hardened Google Kubernetes Engine (GKE) cluster with customizable node pools, custom VPC networking, and comprehensive IAM configurations following least privilege principles.

πŸ—οΈ Architecture Overview

The module creates a complete secure GKE environment with:

  • Private GKE cluster with enhanced security configurations
  • Custom VPC with dedicated subnets and secondary IP ranges
  • Private node pools with shielded VMs and secure boot
  • Dedicated service accounts with minimal required permissions
  • Network policies and firewall rules for secure communication
  • NAT Gateway for secure outbound internet access from private nodes

📚 Deep Dive Documentation

Infrastructure Overview (Layout)

```mermaid
graph TD
  subgraph GCP Project
    VPC["Custom VPC (create_vpc=true)"]
    SubnetPrimary["Primary Subnet (10.0.0.0/24)"]
    SubnetPods["Pods Subnet (10.1.0.0/16)"]
    SubnetServices["Services Subnet (10.2.0.0/16)"]
    NAT["Cloud NAT Gateway"]
    FlowLogs["VPC Flow Logs"]
  end

  subgraph GKE Cluster
    Cluster["Private GKE Cluster\n(Private Nodes, No Public IP)"]
    Master["Master Node\n(API Server, Private Endpoint)"]
    MasterCIDR["Master CIDR: 172.16.0.0/28"]
    WorkloadID["Workload Identity"]
    BinaryAuth["Binary Authorization"]
    NetworkPolicies["Network Policies (Calico)"]
    Firewall["Firewall Rules\n(Deny-All-Ingress by Default)"]
  end

  subgraph Node Pools
    SecureNodes["Node Pool: secure-nodes\ne2-standard-4"]
    General["Node Pool: general\ne2-standard-4"]
    Compute["Node Pool: compute-optimized\nc2-standard-8, Preemptible"]
    GPU["Node Pool: gpu-nodes\nn1-standard-4 + T4 GPU"]
    ShieldedVMs["Shielded VMs\nSecure Boot + Integrity Monitoring"]
    Taints["Node Taints"]
    Accelerators["Guest Accelerators\n(NVIDIA T4)"]
  end

  subgraph IAM
    SANode["Node Pool Service Account\nLeast Privilege"]
    IAMRoles["IAM Roles\n(logWriter, metricWriter, etc)"]
    OAuthScopes["OAuth Scopes\n(logging, monitoring, etc)"]
  end

  subgraph Security & Monitoring
    Monitoring["Monitoring + Logging"]
  end

  %% VPC connectivity
  VPC --> SubnetPrimary
  VPC --> SubnetPods
  VPC --> SubnetServices
  VPC --> NAT
  VPC --> FlowLogs

  %% Cluster and Master
  SubnetPrimary --> Cluster
  SubnetPrimary --> Master
  Master --> MasterCIDR
  Cluster --> WorkloadID
  Cluster --> BinaryAuth
  Cluster --> NetworkPolicies
  Cluster --> Firewall

  %% Node Pools inside cluster
  Cluster --> SecureNodes
  Cluster --> General
  Cluster --> Compute
  Cluster --> GPU

  %% Node security
  SecureNodes --> ShieldedVMs
  General --> ShieldedVMs
  Compute --> ShieldedVMs
  GPU --> ShieldedVMs
  GPU --> Accelerators
  GPU --> Taints
  Compute --> Taints

  %% IAM bindings
  Cluster --> SANode
  SecureNodes --> SANode
  General --> SANode
  Compute --> SANode
  GPU --> SANode
  SANode --> IAMRoles
  SANode --> OAuthScopes

  %% Monitoring
  Cluster --> Monitoring
  FlowLogs --> Monitoring
```

🚀 Getting Started

  1. Review the Examples: Start with the basic example for a simple setup or the advanced example for a production-ready configuration
  2. Configure Variables: See the complete inputs documentation below for all configuration options
  3. Deploy: Run `terraform init`, `terraform plan`, and `terraform apply`

For detailed configuration guides, see the component documentation linked above.
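The following root configuration is an added usage example, not code from the module repository. It calls the module with the hardened settings the page describes (private control-plane endpoint with an authorized-network allow-list, Binary Authorization, a KMS key for etcd encryption, tainted preemptible and GPU pools) using only the inputs documented below. The module `source`, the project/region/zone names, the CIDRs, the KMS key path and the Kubernetes version are constructed placeholders; `nvidia-tesla-t4` is the GCP accelerator type for the T4 GPU shown in the diagram.

```hcl
# Added example: hardened invocation of terraform-vor-gke-cluster.
# Every identifier below is a constructed placeholder unless it matches an
# input name in the Inputs table.

terraform {
  required_version = ">= 1.0"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.47"
    }
  }
}

provider "google" {
  project = "my-gcp-project" # placeholder
  region  = "us-central1"
}

module "gke" {
  # Assumption: the module is consumed from the repository named on this page.
  # Pin it with ?ref=<release tag> once a release exists.
  source = "github.com/openteams-ai/terraform-vor-gke-cluster"

  name               = "vor-prod"
  project_id         = "my-gcp-project"
  region             = "us-central1"
  location           = "us-central1-a" # a zone, per the variable description
  kubernetes_version = "1.30"          # placeholder; use a version offered by the channel
  release_channel    = "STABLE"

  # Control-plane exposure: no public API endpoint, and only the listed
  # networks (reached through the VPC, e.g. a bastion subnet) may connect.
  enable_private_endpoint = true
  authorized_networks = [
    { cidr_block = "10.50.0.0/24", display_name = "bastion-subnet" }, # constructed
  ]
  master_ipv4_cidr_block = "172.16.0.0/28"

  # Supply-chain and data-at-rest controls exposed by the module.
  enable_binary_authorization  = true
  database_encryption_key_name = "projects/my-gcp-project/locations/us-central1/keyRings/gke/cryptoKeys/etcd" # placeholder

  maintenance_start_time = "02:00"
  node_disk_type         = "pd-balanced"
  node_disk_size_gb      = 100

  # Keep the node service account minimal: grant extra roles or scopes only
  # when a workload demonstrably needs them (both lists default to empty).
  additional_node_group_roles        = []
  additional_node_group_oauth_scopes = []

  node_groups = [
    {
      name          = "secure-nodes"
      min_size      = 1
      max_size      = 3
      instance_type = "e2-standard-4"
    },
    {
      name          = "compute-optimized"
      min_size      = 1
      max_size      = 5
      instance_type = "c2-standard-8"
      preemptible   = true
      # Taint so only workloads that tolerate preemption are scheduled here.
      node_taints = [
        { key = "workload", value = "batch", effect = "NO_SCHEDULE" },
      ]
    },
    {
      name          = "gpu-nodes"
      min_size      = 1
      max_size      = 2
      instance_type = "n1-standard-4"
      guest_accelerators = [
        { name = "nvidia-tesla-t4", count = 1 },
      ]
      # Keep non-GPU workloads off the expensive pool.
      node_taints = [
        { key = "nvidia.com/gpu", value = "present", effect = "NO_SCHEDULE" },
      ]
      labels = { accelerator = "t4" }
    },
  ]

  labels = { env = "prod", team = "platform" }
  tags   = ["gke-node"]
}
```

With `enable_private_endpoint = true` the API server is reachable only from inside the VPC, so `terraform apply` and later `kubectl` access must originate from an authorized network (a bastion or VPN subnet in the allow-list); plan for that before enabling it.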

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| google | ~> 6.47 |

Providers

| Name | Version |
|------|---------|
| google | ~> 6.47 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_compute_firewall.allow_health_checks | resource |
| google_compute_firewall.allow_internal | resource |
| google_compute_firewall.deny_all_ingress | resource |
| google_compute_network.main | resource |
| google_compute_router.main | resource |
| google_compute_router_nat.main | resource |
| google_compute_subnetwork.main | resource |
| google_container_cluster.main | resource |
| google_container_node_pool.main | resource |
| google_project_iam_member.main | resource |
| google_project_service.compute | resource |
| google_project_service.container | resource |
| google_service_account.main | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_node_group_oauth_scopes | Additional OAuth scopes for nodes | `list(string)` | `[]` | no |
| additional_node_group_roles | Additional IAM roles for node service account | `list(string)` | `[]` | no |
| authorized_networks | List of authorized networks that can access the cluster master | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
| availability_zones | List of zones where nodes can be created | `list(string)` | `[]` | no |
| create_vpc | Whether to create a new VPC or use existing network resources | `bool` | `true` | no |
| database_encryption_key_name | KMS key name for database encryption at rest | `string` | `""` | no |
| enable_binary_authorization | Enable binary authorization for container image security | `bool` | `false` | no |
| enable_private_endpoint | Enable private endpoint for the cluster master (nodes are always private) | `bool` | `false` | no |
| gateway_api_channel | GKE Gateway API config channel | `string` | `"CHANNEL_DISABLED"` | no |
| kubernetes_version | Kubernetes version for the cluster | `string` | n/a | yes |
| labels | Labels to apply to all node pools | `map(string)` | `{}` | no |
| location | GCP zone where the cluster will be created | `string` | n/a | yes |
| maintenance_start_time | Start time for daily maintenance window (HH:MM format) | `string` | `"02:00"` | no |
| master_ipv4_cidr_block | CIDR block for the master network | `string` | `"172.16.0.0/28"` | no |
| name | Name of the GKE cluster and associated resources | `string` | n/a | yes |
| network_self_link | Self link of existing VPC network (when create_vpc is false) | `string` | `""` | no |
| node_disk_size_gb | Disk size for node pools in GB | `number` | `100` | no |
| node_disk_type | Disk type for node pools | `string` | `"pd-balanced"` | no |
| node_group_defaults | Default values for node groups | `object({ min_size = number, max_size = number, instance_type = string, preemptible = optional(bool, false), node_taints = optional(list(object({ key = string, value = string, effect = string })), []), guest_accelerators = optional(list(object({ name = string, count = number, gpu_partition_size = optional(string, "") })), []), labels = optional(map(string), {}) })` | `{ "guest_accelerators": [], "instance_type": "e2-standard-2", "labels": {}, "max_size": 3, "min_size": 1, "node_taints": [], "preemptible": false }` | no |
| node_groups | List of node pool configurations | `list(object({ name = string, min_size = number, max_size = number, instance_type = string, preemptible = optional(bool, false), node_taints = optional(list(object({ key = string, value = string, effect = string })), []), guest_accelerators = optional(list(object({ name = string, count = number, gpu_partition_size = optional(string, ""), gpu_driver_version = optional(string, "") })), []), labels = optional(map(string), {}) }))` | `[ { "guest_accelerators": [], "instance_type": "e2-standard-2", "labels": {}, "max_size": 3, "min_size": 1, "name": "default", "node_taints": [], "preemptible": false } ]` | no |
| pods_secondary_range_name | Name of secondary range for pods (when using existing VPC) | `string` | `""` | no |
| pods_subnet_cidr | CIDR range for pods secondary subnet | `string` | `"10.1.0.0/16"` | no |
| primary_subnet_cidr | CIDR range for the primary subnet | `string` | `"10.0.0.0/24"` | no |
| project_id | GCP project ID where resources will be created | `string` | n/a | yes |
| rbac_security_group | Security group for RBAC authenticator | `string` | `""` | no |
| region | GCP region for regional resources | `string` | n/a | yes |
| release_channel | GKE release channel | `string` | `"STABLE"` | no |
| services_secondary_range_name | Name of secondary range for services (when using existing VPC) | `string` | `""` | no |
| services_subnet_cidr | CIDR range for services secondary subnet | `string` | `"10.2.0.0/16"` | no |
| subnetwork_self_link | Self link of existing subnetwork (when create_vpc is false) | `string` | `""` | no |
| tags | Network tags for node pools | `list(string)` | `[]` | no |

Outputs

| Name | Description |
|------|-------------|
| cluster_access_token | Access token for the GKE cluster |
| cluster_ca_certificate | Base64 encoded cluster CA certificate |
| cluster_endpoint | Endpoint for the GKE cluster |
| cluster_name | Name of the GKE cluster |
| cluster_security_features | Security features enabled on the cluster |
| kubeconfig | Kubeconfig for connecting to kubernetes cluster |
| node_pools | List of node pool names |
| service_account_email | Email of the service account used by node pools |
| subnet_id | ID of the subnet |
| vpc_id | ID of the VPC network |
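As an added example (not part of the module), this is how the `cluster_endpoint`, `cluster_ca_certificate` and `cluster_access_token` outputs are typically wired into the Kubernetes provider so that in-cluster resources can be managed from the same root configuration. It assumes the module is instantiated under the local name `module.gke`, that `cluster_endpoint` is a bare address (hence the `https://` prefix), and that the `hashicorp/kubernetes` provider is used; the `app` namespace and the policy name are constructed.

```hcl
# Added example: consume the module's outputs from the Kubernetes provider
# and seed a namespace with a default-deny ingress policy, which the Calico
# network-policy enforcement the module enables will honour.

terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.0"
    }
  }
}

provider "kubernetes" {
  # Assumption: cluster_endpoint is a host/IP without a scheme.
  host                   = "https://${module.gke.cluster_endpoint}"
  token                  = module.gke.cluster_access_token
  cluster_ca_certificate = base64decode(module.gke.cluster_ca_certificate)
}

resource "kubernetes_namespace" "app" {
  metadata {
    name = "app" # constructed namespace name
  }
}

# Every pod in the namespace is selected (empty pod_selector); with only
# "Ingress" listed, all inbound traffic is dropped until a narrower allow
# policy is added, matching the deny-by-default stance of the VPC firewall.
resource "kubernetes_network_policy" "default_deny_ingress" {
  metadata {
    name      = "default-deny-ingress"
    namespace = kubernetes_namespace.app.metadata[0].name
  }

  spec {
    pod_selector {}
    policy_types = ["Ingress"]
  }
}

# Re-export the node service account so its project IAM bindings can be
# reviewed alongside the additional_node_group_roles input.
output "node_service_account" {
  value = module.gke.service_account_email
}
```

Two operational notes. First, `cluster_access_token` and `kubeconfig` are credentials that end up in Terraform state, so the state backend needs the same access controls as the cluster itself. Second, configuring a provider from outputs of a resource created in the same configuration works on the first apply but is a documented Terraform limitation; HashiCorp recommends keeping the cluster and its in-cluster resources in separate root configurations for a cleaner lifecycle.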

License

This module is licensed under the Apache 2.0 License. See LICENSE for details.

About

This is a Terraform module for bootstrapping GKE Vor infrastructure
