Introduce separate networking submodule

README.md

@@ -30,23 +30,23 @@ The module has been tested with:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 6.21.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.25.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_database"></a> [database](#module\_database) | ./modules/database | n/a |
 | <a name="module_gke"></a> [gke](#module\_gke) | ./modules/gke | n/a |
-| <a name="module_operator"></a> [operator](#module\_operator) | github.com/MaterializeInc/terraform-helm-materialize | v0.1.7 |
+| <a name="module_networking"></a> [networking](#module\_networking) | ./modules/networking | n/a |
+| <a name="module_operator"></a> [operator](#module\_operator) | github.com/MaterializeInc/terraform-helm-materialize | v0.1.8 |
 | <a name="module_storage"></a> [storage](#module\_storage) | ./modules/storage | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
-| [google_client_config.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 
 ## Inputs
 
@@ -59,7 +59,7 @@ The module has been tested with:
 | <a name="input_install_materialize_operator"></a> [install\_materialize\_operator](#input\_install\_materialize\_operator) | Whether to install the Materialize operator | `bool` | `true` | no |
 | <a name="input_install_metrics_server"></a> [install\_metrics\_server](#input\_install\_metrics\_server) | Whether to install the metrics-server for the Materialize Console. Defaults to false since GKE installs one by default in the kube-system namespace. Only set to true if the GKE cluster was deployed with [monitoring explicitly turned off](https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#:~:text=To%20disable%20system%20metric%20collection,for%20the%20%2D%2Dmonitoring%20flag). Refer to the [GKE docs](https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#:~:text=To%20disable%20system%20metric%20collection,for%20the%20%2D%2Dmonitoring%20flag) for more information, including impact to GKE customer support efforts. | `bool` | `false` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Labels to apply to all resources | `map(string)` | `{}` | no |
-| <a name="input_materialize_instances"></a> [materialize\_instances](#input\_materialize\_instances) | Configuration for Materialize instances | <pre>list(object({<br/>    name                 = string<br/>    namespace            = optional(string)<br/>    database_name        = string<br/>    create_database      = optional(bool, true)<br/>    environmentd_version = optional(string, "v0.130.4")<br/>    cpu_request          = optional(string, "1")<br/>    memory_request       = optional(string, "1Gi")<br/>    memory_limit         = optional(string, "1Gi")<br/>    in_place_rollout     = optional(bool, false)<br/>    request_rollout      = optional(string)<br/>    force_rollout        = optional(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_materialize_instances"></a> [materialize\_instances](#input\_materialize\_instances) | Configuration for Materialize instances | <pre>list(object({<br/>    name                    = string<br/>    namespace               = optional(string)<br/>    database_name           = string<br/>    create_database         = optional(bool, true)<br/>    environmentd_version    = optional(string, "v0.130.4")<br/>    cpu_request             = optional(string, "1")<br/>    memory_request          = optional(string, "1Gi")<br/>    memory_limit            = optional(string, "1Gi")<br/>    in_place_rollout        = optional(bool, false)<br/>    request_rollout         = optional(string)<br/>    force_rollout           = optional(string)<br/>    balancer_memory_request = optional(string, "256Mi")<br/>    balancer_memory_limit   = optional(string, "256Mi")<br/>    balancer_cpu_request    = optional(string, "100m")<br/>  }))</pre> | `[]` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Kubernetes namespace for Materialize | `string` | `"materialize"` | no |
 | <a name="input_network_config"></a> [network\_config](#input\_network\_config) | Network configuration for the GKE cluster | <pre>object({<br/>    subnet_cidr   = string<br/>    pods_cidr     = string<br/>    services_cidr = string<br/>  })</pre> | <pre>{<br/>  "pods_cidr": "10.48.0.0/14",<br/>  "services_cidr": "10.52.0.0/20",<br/>  "subnet_cidr": "10.0.0.0/20"<br/>}</pre> | no |
 | <a name="input_operator_namespace"></a> [operator\_namespace](#input\_operator\_namespace) | Namespace for the Materialize operator | `string` | `"materialize"` | no |
@@ -77,6 +77,7 @@ The module has been tested with:
 | <a name="output_connection_strings"></a> [connection\_strings](#output\_connection\_strings) | Formatted connection strings for Materialize |
 | <a name="output_database"></a> [database](#output\_database) | Cloud SQL instance details |
 | <a name="output_gke_cluster"></a> [gke\_cluster](#output\_gke\_cluster) | GKE cluster details |
+| <a name="output_network"></a> [network](#output\_network) | Network details |
 | <a name="output_operator"></a> [operator](#output\_operator) | Materialize operator details |
 | <a name="output_service_accounts"></a> [service\_accounts](#output\_service\_accounts) | Service account details |
 | <a name="output_storage"></a> [storage](#output\_storage) | GCS bucket details |

examples/simple/main.tf

@@ -6,6 +6,14 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 6.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
     random = {
       source  = "hashicorp/random"
       version = "~> 3.0"
@@ -18,6 +26,23 @@ provider "google" {
   region  = var.region
 }
 
+# Configure kubernetes provider with GKE cluster credentials
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  host                   = "https://${module.materialize.gke_cluster.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.materialize.gke_cluster.ca_certificate)
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = "https://${module.materialize.gke_cluster.endpoint}"
+    token                  = data.google_client_config.default.access_token
+    cluster_ca_certificate = base64decode(module.materialize.gke_cluster.ca_certificate)
+  }
+}
+
 module "materialize" {
   # Referencing the root module directory:
   source = "../.."
@@ -47,6 +72,12 @@ module "materialize" {
 
   # Once the operator is installed, you can define your Materialize instances here.
   materialize_instances = var.materialize_instances
+
+  providers = {
+    google     = google
+    kubernetes = kubernetes
+    helm       = helm
+  }
 }
 
 variable "project_id" {
@@ -66,7 +97,6 @@ variable "prefix" {
   default     = "mz-simple"
 }
 
-
 resource "random_password" "pass" {
   length  = 20
   special = false
@@ -95,6 +125,11 @@ variable "operator_version" {
   default     = null
 }
 
+output "network" {
+  description = "Network details"
+  value       = module.materialize.network
+}
+
 variable "orchestratord_version" {
   description = "Version of the Materialize orchestrator to install"
   type        = string

main.tf

@@ -5,21 +5,27 @@ locals {
   })
 }
 
-
-provider "google" {
-  project = var.project_id
-  region  = var.region
-}
-
-module "gke" {
-  source = "./modules/gke"
+module "networking" {
+  source = "./modules/networking"
 
   project_id    = var.project_id
   region        = var.region
   prefix        = var.prefix
   subnet_cidr   = var.network_config.subnet_cidr
   pods_cidr     = var.network_config.pods_cidr
   services_cidr = var.network_config.services_cidr
+}
+
+module "gke" {
+  source = "./modules/gke"
+
+  depends_on = [module.networking]
+
+  project_id   = var.project_id
+  region       = var.region
+  prefix       = var.prefix
+  network_name = module.networking.network_name
+  subnet_name  = module.networking.subnet_name
 
   node_count   = var.gke_config.node_count
   machine_type = var.gke_config.machine_type
@@ -34,15 +40,18 @@ module "gke" {
 module "database" {
   source = "./modules/database"
 
-  depends_on = [module.gke]
+  depends_on = [
+    module.networking,
+    module.gke
+  ]
 
   database_name = var.database_config.db_name
   database_user = var.database_config.username
 
   project_id = var.project_id
   region     = var.region
   prefix     = var.prefix
-  network_id = module.gke.network_id
+  network_id = module.networking.network_id
 
   tier       = var.database_config.tier
   db_version = var.database_config.version

modules/gke/main.tf

@@ -1,83 +1,9 @@
-resource "google_compute_network" "vpc" {
-  name                    = "${var.prefix}-network"
-  auto_create_subnetworks = false
-  project                 = var.project_id
-
-  lifecycle {
-    create_before_destroy = true
-    prevent_destroy       = false
-  }
-}
-
-resource "google_compute_route" "default_route" {
-  name             = "${var.prefix}-default-route"
-  project          = var.project_id
-  network          = google_compute_network.vpc.name
-  dest_range       = "0.0.0.0/0"
-  priority         = 1000
-  next_hop_gateway = "default-internet-gateway"
-
-  # Ensure this is destroyed before the network
-  depends_on = [google_compute_network.vpc]
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "google_compute_subnetwork" "subnet" {
-  name          = "${var.prefix}-subnet"
-  project       = var.project_id
-  network       = google_compute_network.vpc.id
-  ip_cidr_range = var.subnet_cidr
-  region        = var.region
-
-  private_ip_google_access = true
-
-  secondary_ip_range {
-    range_name    = "pods"
-    ip_cidr_range = var.pods_cidr
-  }
-
-  secondary_ip_range {
-    range_name    = "services"
-    ip_cidr_range = var.services_cidr
-  }
-}
-
 resource "google_service_account" "gke_sa" {
   project      = var.project_id
   account_id   = "${var.prefix}-gke-sa"
   display_name = "GKE Service Account for Materialize"
 }
 
-resource "google_compute_global_address" "private_ip_address" {
-  provider      = google
-  project       = var.project_id
-  name          = "${var.prefix}-private-ip"
-  purpose       = "VPC_PEERING"
-  address_type  = "INTERNAL"
-  prefix_length = 16
-  network       = google_compute_network.vpc.id
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "google_service_networking_connection" "private_vpc_connection" {
-  provider                = google
-  network                 = google_compute_network.vpc.id
-  service                 = "servicenetworking.googleapis.com"
-  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
-
-  lifecycle {
-    create_before_destroy = true
-  }
-
-  deletion_policy = "ABANDON"
-}
-
 resource "google_service_account" "workload_identity_sa" {
   project      = var.project_id
   account_id   = "${var.prefix}-materialize-sa"
@@ -92,18 +18,15 @@ resource "google_container_cluster" "primary" {
   depends_on = [
     google_service_account.gke_sa,
     google_service_account.workload_identity_sa,
-    google_service_networking_connection.private_vpc_connection,
-    google_compute_subnetwork.subnet,
-    google_compute_route.default_route
   ]
 
   name     = "${var.prefix}-gke"
   location = var.region
   project  = var.project_id
 
   networking_mode = "VPC_NATIVE"
-  network         = google_compute_network.vpc.name
-  subnetwork      = google_compute_subnetwork.subnet.name
+  network         = var.network_name
+  subnetwork      = var.subnet_name
 
   remove_default_node_pool = true
   initial_node_count       = 1
@@ -171,10 +94,8 @@ resource "google_container_node_pool" "primary_nodes" {
 
   lifecycle {
     create_before_destroy = true
-
-    prevent_destroy = false
+    prevent_destroy       = false
   }
-
 }
 
 resource "google_service_account_iam_binding" "workload_identity" {

modules/gke/outputs.tf

@@ -18,21 +18,6 @@ output "cluster_location" {
   value       = google_container_cluster.primary.location
 }
 
-output "network_id" {
-  description = "The ID of the VPC network"
-  value       = google_compute_network.vpc.id
-}
-
-output "network_name" {
-  description = "The name of the VPC network"
-  value       = google_compute_network.vpc.name
-}
-
-output "subnet_name" {
-  description = "The name of the subnet"
-  value       = google_compute_subnetwork.subnet.name
-}
-
 output "service_account_email" {
   description = "The email of the GKE service account"
   value       = google_service_account.gke_sa.email

modules/gke/variables.tf

@@ -13,18 +13,13 @@ variable "prefix" {
   type        = string
 }
 
-variable "subnet_cidr" {
-  description = "CIDR range for the subnet"
+variable "network_name" {
+  description = "The name of the VPC network"
   type        = string
 }
 
-variable "pods_cidr" {
-  description = "CIDR range for pods"
-  type        = string
-}
-
-variable "services_cidr" {
-  description = "CIDR range for services"
+variable "subnet_name" {
+  description = "The name of the subnet"
   type        = string
 }