Added terraform boilerplate code for GCP

Vadym Mudryi · Vadym Mudryi · commit 8bf2771757ad · 2025-04-01T09:07:44.000+03:00
diff --git a/terraform-templates/README.md b/terraform-templates/README.md
@@ -0,0 +1 @@
+This folder contains templates to prepare infrastructure for OpenCRVS deployment.
diff --git a/terraform-templates/google-cloud-platform/01.common/backend_bucket.tf b/terraform-templates/google-cloud-platform/01.common/backend_bucket.tf
@@ -0,0 +1,11 @@
+# Bucket to store terraform state files for all project
+resource "google_storage_bucket" "backend_terraform_bucket" {
+  name          = "opencrvs-app-terraform-bucket"
+  force_destroy = false
+  location      = "EU"
+  storage_class = "STANDARD"
+  project       = var.project_id
+  versioning {
+    enabled = true
+  }
+}
diff --git a/terraform-templates/google-cloud-platform/01.common/gke_vpc.tf b/terraform-templates/google-cloud-platform/01.common/gke_vpc.tf
@@ -0,0 +1,53 @@
+resource "google_compute_network" "vpc_network" {
+  name                    = "gke-vpc"
+  project                 = var.project_id
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_router" "nat_router" {
+  name    = "${google_compute_network.vpc_network.name}-nat-router"
+  network = google_compute_network.vpc_network.name
+  region  = "europe-west1"
+  project = var.project_id
+}
+
+resource "google_compute_address" "nat_ips" {
+  count   = var.nat_ip_count
+  name    = "gke-nat-ip-${count.index + 1}"
+  region  = "europe-west1"
+  project = var.project_id
+}
+
+resource "google_compute_router_nat" "nat_config" {
+  name                               = "${google_compute_network.vpc_network.name}-nat-config"
+  router                             = google_compute_router.nat_router.name
+  region                             = "europe-west1"
+  project                            = var.project_id
+  nat_ip_allocate_option             = "MANUAL_ONLY"
+  nat_ips = google_compute_address.nat_ips.*.self_link
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+
+  min_ports_per_vm = 8192
+  max_ports_per_vm = 65536
+
+  log_config {
+    enable = false
+    filter = "ALL"
+  }
+}
+
+resource "google_compute_global_address" "private_ip_alloc" {
+  name          = "opencrvs-private-connection-ip"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = google_compute_network.vpc_network.name
+  project       = var.project_id
+}
+
+# Create a private connection
+resource "google_service_networking_connection" "service_networking" {
+  network                 = google_compute_network.vpc_network.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.private_ip_alloc.name]
+}
diff --git a/terraform-templates/google-cloud-platform/01.common/outputs.tf b/terraform-templates/google-cloud-platform/01.common/outputs.tf
@@ -0,0 +1,11 @@
+output "gke_vpc_self_link" {
+  value = google_compute_network.vpc_network.self_link
+}
+
+output "gke_vpc_name" {
+  value = google_compute_network.vpc_network.name
+}
+
+output "server_tls_policy" {
+  value = google_compute_ssl_policy.custom_restricted.id
+}
diff --git a/terraform-templates/google-cloud-platform/01.common/project.tf b/terraform-templates/google-cloud-platform/01.common/project.tf
@@ -0,0 +1,7 @@
+# Enable APIs
+resource "google_project_service" "enabled_apis" {
+  for_each           = var.enabled_apis
+  project            = var.project_id
+  service            = each.key
+  disable_on_destroy = false // Set to false to prevent the API from being disabled if the resource is destroyed.
+}
diff --git a/terraform-templates/google-cloud-platform/01.common/providers.tf b/terraform-templates/google-cloud-platform/01.common/providers.tf
@@ -0,0 +1,20 @@
+# Include Google Provider to configure your Google Cloud Platform infrastructure.
+provider "google" {
+  # credentials = var.credentials_file
+}
+
+terraform {
+  # Configure terraform to persist state in Google Storage Bucket
+  # Exact configuration of bucket is configured per env in ./envs/<env_name>/backendconfig.tfvars file
+  backend "gcs" {
+    bucket = "opencrvs-app-terraform-bucket"
+    prefix = "states/common"
+  }
+
+  # Include Google Provider as required provider globally
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+    }
+  }
+}
diff --git a/terraform-templates/google-cloud-platform/01.common/ssl_policy.tf b/terraform-templates/google-cloud-platform/01.common/ssl_policy.tf
@@ -0,0 +1,7 @@
+
+resource "google_compute_ssl_policy" "custom_restricted" { 
+  name            = "custom-restricted" 
+  project = var.project_id
+  profile         = "RESTRICTED"
+  min_tls_version = "TLS_1_2" 
+}
diff --git a/terraform-templates/google-cloud-platform/01.common/variables.tf b/terraform-templates/google-cloud-platform/01.common/variables.tf
@@ -0,0 +1,48 @@
+# File for defining global variables. Exact value variables can be set per env using ./envs/<env-name>/terraform.tfvars file
+# variable "tf_credentials_file" {
+#   type        = string
+#   description = "Credentials file to use for Terraform"
+#   default     = "~/.secret/tf-sa.json"
+#   sensitive   = true
+# }
+
+variable "project_id" {
+  type    = string
+  default = "opencrvs-on-k8s"
+}
+
+variable "location" {
+  type    = string
+  default = "europe-west1"
+
+}
+
+
+variable "enabled_apis" {
+  type        = set(string)
+  description = "List enabled APIs for project here"
+  # APIs enabled in scope of Check Point CloudGuard (Dome 9): Identity for integration
+  default = [
+    "compute.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "container.googleapis.com",
+    "iam.googleapis.com",
+    # "appengine.googleapis.com",
+    # "bigquery.googleapis.com",
+    # "cloudfunctions.googleapis.com",
+    # "sqladmin.googleapis.com",
+    # "bigtableadmin.googleapis.com",
+    "pubsub.googleapis.com",
+    "redis.googleapis.com",
+    "serviceusage.googleapis.com",
+    "servicenetworking.googleapis.com",
+    "cloudkms.googleapis.com",
+    "admin.googleapis.com",
+  ]
+}
+
+variable "nat_ip_count" {
+  description = "Number of NAT IP addresses to allocate"
+  type        = number
+  default     = 1  # Change this to the number of IP addresses you need
+}
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/envs/.DS_Store b/terraform-templates/google-cloud-platform/02.gke_cluster/envs/.DS_Store
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/gke.tf b/terraform-templates/google-cloud-platform/02.gke_cluster/gke.tf
@@ -0,0 +1,124 @@
+module "gke" {
+  source                 = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant"
+  version                = "~>31.1.0"
+  project_id             = var.project_id
+  name                   = var.gke_cluster_name
+  regional               = false
+  kubernetes_version     = "latest"
+  zones                  = [var.gke_cluster_location]
+  network                = data.terraform_remote_state.common.outputs.gke_vpc_name
+  subnetwork             = google_compute_subnetwork.vpc_subnetwork.name
+  ip_range_pods          = "${var.gke_cluster_name}-pods-subnet"
+  ip_range_services      = "${var.gke_cluster_name}-services-subnet"
+  release_channel        = "REGULAR"
+  enable_cost_allocation = true
+  maintenance_start_time = "1970-01-01T22:00:00Z"
+  maintenance_end_time   = "1970-01-02T02:00:00Z"
+  maintenance_recurrence = "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR"
+  # TODO: Ensure that Compute Instances have Confidential Computing enabled
+  # enable_confidential_nodes = true
+  # TODO: Double check after cluster creation
+  cluster_autoscaling = {
+    autoscaling_profile = "OPTIMIZE_UTILIZATION"
+    auto_repair         = true
+    auto_upgrade        = true
+    enabled             = false
+    gpu_resources       = []
+    min_cpu_cores       = 4
+    max_cpu_cores       = 16
+    min_memory_gb       = 16
+    max_memory_gb       = 50
+  }
+  http_load_balancing        = true
+  network_policy             = false
+  registry_project_ids       = [var.project_id]
+  horizontal_pod_autoscaling = true
+  # Default: False
+  filestore_csi_driver = false
+  enable_gcfs        = true
+  # TODO: Check option
+  enable_private_endpoint = false
+  enable_private_nodes    = true
+  # TODO: 
+  master_ipv4_cidr_block               = var.gke_master_ipv4_cidr_block
+  monitoring_enable_managed_prometheus = false
+  dns_cache                            = false
+  remove_default_node_pool             = true
+
+  node_pools = [
+    {
+      name         = "main-pool"
+      machine_type = var.gke_machine_type
+      #   node_locations            = var.gke_cluster_location
+      min_count                 = 1
+      max_count                 = 20
+      local_ssd_count           = 0
+      spot                      = var.gke_use_spot_instance_type
+      local_ssd_ephemeral_count = 0
+      disk_size_gb              = 20
+      disk_type                 = "pd-standard"
+      image_type                = "COS_CONTAINERD"
+      # Image steaming
+      enable_gcfs        = true
+      enable_gvnic       = false
+      logging_variant    = "DEFAULT"
+      auto_repair        = true
+      auto_upgrade       = true
+      preemptible        = false
+      initial_node_count = 1
+    }
+  ]
+
+  node_pools_oauth_scopes = {
+    all = [
+      # Write access to Stackdriver Logging
+      "https://www.googleapis.com/auth/logging.write",
+      # Write access to Stackdriver Monitoring
+      "https://www.googleapis.com/auth/monitoring",
+      # Read-only access to Google Cloud Storage
+      "https://www.googleapis.com/auth/devstorage.read_only"
+    ]
+  }
+
+  node_pools_labels = {
+    all = {}
+
+    default-node-pool = {
+      default-node-pool = true
+    }
+  }
+
+  node_pools_metadata = {
+    all = {
+      # Block project-wide SSH keys
+      "block-project-ssh-keys" = "TRUE"
+    }
+
+    default-node-pool = {
+      "block-project-ssh-keys"        = "TRUE"
+      node-pool-metadata-custom-value = "my-node-pool"
+    }
+  }
+
+  node_pools_taints = {
+    all = []
+
+    default-node-pool = [
+      {
+        key    = "default-node-pool"
+        value  = true
+        effect = "PREFER_NO_SCHEDULE"
+      },
+    ]
+  }
+
+  node_pools_tags = {
+    all = [
+      var.gke_cluster_name
+    ]
+
+    default-node-pool = [
+      "default-node-pool",
+    ]
+  }
+}
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/outputs.tf b/terraform-templates/google-cloud-platform/02.gke_cluster/outputs.tf
@@ -0,0 +1,18 @@
+output "k8s_instance_group" {
+  value = module.gke.instance_group_urls.0
+}
+
+output "cluster_location" {
+    value = var.gke_cluster_location
+}
+
+output "cluster_name" {
+    value = var.gke_cluster_name
+}
+
+locals {
+  a = tostring(module.gke.endpoint)
+}
+output "cluster_endpoint" {
+  value = nonsensitive(module.gke.endpoint)
+}
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/prod_tfplan.out b/terraform-templates/google-cloud-platform/02.gke_cluster/prod_tfplan.out
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/providers.tf b/terraform-templates/google-cloud-platform/02.gke_cluster/providers.tf
@@ -0,0 +1,30 @@
+# Include Google Provider to configure your Google Cloud Platform infrastructure.
+provider "google" {
+  # credentials = var.credentials_file
+}
+
+terraform {
+  # Configure terraform to persist state in Google Storage Bucket
+  # Exact configuration of bucket is configured per env in ./envs/<env_name>/backendconfig.tfvars file
+  backend "gcs" {
+    bucket = "opencrvs-app-terraform-bucket"
+    prefix = "states/gke-cluster"
+  }
+
+  # Include Google Provider as required provider globally
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+      # version = "> 5.18.0"
+    }
+  }
+}
+
+# Import remote state from common section
+data "terraform_remote_state" "common" {
+  backend = "gcs"
+  config = {
+    bucket = "opencrvs-app-terraform-bucket"
+    prefix = "states/common"
+  }
+}
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/variables.tf b/terraform-templates/google-cloud-platform/02.gke_cluster/variables.tf
@@ -0,0 +1,49 @@
+variable "location" {
+  type    = string
+}
+
+variable "project_id" {
+  type    = string
+}
+
+variable "env" {
+  type = string
+
+}
+
+variable "gke_cluster_name" {
+  type = string
+}
+
+
+variable "gke_cluster_location" {
+  type    = string
+  default = "europe-west1-b"
+
+}
+
+variable "gke_use_spot_instance_type" {
+  type    = bool
+  default = true
+
+}
+
+variable "gke_master_ipv4_cidr_block" {
+  type = string
+
+}
+variable "gke_node_ipv4_cidr_block" {
+  type = string
+}
+
+variable "gke_pod_ipv4_cidr_block" {
+  type = string
+}
+
+variable "gke_services_ipv4_cidr_block" {
+  type = string
+}
+
+variable "gke_machine_type" {
+  type = string
+}
diff --git a/terraform-templates/google-cloud-platform/02.gke_cluster/vpc.tf b/terraform-templates/google-cloud-platform/02.gke_cluster/vpc.tf
diff --git a/terraform-templates/google-cloud-platform/README.md b/terraform-templates/google-cloud-platform/README.md

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+This folder contains templates to prepare infrastructure for OpenCRVS deployment.`