This repo contain a sample infrastructure to connect a kubernetes cluster and a sql database with a Virtual Private Connection (VPC).
gke
module contains:google_container_cluster
- a "kubernetes" provider
database
module contains:google_sql_database_instance
google_sql_database
google_sql_user
cloudbuild_trigger
google_cloudbuild_trigger
storage
google_storage_bucket
pub_sub
google_pubsub_topic
google_pubsub_subscription
Init the workspace:
terraform init
Create new dev (or prod) workspace:
terraform workspace new dev
List available workspaces, and check that the correct one is selected:
terraform workspace list
Select the right workspace if not already so:
terraform workspace select dev
Do the terraform magic:
terraform plan
terraform apply -auto-approve
List and show terraform state file
terraform state list
terraform state show
If you want to delete:
terraform destroy
if you want to use the cloud trigger and cloudbuild.yaml
, you need to set up all variables such as _PROJECT_ID
.
See terraform.tfvars
for full list of vars to autofill.
If you are using cloud build trigger and cloudbuild.yaml
.
To allow Cloud Build service account to run Terraform scripts with the goal of managing Google Cloud resources, you need to grant it appropriate access to your project. For simplicity, project editor access is granted in this tutorial. But when the project editor role has a wide-range permission, in production environments you must follow your company's IT security best practices, usually providing least-privileged access.
In Cloud Shell, retrieve the email for your project's Cloud Build service account:
CLOUDBUILD_SA="$(gcloud projects describe $PROJECT_ID \
--format 'value(projectNumber)')@cloudbuild.gserviceaccount.com"
Grant the required access to your Cloud Build service account:
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$CLOUDBUILD_SA --role roles/editor