Initial commit

Author: Vitaly Markov

README.md

@@ -42,7 +42,7 @@
 
 [![Cloud Posse][logo]](https://cpco.io/homepage)
 
-# terraform-example-module [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-example-module.svg)](https://github.com/cloudposse/terraform-example-module/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) [![Discourse Forum](https://img.shields.io/discourse/https/ask.sweetops.com/posts.svg)](https://ask.sweetops.com/)
+# terraform-example-module [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-example-module.svg)](https://github.com/cloudposse/terraform-example-module/releases/latest)
 
 
 This is `terraform-example-module` project provides all the scaffolding for a typical well-built Cloud Posse module. It's a template repository you can
@@ -64,9 +64,9 @@ This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops)
 
 
 
-It's 100% Open Source and licensed under the [APACHE2](LICENSE).
 
 
+It's 100% Open Source and licensed under the [MIT](LICENSE).
 
 
 
@@ -120,27 +120,35 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.0, < 0.14.0 |
-| local | ~> 1.2 |
-| random | ~> 2.2 |
+| terraform | >= 0.12.0, < 0.13.0 |
+| gitlab | >= 2.10 |
+| kubernetes | >= 1.11 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| random | ~> 2.2 |
+| gitlab | >= 2.10 |
+| kubernetes | >= 1.11 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| example | Example variable | `string` | `"hello world"` | no |
+| cluster\_name | n/a | `string` | n/a | yes |
+| dns\_zone | (Required) specifies the DNS suffix for the externally-visible websites and services deployed in the cluster | `string` | n/a | yes |
+| enabled | n/a | `bool` | `true` | no |
+| group\_gitlab\_runner\_enabled | (Optional) Setup a gitlab group runner (will be used a group runner token to set GITLAB\_RUNNER\_TOKEN env variable) | `bool` | `false` | no |
+| kubernetes\_ca\_cert | (Required) PEM-encoded root certificates bundle for TLS authentication | `string` | n/a | yes |
+| kubernetes\_endpoint | (Required) The hostname (in form of URI) of Kubernetes master. | `string` | n/a | yes |
+| kubernetes\_token | (Required) Token of your service account, must have admin permission to create another service accounts | `string` | n/a | yes |
+| root\_gitlab\_group | (Semi-optional) A gitlab group id attach Kubernetes cluster to | `string` | `""` | no |
+| root\_gitlab\_project | (Semi-optional) A gitlab project id attach Kubernetes cluster to | `string` | `""` | no |
+| stage | (Required) Stage, e.g. 'prod', 'staging', 'dev' or 'testing' | `string` | n/a | yes |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| example | Example output |
+No output.
 
 
 
@@ -249,31 +257,34 @@ Copyright © 2020-2020 [Cloud Posse, LLC](https://cloudposse.com)
 
 
 
-## License 
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 
 
-See [LICENSE](LICENSE) for full details.
 
-    Licensed to the Apache Software Foundation (ASF) under one
-    or more contributor license agreements.  See the NOTICE file
-    distributed with this work for additional information
-    regarding copyright ownership.  The ASF licenses this file
-    to you under the Apache License, Version 2.0 (the
-    "License"); you may not use this file except in compliance
-    with the License.  You may obtain a copy of the License at
+## License 
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-      https://www.apache.org/licenses/LICENSE-2.0
+The MIT License (MIT)
 
-    Unless required by applicable law or agreed to in writing,
-    software distributed under the License is distributed on an
-    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-    KIND, either express or implied.  See the License for the
-    specific language governing permissions and limitations
-    under the License.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
 
+Source: <https://opensource.org/licenses/MIT>
 
 
 
@@ -300,11 +311,11 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
 
 ### Contributors
 
-|  [![Erik Osterman][osterman_avatar]][osterman_homepage]<br/>[Erik Osterman][osterman_homepage] |
+|  [![Vitaly Markov][vymarkov_avatar]][vymarkov_homepage]<br/>[Vitaly Markov][vymarkov_homepage] |
 |---|
 
-  [osterman_homepage]: https://github.com/osterman
-  [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png
+  [vymarkov_homepage]: https://github.com/vymarkov
+  [vymarkov_avatar]: https://img.cloudposse.com/150x150/https://github.com/vymarkov.png
 
 [![README Footer][readme_footer_img]][readme_footer_link]
 [![Beacon][beacon]][website]

README.yaml

@@ -11,7 +11,7 @@ name: terraform-example-module
 #logo: docs/logo.png
 
 # License of this project
-license: "APACHE2"
+license: "MIT"
 
 # Copyrights
 copyrights:
@@ -27,12 +27,6 @@ badges:
   - name: "Latest Release"
     image: "https://img.shields.io/github/release/cloudposse/terraform-example-module.svg"
     url: "https://github.com/cloudposse/terraform-example-module/releases/latest"
-  - name: "Slack Community"
-    image: "https://slack.cloudposse.com/badge.svg"
-    url: "https://slack.cloudposse.com"
-  - name: "Discourse Forum"
-    image: "https://img.shields.io/discourse/https/ask.sweetops.com/posts.svg"
-    url: "https://ask.sweetops.com/"
 
 # List any related terraform modules that this module may be used with or that this module depends on.
 related:
@@ -91,5 +85,5 @@ include:
 
 # Contributors to this project
 contributors:
-  - name: "Erik Osterman"
-    github: "osterman"
+  - name: "Vitaly Markov"
+    github: "vymarkov"

docs/terraform.md

@@ -2,25 +2,33 @@
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.0, < 0.14.0 |
-| local | ~> 1.2 |
-| random | ~> 2.2 |
+| terraform | >= 0.12.0, < 0.13.0 |
+| gitlab | >= 2.10 |
+| kubernetes | >= 1.11 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| random | ~> 2.2 |
+| gitlab | >= 2.10 |
+| kubernetes | >= 1.11 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| example | Example variable | `string` | `"hello world"` | no |
+| cluster\_name | n/a | `string` | n/a | yes |
+| dns\_zone | (Required) specifies the DNS suffix for the externally-visible websites and services deployed in the cluster | `string` | n/a | yes |
+| enabled | n/a | `bool` | `true` | no |
+| group\_gitlab\_runner\_enabled | (Optional) Setup a gitlab group runner (will be used a group runner token to set GITLAB\_RUNNER\_TOKEN env variable) | `bool` | `false` | no |
+| kubernetes\_ca\_cert | (Required) PEM-encoded root certificates bundle for TLS authentication | `string` | n/a | yes |
+| kubernetes\_endpoint | (Required) The hostname (in form of URI) of Kubernetes master. | `string` | n/a | yes |
+| kubernetes\_token | (Required) Token of your service account, must have admin permission to create another service accounts | `string` | n/a | yes |
+| root\_gitlab\_group | (Semi-optional) A gitlab group id attach Kubernetes cluster to | `string` | `""` | no |
+| root\_gitlab\_project | (Semi-optional) A gitlab project id attach Kubernetes cluster to | `string` | `""` | no |
+| stage | (Required) Stage, e.g. 'prod', 'staging', 'dev' or 'testing' | `string` | n/a | yes |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| example | Example output |
+No output.
 

main.tf

@@ -1,11 +1,87 @@
-resource "random_integer" "example" {
-  min = 1
-  max = 50000
-  keepers = {
-    example = var.example
+locals {
+  sa_name      = "gitlab-admin"
+  sa_namespace = "kube-system"
+
+  environment_scope           = var.stage
+  project_cluster_enabled     = var.enabled && length(var.root_gitlab_project) > 0 ? 1 : 0
+  group_cluster_enabled       = var.enabled && length(var.root_gitlab_group) > 0 ? 1 : 0
+  group_gitlab_runner_enabled = (var.group_gitlab_runner_enabled && length(var.root_gitlab_group) > 0) ? 1 : 0
+
+  cluster_name = var.cluster_name
+  domain       = var.dns_zone
+}
+
+# In the next steps we will add a few env variables to Gitlab CI variables
+# to make possible run CI jobs that depends on these variables
+data "gitlab_project" "root" {
+  count = local.project_cluster_enabled
+  id    = var.root_gitlab_project
+}
+
+data "gitlab_group" "root" {
+  count    = length(var.root_gitlab_group) > 0 ? 1 : 0
+  group_id = length(var.root_gitlab_group) > 0 ? var.root_gitlab_group : 0
+}
+
+module "gitlab_admin_sa" {
+  source = "./modules/gitlab-admin-service-account"
+
+  enabled = var.enabled
+
+  kubernetes_endpoint = var.kubernetes_endpoint
+  kubernetes_token    = var.kubernetes_token
+  kubernetes_ca_cert  = var.kubernetes_ca_cert
+}
+
+# https://www.terraform.io/docs/providers/gitlab/r/project_cluster.html
+data "kubernetes_secret" "gitlab_admin_token" {
+  count = var.enabled ? 1 : 0
+
+  metadata {
+    name      = module.gitlab_admin_sa.sa_name
+    namespace = local.sa_namespace
   }
 }
 
-locals {
-  example = format("%v %d", var.example, random_integer.example.result)
+resource "gitlab_project_cluster" "root" {
+  count   = local.project_cluster_enabled
+  project = join("", data.gitlab_project.root.*.id)
+
+  name   = local.cluster_name
+  domain = local.domain
+
+  kubernetes_api_url = var.kubernetes_endpoint
+  kubernetes_token   = join(",", data.kubernetes_secret.gitlab_admin_token.*.data.token)
+  kubernetes_ca_cert = base64decode(var.kubernetes_ca_cert)
+
+  environment_scope = local.environment_scope
+
+  lifecycle {
+    ignore_changes = [kubernetes_ca_cert]
+  }
+}
+
+resource "gitlab_group_cluster" "root" {
+  count = local.group_cluster_enabled
+
+  group = join("", data.gitlab_group.root.*.id)
+
+  name   = local.cluster_name
+  domain = local.domain
+
+  kubernetes_api_url = var.kubernetes_endpoint
+  kubernetes_token   = join(",", data.kubernetes_secret.gitlab_admin_token.*.data.token)
+  kubernetes_ca_cert = base64decode(var.kubernetes_ca_cert)
+
+  ## You can use only one Kubernetes cluster per a group/project when your team uses a free plan on Gitlab.com
+  ## If you will set explicitly env scope you can't use Auto DevOps feature
+  ##
+  ## References:
+  ## - https://docs.gitlab.com/12.5/ee/topics/autodevops/index.html#overview
+  ## - https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+  environment_scope = local.environment_scope
+
+  lifecycle {
+    ignore_changes = [kubernetes_ca_cert]
+  }
 }

modules/gitlab-admin-service-account/main.tf

@@ -0,0 +1,41 @@
+locals {
+  sa_name = "gitlab-admin"
+  sa_namespace = "kube-system"
+}
+
+# This module create a service account with admin permissions for Gitlab Kubernetes integration
+#
+# - https://gitlab.com/help/user/project/clusters/add_remove_clusters#add-existing-cluster
+resource "kubernetes_service_account" "gitlab_admin_service_account" {
+  count = var.enabled ? 1 : 0
+
+  metadata {
+    name      = local.sa_name
+    namespace = local.sa_namespace
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "gitlab_admin_cluster_role_binding" {
+  count = var.enabled ? 1 : 0
+
+  metadata {
+    name = local.sa_name
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = "gitlab-admin"
+    namespace = "kube-system"
+  }
+}
+
+output "sa_name" {
+  value = join(",", kubernetes_service_account.gitlab_admin_service_account.*.default_secret_name)
+}
+

modules/gitlab-admin-service-account/variables.tf

@@ -0,0 +1,16 @@
+variable "enabled" {
+  type    = bool
+  default = true
+}
+
+variable "kubernetes_endpoint" {
+  type = string
+}
+
+variable "kubernetes_token" {
+  type = string
+}
+
+variable "kubernetes_ca_cert" {
+  type = string
+}

outputs.tf

@@ -1,4 +0,0 @@
-output "example" {
-  description = "Example output"
-  value       = local.example
-}

providers.tf

@@ -0,0 +1,9 @@
+# https://www.terraform.io/docs/providers/kubernetes/index.html
+
+provider "kubernetes" {
+  load_config_file = "false"
+
+  host                   = var.kubernetes_endpoint
+  token                  = var.kubernetes_token
+  cluster_ca_certificate = base64decode(var.kubernetes_ca_cert)
+}